Multi-factor authentication (MFA) remains a useful defence against account takeovers, but it is not a complete control. Attackers increasingly work around MFA with social engineering, automation, and infrastructure that makes malicious traffic look ordinary.
The Rise of AI-Powered Phone Scams
A Kaspersky article describes the rise of OTP bots. These automated tools use social engineering to trick users into revealing their one-time passwords (OTPs). AI adds another layer to that problem.
Consider Lucy, an AI phone assistant. Lucy is built for legitimate business use, but similar technology can make criminal call flows harder to recognise. These AI-powered systems can:
- Place convincing, natural-sounding phone calls
- Adapt their conversation based on user responses
- Mimic accents and speaking styles to match the impersonated organisation
A user who believes they are speaking with their "bank" may hear a fluent explanation of a supposed security issue and be persuaded to provide an MFA code. Because the call can respond to questions in real time, the attack can feel more credible than a traditional robocall.
The OTP Bot Attack Flow
An AI-enhanced OTP bot attack might follow this pattern:
- Attackers obtain working credentials through credential stuffing with breached password lists, purchases on dark web markets, or phishing.
- They attempt to log in to the victim's account, which triggers the service to send a one-time code to the victim.
- An AI-powered OTP bot calls the victim, impersonating a legitimate organisation.
- The AI carries on a natural conversation, explaining why the OTP is needed.
- The unsuspecting victim provides the OTP during the call.
- The code is relayed to the attacker, who enters it before it expires (typically within a few minutes), so the bot call runs concurrently with the login attempt rather than after it.
The Role of Residential Proxies
Attackers also use residential proxies. These are IP addresses that ISPs assign to ordinary household connections; proxy providers route third-party traffic through those connections, often via software bundled into apps on the subscriber's devices, and sell access to the pool. Residential proxies create several problems for account takeover defences:
- Legitimacy: Traffic from residential proxies appears to come from real homes, making it harder to separate from legitimate user activity.
- Geolocation bypassing: Attackers can choose proxies in the same city or country as the account holder, bypassing location-based security checks.
- IP rotation: Large pools of residential proxies allow attackers to switch IP addresses on every request, evading per-IP rate limiting and IP blocklists.
Residential proxies make credential stuffing harder to stop because IP address alone is no longer a reliable signal for identifying and blocking malicious login attempts.
A Multi-Layered Security Approach
To deal with these threats, businesses need controls around MFA rather than MFA alone. Key defences include:
1. Advanced Rate Limiting
Peakhour's Advanced Rate Limiting can help counter residential proxy abuse by limiting requests based on:
- HTTP/2 and TLS fingerprints
- Autonomous System Numbers (ASNs)
- Countries
- Custom combinations of request headers
This gives businesses more ways to identify and block suspicious activity when it is distributed across multiple residential IP addresses.
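As an added illustration of why keying a limiter on something other than the source IP matters (this is example code written for this article, not Peakhour's implementation), the sliding-window limiter below is run twice over the same constructed login log: once keyed per IP, once keyed on the (TLS fingerprint, ASN) pair. The twelve-IP credential-stuffing burst passes the per-IP limit untouched and is cut off after five attempts by the composite key, while a legitimate user in the same ASN with a different fingerprint is never blocked. The log lines, fingerprint hashes and ASN are constructed; in a real deployment the JA3-style hash would come from the TLS terminator and the ASN from an IP-to-ASN lookup.

```python
"""Composite-key sliding-window rate limiter (added example, not Peakhour's code).

Keys login attempts by (TLS fingerprint, ASN) instead of source IP, so a
credential-stuffing run spread across a residential proxy pool is counted
as one client. All sample data below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60   # sliding window length (assumed policy)
MAX_ATTEMPTS = 5      # login attempts allowed per key per window (assumed policy)

# Constructed sample, fields: "unix_ts ip asn ja3 username".
# Twelve attempts from twelve different residential IPs in one ASN, all sharing
# one TLS fingerprint and each trying a different username (credential stuffing),
# plus two attempts by a legitimate user in the same ASN with another fingerprint.
ATTACK_JA3 = "e7d705a3286e19ea42f587b344ee6865"   # constructed value
LEGIT_JA3 = "b32309a26951912be7dba376398abc3b"    # constructed value
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + 2 * i} 198.51.100.{10 + i} AS64496 {ATTACK_JA3} user{i:02d}"
     for i in range(12)]
    + [f"1700000005 203.0.113.7 AS64496 {LEGIT_JA3} alice",
       f"1700000040 203.0.113.7 AS64496 {LEGIT_JA3} alice"]
)


@dataclass(frozen=True)
class LoginAttempt:
    ts: int        # unix seconds
    ip: str
    asn: str       # from an IP-to-ASN lookup in practice
    ja3: str       # TLS client fingerprint hash from the TLS terminator in practice
    username: str


def parse_log(text):
    """Parse the whitespace-separated sample format, oldest attempt first."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, asn, ja3, user = line.split()
        attempts.append(LoginAttempt(int(ts), ip, asn, ja3, user))
    return sorted(attempts, key=lambda a: a.ts)


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within any trailing `window` seconds."""

    def __init__(self, window, limit):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)

    def allow(self, key, ts):
        q = self._hits[key]
        while q and q[0] <= ts - self.window:   # evict events older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def key_by_ip(a):
    return ("ip", a.ip)


def key_by_fingerprint_and_asn(a):
    return ("ja3+asn", a.ja3, a.asn)


def blocked_attempts(attempts, key_fn, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
    """Return the attempts the limiter rejects when keyed by `key_fn`."""
    limiter = SlidingWindowLimiter(window, limit)
    return [a for a in attempts if not limiter.allow(key_fn(a), a.ts)]


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    print("per-IP limiter blocked:", len(blocked_attempts(attempts, key_by_ip)))
    print("per-fingerprint+ASN limiter blocked:",
          len(blocked_attempts(attempts, key_by_fingerprint_and_asn)))
```

The composite key is deliberately coarse: an ASN shared by a large ISP will contain many real customers, so the fingerprint is what keeps the limit from punishing them. Attackers can also randomise TLS fingerprints, which is why the page's other signals (bot management, device fingerprinting) are layered on top of this one.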
2. Bot Management
Peakhour's Bot Management uses several signals to detect and mitigate bot traffic:
- Machine learning algorithms to identify bot behaviour.
- JavaScript challenges to verify human interaction.
- Device fingerprinting to track suspicious patterns.
- Integration with threat intelligence feeds.
- Per-request residential proxy detection to turn attackers' infrastructure against them.
These techniques help identify automated attacks, including traffic coming from residential proxy networks.
3. Monitoring and Anomaly Detection
Continuous monitoring of login attempts and user behaviour is important. Look for:
- Sudden spikes in login attempts
- Logins from unusual locations or devices
- Use of passwords known to be compromised
- Unusual patterns in successful logins followed by immediate password or email changes
Peakhour's solutions provide real-time analytics and alerting to help businesses spot these anomalies.
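The last signal in the list, a successful login followed almost immediately by a password or e-mail change, is the one most specific to an OTP-bot takeover, because the attacker's first move after getting in is usually to lock the real owner out. The detector below is an added example written for this article (not Peakhour's code) that combines it with the unusual-device and unusual-location checks: it builds each user's known devices and countries from earlier successful logins, and raises an alert only when a login from an unfamiliar device or country is followed within a short window by a sensitive change. In the constructed event log, the attacker logs in through a residential proxy in the victim's own country, so a country check alone would pass; the device check is what catches it. Field names and the 300-second window are assumptions.

```python
"""Post-login takeover detector (added example, not Peakhour's code).

Flags a successful login from a device or country the user has not used
before when it is followed within CHANGE_WINDOW seconds by a password or
e-mail change. Event lines below are constructed; field names are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

CHANGE_WINDOW = 300   # seconds between login and profile change (assumed threshold)
SENSITIVE_CHANGES = {"password_change", "email_change"}

# Constructed sample, fields: "unix_ts user event ip country device".
SAMPLE_EVENTS = """
1699900000 alice login_success   203.0.113.5   AU d-alice-laptop
1699950000 bob   login_success   203.0.113.9   AU d-bob-phone
1699990000 alice login_success   203.0.113.5   AU d-alice-laptop
1700010000 alice login_success   198.51.100.17 AU d-unknown-1
1700010045 alice email_change    198.51.100.17 AU d-unknown-1
1700010120 bob   login_success   203.0.113.9   AU d-bob-phone
1700010200 bob   password_change 203.0.113.9   AU d-bob-phone
1700010300 carol login_success   198.51.100.40 US d-carol-tablet
1700010500 carol login_success   198.51.100.40 US d-carol-tablet
"""


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    event: str
    ip: str
    country: str
    device: str


@dataclass(frozen=True)
class Alert:
    user: str
    login_ts: int
    change_event: str
    reasons: tuple   # which "unfamiliar" signals fired on the login


def parse_events(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts, user, event, ip, country, device = parts
        events.append(Event(int(ts), user, event, ip, country, device))
    return sorted(events, key=lambda e: e.ts)


def detect_takeovers(events, window=CHANGE_WINDOW):
    """Return an Alert for each sensitive change that follows an unfamiliar login."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    pending = {}   # user -> (unfamiliar login event, reasons) awaiting a change
    alerts = []
    for e in events:
        if e.event == "login_success":
            reasons = []
            if e.device not in known_devices[e.user]:
                reasons.append("new_device")
            if e.country not in known_countries[e.user]:
                reasons.append("new_country")
            known_devices[e.user].add(e.device)
            known_countries[e.user].add(e.country)
            if reasons:
                pending[e.user] = (e, tuple(reasons))
            else:
                pending.pop(e.user, None)   # a familiar login resets the suspicion
        elif e.event in SENSITIVE_CHANGES and e.user in pending:
            login, reasons = pending.pop(e.user)
            if e.ts - login.ts <= window:
                alerts.append(Alert(e.user, login.ts, e.event, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_takeovers(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Two tuning points to note: a user's very first login is "unfamiliar" by construction, so in production the known-device baseline should be seeded from history before alerts are enabled, and the device identifier must come from something harder to forge than a User-Agent string, which is where the device fingerprinting described under Bot Management comes in.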
4. Account Protection
Peakhour's Account Protection helps secure user accounts through:
- Proactive blocking of requests from known malicious sources
- Detection of credential stuffing and brute force attacks
- Integration with Have I Been Pwned to check for compromised passwords
- Custom rules to adapt to specific security requirements
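The Have I Been Pwned check is worth showing in code because of how it avoids sending the password, or even its full hash, to a third party. Pwned Passwords uses a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the API, receives every known suffix sharing that prefix, and completes the match locally. The following is an added example written for this article, not Peakhour's integration; the range response it uses is a constructed fixture that matches the API's `SUFFIX:COUNT` format but carries made-up counts, so it runs offline, and the live `fetch_range` helper is included only for readers who want to try it against the real endpoint.

```python
"""Pwned Passwords k-anonymity check (added example, not Peakhour's code).

Only the first five hex characters of the SHA-1 hash leave the client; the
API returns every suffix with that prefix and the match is finished locally.
The range response below is a constructed fixture with made-up counts.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries carry a count of 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, range_lookup):
    """Number of breaches the password appeared in, or 0 if it is not in the corpus."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix, timeout=5):
    """Live lookup against the real API; not used by the offline demo below."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Add-Padding asks the API to mix in zero-count entries so response
        # size does not leak which prefix was queried.
        headers={"Add-Padding": "true", "User-Agent": "example-pwned-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so the prefix is 5BAA6 and the suffix 1E4C9B93F3F0682250B6CF8331B7EE68FD8.
# The other suffixes and all counts are made up.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E2C6D0D1E9C4B0AE8F5A5F9F0C8A1B2C3D:12",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E8D0F7A7E1B7A2C4D3E5F6A7B8C9D0E1F2:0",   # padding entry, not a real match
    ])
}


def offline_range_lookup(prefix):
    """Stand-in for fetch_range that serves the constructed fixture."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-9Qz!"):
        print(candidate, "->", pwned_count(candidate, offline_range_lookup))
```

A count of zero means the password is simply absent from the corpus, which is necessary but not sufficient for it to be strong; the check belongs alongside length and reuse rules, not in place of them.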
5. User Education
Technical controls matter, but user education is still an important line of defence:
- Teach users that no legitimate organisation will ask them to read out an OTP over the phone, however convincing the caller sounds
- Encourage authenticator apps over SMS-based MFA, and where the service supports it, phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which produce no code a caller could ask for
- Promote the use of password managers to encourage unique, strong passwords for each account
Final Thoughts
AI-powered phone scams and residential proxies create real problems for traditional security measures, including MFA. MFA remains valuable, but it cannot carry account takeover prevention on its own.
Advanced rate limiting, bot management, continuous monitoring, account protection, and user education each address a different part of the attack path. Together, they make account takeover attempts harder to run and easier to detect.
Security controls need regular review as attackers change their tooling and infrastructure. MFA should remain part of the stack, but it should not be the only control standing between an attacker and a user account.