Vishing Campaigns Show How Session Hijacking Bypasses Traditional MFA

A single phone call was sufficient for attackers to obtain active session tokens at Qantas and several retail organizations. By impersonating internal IT staff, Scattered Spider operators persuaded employees to approve push notifications or relay one-time codes, converting those interactions into immediate access to operational systems. Flight schedules were disrupted and customer data exposed without any malware deployment or network exploit.

The incidents followed a consistent pattern: attackers reached employees through trusted voice channels, obtained real-time consent, and used the resulting tokens for lateral movement. Once a valid session existed, downstream controls provided no additional barrier because the authentication decision had already been completed.

Vishing Converted User Approval into Operational Access

Attackers relied on the fact that common second factors require human judgment at the moment of request. Employees received what appeared to be legitimate prompts and supplied the requested confirmation under the pressure of a live conversation. No cryptographic material needed extraction; the live session token itself became the usable credential. This approach succeeded across multiple targets because the communication channel remained reachable and the approval step contained no independent proof that the request originated from an authorized source.

Session-Based Factors Leave No Trace Once Granted

Traditional MFA implementations that depend on push notifications or displayed secrets keep verification material on a device reachable by phone or message. When that channel is compromised through impersonation, the factor itself supplies the attacker with what they need. The underlying cryptographic secret may never have left the device, yet access was still granted because the system accepted the human decision as authoritative. The core weakness is the transferability of that decision rather than any flaw in encryption.

Device-Bound Public-Key Credentials Remove Transferable Material

MFA 2.0 replaces approval-based factors with key pairs generated and stored on the endpoint. The private key remains inside hardware or a secure enclave and never leaves the device. Authentication occurs only when the device signs a fresh challenge after local biometric or PIN verification. Nothing travels that an attacker can intercept, request over the phone, or trick a user into forwarding.

This model applies the same non-exportable primitive across registration, device onboarding, authorization, and decommissioning. No fallback channel exists for voice-based social engineering. Unlike FIDO2 and passkeys, which protect only the login step after potentially phishable registration, device-bound credentials eliminate phishable material from every stage of the identity lifecycle.

The Qantas incidents would have ended at the first call. Employees cannot be persuaded to approve a signature that does not appear on screen and cannot be read aloud. Recovery after device loss uses only public-key operations through pre-registered devices or administrator challenges. Standard SAML and OIDC connectors map the resulting assertions to existing user directories without changes to provisioning.

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography. It uses device-bound credentials with no central credential database and requires same-device authentication. Because no credentials exist to compromise, the attack cannot occur in the first place. This model focuses on prevention rather than detection or post-authentication monitoring.