What is a replay attack, and how can you prevent it?
Replay attacks intercept and reuse valid data transmissions to trick systems into granting unauthorized access or repeating an already authorized action. Despite their simplicity, they have caused real losses: a victim can lose data, money, and trust in a single resend. Here's how you can protect your business from replay attacks and the related threats that often accompany them.
TeamPassword features an integrated TOTP authenticator, making it easier than ever to prevent replay attacks.
What is a replay attack?
Replay attacks, sometimes called playback attacks, occur when an adversary intercepts a legitimate data transmission, such as an authentication token or transaction request, and later retransmits it verbatim to impersonate the original sender. By capturing the raw bits of a valid message and injecting them into the network at the right moment, the attacker tricks the receiving system into processing what it believes is a fresh, authorized operation.
Typically, a replay attack follows three core steps:
- Capture: The attacker sniffs network traffic or taps communication channels to record a valid message (e.g., a login handshake or payment instruction).
- Store: The intercepted data is saved, often unchanged, until conditions are optimal for reuse (timing, network access, or target readiness).
- Resend: The attacker retransmits the stored message to the server or device, which, lacking mechanisms to detect old versus new requests, executes the command as if it were fresh.
Replay attacks prey on systems that treat every message the same, without checking when it was sent or whether it has already been seen. Encryption alone does not help: a ciphertext can be captured and resent just as easily as plaintext, and the receiver will decrypt it without complaint. The weakness can affect anything from basic website requests to complex login exchanges, as long as nothing in the message ties it to a particular moment or session.
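To make the weakness concrete, here is an added example (it is not code from the original article) in Python. The first scheme computes an HMAC over the request body only, so a captured (body, tag) pair replays for as long as the key lives. The hardened scheme binds a client timestamp and a random nonce into the MAC, rejects timestamps outside a small skew window, and remembers the nonces it has accepted within that window. The shared key, the JSON body and the fake clock are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment provisions one per client.
SHARED_KEY = b"demo-shared-key-not-for-production"


def sign_naive(key: bytes, body: bytes) -> bytes:
    """Vulnerable scheme: the tag covers only the body, so a captured
    (body, tag) pair stays valid for as long as the key does."""
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_naive(key: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_naive(key, body), tag)


class FreshnessVerifier:
    """Hardened scheme: the tag also covers a client timestamp and a random
    nonce. The server rejects timestamps more than max_skew seconds from its
    own clock and refuses any nonce it has already accepted in that window."""

    def __init__(self, key: bytes, max_skew: int = 30, now=time.time):
        self.key = key
        self.max_skew = max_skew
        self.now = now      # injectable clock so the demo is deterministic
        self.seen = {}      # nonce -> timestamp it was accepted with

    def _tag(self, body: bytes, ts: int, nonce: str) -> bytes:
        # Fixed field order; ts is decimal and nonce is hex, so neither can
        # contain the '|' separator and the boundaries are unambiguous.
        msg = b"|".join([str(ts).encode(), nonce.encode(), body])
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def sign(self, body: bytes):
        ts = int(self.now())
        nonce = secrets.token_hex(16)
        return ts, nonce, self._tag(body, ts, nonce)

    def verify(self, body: bytes, ts: int, nonce: str, tag: bytes):
        now = int(self.now())
        # Forget nonces that could no longer pass the timestamp check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen:
            return False, "nonce already seen (replay)"
        if not hmac.compare_digest(self._tag(body, ts, nonce), tag):
            return False, "bad tag"
        self.seen[nonce] = ts
        return True, "ok"


def demo() -> dict:
    """Capture, store, resend against both schemes, driven by a fake clock."""
    clock = [1_700_000_000]

    def fake_now():
        return clock[0]

    body = b'{"action":"transfer","to":"acct-42","amount":500}'  # constructed

    # Naive scheme: the attacker's verbatim resend is indistinguishable.
    tag = sign_naive(SHARED_KEY, body)
    naive_replay_accepted = verify_naive(SHARED_KEY, body, tag)

    # Hardened scheme: legitimate request, then the same bytes resent.
    server = FreshnessVerifier(SHARED_KEY, now=fake_now)
    ts, nonce, tag = server.sign(body)
    first = server.verify(body, ts, nonce, tag)
    replay_same_window = server.verify(body, ts, nonce, tag)  # immediate resend
    clock[0] += 120
    replay_later = server.verify(body, ts, nonce, tag)        # resend two minutes on
    # Attacker freshens timestamp and nonce but cannot recompute the tag.
    forged = server.verify(body, int(fake_now()), secrets.token_hex(16), tag)

    return {
        "naive_replay_accepted": naive_replay_accepted,
        "first": first,
        "replay_same_window": replay_same_window,
        "replay_later": replay_later,
        "forged": forged,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The nonce cache only needs to hold entries for the length of the skew window, because anything older fails the timestamp check on its own; that bounded memory is what makes the nonce-plus-timestamp pattern practical at scale.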
This is why time-based one-time passwords (TOTP) are an effective countermeasure: each code is bound to a 30-second time step, so a captured code stops working within moments. One caveat matters in practice, though: within that step the code is still valid, so the server must also refuse to accept a code it has already accepted once.
Replay attack examples and statistics
Replay is usually one component of a larger intrusion rather than a category that gets counted on its own, so the available figures describe the surrounding problem rather than replay specifically: 39% of businesses reported at least one cybersecurity breach in the last 12 months.
Researchers have also reported that 75% of tested Internet of Things (IoT) devices may be vulnerable to replay attacks, allowing an attacker to mimic legitimate commands such as "unlock" or "turn on".
Meanwhile, ecommerce fraud losses, driven in part by transaction-replay schemes, were projected to reach $44 billion in 2024 and $100 billion by 2029, underscoring the financial stakes of undetected replays.
Here are two well-documented replay attacks.
Ethereum/Ethereum Classic hard‑fork replay
In July 2016, the Ethereum network split into two chains—Ethereum (ETH) and Ethereum Classic (ETC)—following The DAO exploit. Because both chains initially used the same transaction format without a unique chain identifier, any signed transaction submitted on one chain could be rebroadcast (replayed) on the other, leading to unintended transfers on both networks.
To stop this, developers added replay protection by including a chain identifier in the data that each transaction signs (EIP-155, activated on Ethereum in the Spurious Dragon upgrade later in 2016; Ethereum Classic later adopted its own chain ID, 61). A signature produced for one chain no longer verifies on the other, so a transaction valid on ETH is rejected on ETC and vice versa. The general lesson is domain separation: a signed message should name the context it is meant for, or it can be replayed into any other context that honours the same key.
Samy Kamkar’s RollJam device
At DEF CON 23 in 2015, security researcher Samy Kamkar unveiled "RollJam", a pocket-sized gadget that combined signal jamming with silent recording of rolling-code fob transmissions. When a car owner pressed their key fob, RollJam jammed the first code so the vehicle never received it, while recording it; on the second press it jammed and recorded again, then forwarded the first code (unlocking the car) and kept the second, still unused, code for later. Rolling codes defeat a plain replay because the receiver refuses a code it has already consumed, but they accept any code within a look-ahead window beyond the last one seen, and an unused code in that window never expires. Kamkar demonstrated the technique against fobs used on millions of vehicles; the remedy is to bound a code's validity in time or to use challenge-response, not a larger counter.
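The added Python simulation below (not Kamkar's code, and not from the original article) models a rolling-code fob and a receiver with a look-ahead window, then plays the RollJam sequence against it. The fob key is constructed, and the rolling code is simply a truncated HMAC over the press counter; production fobs use a manufacturer cipher, but the window logic that RollJam abuses is the same.

```python
import hashlib
import hmac
import struct

# Constructed key shared by fob and receiver for the demonstration.
FOB_KEY = b"constructed-fob-key"


def rolling_code(key: bytes, counter: int) -> bytes:
    """Rolling code for one press: a 4-byte MAC over the press counter."""
    return hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Accepts any code whose counter lies in (last, last + window]. The
    look-ahead window is there so presses made out of range do not desync
    the fob; it is also what lets a withheld code stay valid indefinitely."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last = 0

    def receive(self, code: bytes) -> bool:
        for c in range(self.last + 1, self.last + self.window + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.last = c        # consume every counter up to this one
                return True
        return False                 # already used, out of window, or wrong key


def rolljam() -> dict:
    fob, car = Fob(FOB_KEY), Receiver(FOB_KEY)
    car.receive(fob.press())            # normal use: fob and car are in sync

    # Press 1: jammed so the car never hears it; RollJam records code_a.
    code_a = fob.press()
    # Press 2: jammed and recorded as code_b; RollJam forwards code_a, so the
    # owner sees the car unlock and suspects nothing.
    code_b = fob.press()
    owner_unlock = car.receive(code_a)
    # A plain replay of the consumed code_a fails: rolling codes do their job.
    naive_replay = car.receive(code_a)
    # Later, with the owner gone, the attacker sends the never-used code_b.
    attacker_unlock = car.receive(code_b)
    # code_b cannot be used twice either; the counter has moved past it.
    second_replay = car.receive(code_b)

    return {
        "owner_unlock": owner_unlock,
        "naive_replay": naive_replay,
        "attacker_unlock": attacker_unlock,
        "second_replay": second_replay,
    }


if __name__ == "__main__":
    for name, result in rolljam().items():
        print(f"{name}: {result}")
```

The simulation makes the root cause visible: the receiver has no notion of when a code was generated, only of its order, so any code ahead of the last accepted counter is "fresh" no matter how long the attacker has held it.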
How does a replay attack differ from other similar attacks?
Replay attacks don't create new credentials or forge anything; they resend captured data at the right moment. They are often one stage in a larger intrusion, such as a phishing campaign, but they call for their own defenses.
Here’s how replay attacks compare with several related cyberthreats.
Replay attack vs man in the middle (MitM)
In a MitM attack, the adversary intercepts and possibly alters communication between two parties in real time, sitting “in the middle” of the conversation. The attacker can eavesdrop, modify messages on the fly, or inject their own data, all while both ends believe they’re talking directly to each other.
By contrast, a replay attack involves no tampering with the message and no live intervention during the original exchange: it records a valid transmission and later resends it unchanged. Whereas MitM requires the attacker to stay on the path between sender and receiver, replay only needs the capture to happen on the path; the resend can come from anywhere, at a time of the attacker's choosing, which is why freshness checks and short validity windows matter more than path security alone.
Replay attack vs spoofing
Spoofing attacks impersonate a legitimate user or device by crafting fake credentials (e.g., forging an IP address, email header, or digital certificate) to trick systems into granting access. The core goal is to convince the target that a malicious actor is someone or something they trust. This is one reason hackers want your email login credentials.
Replay attacks, on the other hand, don’t fabricate new identities. Instead, they reuse genuine messages captured from prior sessions. Since the attacker relies on the authenticity of the original data, replay defenses focus on freshness and uniqueness checks rather than identity verification alone.
Replay attack vs session hijacking
Session hijacking involves taking over an active session, often by stealing or predicting session tokens, and then using that live connection to act as the legitimate user. The attacker typically needs to operate within the same session time frame, exploiting weaknesses in how sessions are managed or terminated.
Replay attacks differ by not requiring an active session to be open. Instead, they use previously recorded messages to create a new session or repeat an old action. Whereas hijacking demands timing precision within a live window, replay simply relies on resending stored data, so defenses emphasize timestamps, nonces, and one-time tokens.
Replay attack vs cross-site request forgery (CSRF)
CSRF tricks a user’s browser into sending unintended requests (like fund transfers) to a trusted site where they’re already authenticated. CSRF leverages the victim’s active session cookies to perform unauthorized actions without their knowledge.
In contrast, replay attacks bypass the user entirely by capturing the underlying request data and resending it, often from a different device or location. CSRF exploits browser trust and cookie handling, whereas replay exploits a missing freshness check, so CSRF protections (anti-CSRF tokens, SameSite cookies) and replay defenses (nonces, timestamps, sequence numbers, and one-time codes such as TOTP) address different vulnerabilities.
How to prevent replay attacks
The best defense against a replay attack is to make intercepted data useless to anyone who might try to “play it back”. That means choosing authentication methods and habits that tie each login or transaction to a unique moment in time.
Fortunately, you don’t need to understand every protocol detail to stay safe. Simple steps like enabling time‑based codes and avoiding unprotected networks go a long way. These measures work together. That is, the harder you make it for an attacker to capture and reuse your credentials, and the shorter the window in which those credentials remain valid, the less chance there is for a replay attack to succeed.
Here are some practical actions you can take today:
- Enable TOTP-based two-factor authentication: Use a trusted authenticator app. Each code is valid only for a 30-second step, and a correctly implemented server accepts a given code once, so a code an attacker captures is worthless within moments and useless the instant you have used it. TeamPassword has an integrated TOTP authenticator, eliminating the need for a second tool.
- Avoid public or unsecured Wi-Fi for sensitive tasks: If you must use public Wi-Fi, employ a reputable VPN so attackers on the same network can't sniff your traffic and capture login tokens.
- Keep software and apps up to date: Regular updates often patch vulnerabilities that could allow message interception or replay.
- Use services with built-in anti-replay checks: Many banking and payment apps automatically reject requests that aren't "fresh". Where possible, choose apps and websites that support nonces or timestamp validation behind the scenes.
- Monitor account activity and set alerts: Turn on notifications for new logins or high-risk transactions. Early awareness of unusual activity can thwart replay-style fraud before it escalates.
What should you do if you fall victim to a replay attack?
If you discover that someone has replayed your credentials or transactions, acting quickly can limit the damage and help you regain control. Follow these steps to secure your accounts and prevent further unauthorized access:
- Immediately change your passwords and revoke tokens: Update passwords on affected accounts and any others using the same credentials. In your account settings, revoke all active sessions or tokens to force fresh logins.
- Enable or reinforce two-factor authentication (2FA): If you haven't already, turn on TOTP-based 2FA. If you already have it, re-enroll to generate a new secret, in case the shared seed itself (not just a single code) was exposed.
- Contact your service provider or bank: Report the incident to your bank, payment processor, or platform support team. They can freeze transactions, rollback suspicious activity, and guide you through their fraud‑response process.
- Review recent activity and set up alerts: Scan account logs, statements, or transaction histories for unfamiliar entries. Turn on real‑time notifications for logins, password changes, and bank transactions.
- Secure your devices and network: Run a malware scan on your computer and mobile devices to ensure no keyloggers or packet sniffers remain. Switch to a trusted Wi‑Fi network or use a VPN when handling sensitive tasks.
- File a report with relevant authorities: For financial losses or stolen data, consider filing a report with your local cybercrime unit or consumer protection agency. This can help in investigations and may be required for reimbursement.
- Educate yourself on safe practices: Learn how replay attacks work and adopt habits (like using strong, unique passwords and avoiding unsecured networks) to reduce the risk of future incidents.
TeamPassword’s integrated TOTP authenticator helps prevent replay attacks
TeamPassword includes a built-in TOTP authenticator that generates unique, time-limited codes alongside your stored passwords. Each code expires after a short time step, and a correctly implemented service accepts it only once, which removes the long validity window that replay attacks rely on.
TeamPassword makes security easy with built-in TOTP authentication. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.