In the never-ending cybersecurity arms race, hackers are opening a new front against multi-factor authentication (MFA). A technique called MFA prompt bombing is being used to trick victims into bypassing MFA defenses. Let’s look at how this attack works and what you can do to protect yourself.
Recently, cybercriminals have been choosing credential hijacking over malware. MFA has proven itself to be an indispensable defense against these attacks. According to Microsoft, MFA blocks an astounding 99.9% of automated attacks. Similarly, Google found that its MFA-enabled accounts were half as likely to be compromised. However, cracks are appearing in the MFA armor as hackers increasingly resort to tactics like SIM swapping and cookie hijacking.
Prompt bombing is another attack designed to undermine MFA. In this case, targeting users who rely on push notifications to authenticator apps, such as Duo Mobile or Microsoft Authenticator. After stealing users’ credentials through a data breach, brute force attack or other method, hackers trigger authentication requests that, if approved, grant them access to the account.
Like all social-engineering attacks, MFA prompt bombing exploits human behavior to circumvent technical controls. It takes advantage of MFA fatigue by either subtly sending one or two prompts a day until a distracted user approves, or by spamming prompts, perhaps at odd hours, to annoy users into accepting them. Another variation involves calling users, while impersonating a company representative, and instructing them to accept the prompt request.
Does this mean I should stop using MFA? Absolutely not. MFA is still vital to access control, and any type of MFA is better than none. However, some forms of MFA are stronger than others, and there are other steps you can take to thwart attacks:
- Use strong MFA: FIDO2-compliant MFA stores identity verification information only on the user’s physical device, preventing them from authenticating a different device. This presents a huge obstacle to hackers using a remote device.
- Enable number matching: If supported by your MFA solution, you can use this additional security control to require that a number be entered or selected to approve a push notification. This number must match the one displayed on the sign-in screen, reducing the possibility of accidental approvals.
- Pay attention to authentication prompts: Don’t approve requests you don’t recognize, especially if you get dozens of them at 3 a.m. Instead, you should immediately change your password upon receiving a suspicious authentication request.
- Implement zero trust: Zero trust is a defense-in-depth strategy that uses techniques like user behavior analytics and network segmentation to detect compromised accounts and limit their access within the network.
Cybercriminals are constantly testing our defenses with new attacks. MBL Technologies is here to help organizations stay ahead of the threat curve with our comprehensive cybersecurity services. Contact us to learn more!