MFA does not make your accounts un-hackable. I repeat, MFA DOES NOT MAKE YOU INVINCIBLE TO CYBERATTACKS. In fact, nothing is 100% secure and anyone that tells you otherwise simply wants to sell you something.
Even though MFA won’t make you invincible, it is still one of the best ways to secure your online accounts. Most of us are familiar with MFA or multi-factor authentication. If you aren’t using it at work (you absolutely should be), you are probably using it with your online shopping or social media accounts. And as more providers are making it a requirement, you will likely be using it for every online service sooner rather than later.
The trouble with using MFA everywhere is what has been dubbed MFA fatigue. And cybercriminals are taking advantage of this fatigue with a new style of cyberattack.
What is MFA Fatigue?
When MFA is configured to deliver push notifications as the approval method, the end user will receive a prompt on their phone or other mobile device. This notification is a convenient way for the user to validate the login by simply tapping the “approve” option.
But with MFA now being commonplace, people are becoming less thoughtful when their phone delivers a push notification asking to approve access.
We have actually seen this same evolution before with phishing emails. The more email we get, the less thoughtful we are when reviewing our inbox. This led to an increase in the amount and success of phishing emails. Cybercriminals are hoping to apply the same logic to MFA protected accounts with a different type of cyberattack.
MFA bombing is a new technique that cybercriminals are using to bypass MFA protected accounts. The attack works by sending a constant flow of MFA push notifications to the user’s device. The cybercriminal hopes that the seemingly endless prompts will wear down the user and convince them to approve the sign in request in order to stop the constant notifications.
In some instances, MFA bombing attacks become rather sophisticated and include qualities typical in phishing and social engineering. Here is an example:
On a Monday, you receive an email from your IT Department letting you know that a change is being made to the system that may cause a string of authentication alerts to your phone. The email is apologetic and states that as soon as you approve one of the notifications, you won’t receive any more. In reality, this email did not come from your IT department but from the criminal trying to access your account. But if you didn’t notice that the email came from a fraudulent source, you would likely follow the instructions and approve the sign-in request.
Another common characteristic of MFA bombing attacks is the timing. Cybercriminals will often send the push notifications at late hours, expecting their target to be asleep. This is in hopes that the target will wake up due to the constant dings of their phone and eventually approve the login so that they can go back to sleep.
How To Protect Your Organization
Talk to your staff. It is crucial for your staff to be aware of this new style of attack and receive regular reminders not to approve unexpected login requests or share their codes with anyone.
Use number matching MFA.
Instead of a user selecting approve or deny, number matching requires the person trying to sign in to input a specific number into their authenticator app. That number is displayed on the sign-in screen, so a user who did not start the sign-in never sees it, and since the cybercriminal does not have access to the app, MFA bombing becomes an ineffective technique to breach an account. Bad actors will still try to get around number matching MFA; it just requires a more sophisticated approach. Users should be immediately suspicious of anyone asking them for their MFA codes or numbers.
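To show why number matching holds up where a plain approve/deny prompt does not, here is an added example that is not from the original post or any vendor’s product: a small, self-contained Python model of a number-matching flow. The challenge lifetime and wrong-attempt limit are assumed values, and the in-memory store stands in for whatever a real identity provider would use.

```python
import secrets
import time
import hmac

# Constructed illustration of number-matching MFA (added example, not the post's code).
# The sign-in screen shows a random two-digit number; the authenticator app must submit
# that exact number to approve. A bare "approve" tap is rejected, which is what blunts
# MFA bombing: a user who never started the sign-in never sees the number to type in.

CHALLENGE_TTL = 60          # seconds a pending sign-in stays valid (assumed value)
MAX_WRONG_ATTEMPTS = 3      # wrong numbers before the challenge is voided (assumed value)

_pending = {}  # challenge_id -> {"user", "number", "expires", "wrong"}


def start_signin(user, now=None):
    """Server side: create a pending sign-in and return what the sign-in screen shows."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    number = secrets.randbelow(100)          # 0..99, displayed to whoever is signing in
    _pending[challenge_id] = {
        "user": user, "number": number, "expires": now + CHALLENGE_TTL, "wrong": 0,
    }
    return challenge_id, f"{number:02d}"


def approve(challenge_id, user, entered=None, now=None):
    """Authenticator app side: approve only by supplying the displayed number.

    Returns one of: "approved", "number_required", "mismatch", "expired", "unknown".
    """
    now = time.time() if now is None else now
    ch = _pending.get(challenge_id)
    if ch is None or ch["user"] != user:
        return "unknown"
    if now > ch["expires"]:
        _pending.pop(challenge_id, None)
        return "expired"
    if entered is None:
        return "number_required"            # a bare approve tap is never enough
    if not hmac.compare_digest(f"{ch['number']:02d}", str(entered).zfill(2)):
        ch["wrong"] += 1
        if ch["wrong"] >= MAX_WRONG_ATTEMPTS:
            _pending.pop(challenge_id, None)  # void the challenge after repeated guesses
        return "mismatch"
    _pending.pop(challenge_id, None)          # single use: a challenge approves once
    return "approved"


if __name__ == "__main__":
    cid, shown = start_signin("alice")
    print("screen shows:", shown)
    print("blind tap:", approve(cid, "alice"))                 # number_required
    print("with number:", approve(cid, "alice", entered=shown))  # approved
```

The two properties worth noting are that the approval path has no “approve without a number” branch at all, and that a challenge is single-use and expires, so a prompt that was ignored cannot be approved later by mistake.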
Set account lockouts after too many MFA requests. By setting a maximum number of MFA requests, your organization can limit the chance of an MFA bombing attack being successful. With a limit in place, an account will be temporarily locked after a predetermined number of requests. This can greatly limit the chance that a user will blindly accept a login prompt, and it raises an alert to your IT department that one of your accounts’ passwords has been stolen.
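The two defender-side pieces this section and the attack description above call for are a cap on push prompts per account and a way to spot the bombing pattern in authentication logs. The following is an added example, not code from the original post or from any MFA vendor: a sliding-window prompt limiter with a temporary lockout and alert, plus a detector run over a few constructed log lines. The thresholds, the JSON event names, and the off-hours window are all assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Added example (not the post's code). Limits on push prompts and the log format are
# constructed for illustration; real identity providers use their own names and defaults.

MAX_PROMPTS = 5          # prompts allowed per account within WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900    # temporary lock once the limit is hit (assumed)


class PushPromptGuard:
    """Decides whether to send a push prompt; locks the account when the limit is hit."""

    def __init__(self):
        self._recent = defaultdict(deque)    # user -> timestamps of recent prompts
        self._locked_until = {}
        self.alerts = []                     # entries for the IT/SOC queue

    def request_prompt(self, user, now):
        """Return "send" if a prompt may go out, "locked" if the account is paused."""
        if self._locked_until.get(user, 0) > now:
            return "locked"
        q = self._recent[user]
        while q and now - q[0] > WINDOW_SECONDS:   # drop prompts outside the window
            q.popleft()
        if len(q) >= MAX_PROMPTS:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            q.clear()
            # The lockout is also the signal: someone holds this account's password.
            self.alerts.append({"user": user, "at": now, "reason": "mfa_prompt_limit"})
            return "locked"
        q.append(now)
        return "send"


# Constructed sample log (JSON lines, one event each); not real telemetry.
SAMPLE_LOG = """\
{"ts": "2024-03-04T02:11:05Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:11:48Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:12:02Z", "user": "alice", "event": "mfa_push_denied"}
{"ts": "2024-03-04T02:12:30Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:13:12Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:14:01Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:15:20Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:16:07Z", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2024-03-04T02:16:40Z", "user": "alice", "event": "mfa_push_approved"}
{"ts": "2024-03-04T09:00:00Z", "user": "bob", "event": "mfa_push_sent"}
{"ts": "2024-03-04T09:00:12Z", "user": "bob", "event": "mfa_push_approved"}
"""


def detect_bombing(log_text, min_prompts=5, window_seconds=600, night_hours=range(0, 6)):
    """Return {user: summary} for accounts showing a bombing pattern: a burst of push
    prompts inside one window, with how many were approved and whether any fell in
    off-hours. Hours are checked in UTC here; a real deployment would use the user's
    local time zone."""
    sent = defaultdict(list)
    approved = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ev["event"] == "mfa_push_sent":
            sent[ev["user"]].append(ts)
        elif ev["event"] == "mfa_push_approved":
            approved[ev["user"]] += 1
    findings = {}
    for user, times in sent.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):                 # largest burst within the window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_prompts:
            findings[user] = {
                "prompts_in_window": peak,
                "approvals": approved[user],
                "off_hours": any(t.hour in night_hours for t in times),
            }
    return findings


if __name__ == "__main__":
    print(detect_bombing(SAMPLE_LOG))
```

The guard stops the stream of prompts at the source, so the user is never worn down, while the detector gives the IT department the case to act on: a burst of prompts, a late-night timestamp, and an eventual approval are exactly the sequence the attack described above produces. An approval that follows such a burst is the event to treat as a likely compromise rather than a normal sign-in.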
Attackers will always continue to find new ways to target MFA and sidestep security controls. Business owners must educate themselves and their staff to these constant changes in the cybersecurity landscape. One of our missions is to provide regular cybersecurity updates for the small business community. Keep an eye out for more here on our blog as well as our LinkedIn, YouTube, and Facebook pages. We encourage everyone to follow and subscribe so that when a new trend emerges, you will be ready to implement changes and educate your staff.