Multi-factor authentication prompt bombing is the strongest proof that not all MFA solutions are secure. This social engineering technique has been generating a lot of interest in recent weeks as cybercriminal groups have deployed it successfully as in the case of the Lapsus$ attacks.
The technique consists of hackers impersonating a company that uses software with an MFA system so that users can identify themselves and access their services and solutions. The target is bombarded by notifications with identification requests that pretend to be part of the MFA program procedure. If the user is tricked into believing that the requests come from the company and clicks on the notification then hackers gain access to the organization’s systems. This type of cyberattack can be carried out in several different ways: they can send a series of online requests to get the user to accept the identification request, believing they are maintaining access to these services. On other occasions, hackers send less frequent requests (one or two a day) to raise less suspicion. There have even been cases of phone calls to a specific user pretending to be an employee of that company to get the user to trust them and tell them that they will be sending an MFA request. The question is how can we avoid these bombing attacks?
- As is usually the case with all social engineering techniques, user distrust and cybersecurity training are key and constitute the first line of defense. In this regard, employees should never accept a push notification to identify themselves to access company programs, if they didn’t request access at that moment, or if it is coming from another location. So, when in doubt, it is best to contact and inform IT managers and disable the notifications in the meantime.
- As regards push notifications, the bombing technique is often used and escalated in MFA solutions where there is no first validation with a password, or used as single passwordless authentication. But this does not mean that an organization can never provide a push notification system for its employees as an MFA procedure, it should provide ways to control MFA bombing or at least monitor for its occurrence and block it.
However, it is advisable to deploy an advanced identity protection and management solution that can control at all times which employees have chosen the push notifications and notify them if they block any of them, as well as implement additional mechanisms to help employees if they receive a flurry of notifications, such as being able to block them for some time. Access to this identity management solution would also have to be password-protected so that a hacker cannot use it to bombard the target because the attacker needs to know the password to this solution first.
This gives organizations complete control over identities, assets, accounts, and information without having to worry about being impersonated using bombing or other techniques to enter its systems by tricking users through MFA procedures.