Cybercriminals are always looking for new ways to attack businesses, and as defenses improve, so do their methods. Multi-Factor Authentication (MFA) has quickly become one of the most effective ways to secure accounts, but attackers have found a way around the most common form of it. The technique is called MFA prompt bombing, and if your staff are not prepared for it, a single careless tap can lead to a serious data breach. Here is what you need to know about this threat and how to avoid it.
What Is MFA?
MFA stands for Multi-Factor Authentication: a login is granted only after the user proves their identity with two or more independent factors, typically something they know (a password), something they have (a phone or security key) and something they are (a biometric). MFA has been available for well over a decade but only became the default expectation for business accounts in the last few years. The term 2FA (Two-Factor Authentication) refers to the common case of exactly two factors, so 2FA is a form of MFA rather than a different mechanism; as threats have evolved, some companies now require more than two.
In the most common setup, the password is the first factor and a push notification to an authenticator app on the user's phone is the second: the app shows "Approve" and "Deny", and one tap completes the login. Some services add a biometric step, so a banking app might ask for the password, push a confirmation prompt to the phone, and then require a fingerprint to finish. This looks hard to beat, but MFA prompt bombing shows that a second factor is only as strong as the decision it asks the user to make: a push prompt is approved with a single tap and carries no proof that the person tapping it actually started the login.
How Does an MFA Bombing Attack Work?
In an MFA prompt bombing attack, the attacker already holds the victim's login ID and password, obtained through phishing, password guessing, or a password reused from another breach; accounts with weak or common passwords are the easiest targets. Every time the attacker signs in with those credentials, the victim's device receives a push prompt asking whether to approve the login. The attack targets push-style MFA specifically: one-time codes that the user types in, or hardware security keys, give the attacker nothing to "bomb", because the user never receives a prompt to approve.
The "bombing" is the frequency. The attacker can trigger login after login, and because the password is correct, the account lockout that normally follows several wrong password attempts never fires; most systems place no limit at all on how many push prompts can be sent in a row. The victim's phone fills with dozens of approval requests, and a single "Approve" on any of them gives the attacker a fully authenticated session.
Why Is MFA Prompt Bombing an Effective Strategy?
On the surface, MFA prompt bombing may seem to pose little risk. After all, the victim can simply keep pressing "Deny", and the attacker never gets in. However, many users tap "Approve" reflexively, because every prompt they have seen before was one they caused themselves. Since most of us have never received an MFA prompt from a malicious login, we are likely to accept it without a second thought.
Furthermore, some people succumb to what has been called "MFA fatigue": tired of prompt after prompt, they approve one just to make the stream of popups stop. Others assume the repeated prompts are a bug in the system rather than a sign that someone else is logging in with their password. The attacker needs only one acceptance to get in, which makes bombardment a very effective strategy.
How to Protect Against MFA Prompt Attacks
With this method of attack rising in popularity, companies need to take extra steps to prevent data breaches from MFA prompt attacks. How can your business protect itself? First, make sure your associates know what MFA prompt attacks are and how they work. Second, have a response plan in place so that people know exactly what to do the moment it happens to them.
Finally, review your cybersecurity policies and settings to reduce the chance of an MFA attack succeeding in the first place. In many cases, adjusting a few settings or changing company policy is enough to cut the odds significantly.
Learn to Recognize an MFA Attack
Everyone on your team needs to understand how MFA attacks work. Consider an infographic or a short video that shows what an attack looks like on the phone screen. Training is vital if you want to prevent a breach from these attacks, and at a minimum all of your associates should know a few basic signs.
First, an MFA prompt should only ever arrive after you deliberately tried to log in to a service, and usually only from a new device or browser. A prompt that appears out of nowhere means someone else has just entered your password correctly, and you may be under attack. Second, you should never receive several prompts in a row unless you intentionally tried to log in, did not receive the first prompt, and requested another one yourself.
Create a Response Plan
If someone receives an unsolicited MFA prompt, or numerous prompts in a row, they need to know how to respond. First, they must not approve any of them, no matter how many arrive. Second, they should report it to the IT or security team at once, because a prompt they did not cause means their password is already in someone else's hands. Attacks of this kind typically last no more than 15 to 30 minutes before the attacker gives up and moves on to the next name on the list, so patience is essential.
Once the prompts stop coming in, the victim should change their password without delay. It is important to wait until the flood has ended, because many systems send an MFA prompt to confirm a password change, and in the middle of a bombardment it is easy to approve an attacker's prompt believing it is your own. Resetting the password stops the attack, since the attacker can no longer pass the first factor and therefore can no longer trigger prompts; where the service offers it, also sign out of all other active sessions.
Preventative Measures
To prevent these attacks from succeeding in the first place, check your MFA settings. Many identity providers let you cap the number of push prompts sent to a device within a period and impose a cooldown or temporary lock once that cap is reached, so that an attacker with a valid password cannot generate an endless stream of prompts. Where it is available, also enable number matching (the user must type a code shown on the login screen into the app rather than just tapping "Approve"), or move to phishing-resistant factors such as FIDO2 security keys, neither of which can be bombed. Since a compromised password is the prerequisite for these attacks, focus on keeping passwords out of attackers' hands: require long, unique passwords managed with a password manager, screen new passwords against lists of known breaches, and force a reset as soon as a compromise is suspected. Forcing everyone to change passwords on a fixed schedule is no longer recommended by current NIST guidance, because it tends to produce weaker, more predictable passwords.
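To make the two controls concrete, here is an added example, written for this article and not code from Edafio or any identity vendor, of a server-side gate that an authentication service would call after a correct password and before sending a push prompt. It enforces the per-user cap with a cooldown described above, treats a run of denied prompts as the detection signal for prompt bombing, and replays a constructed event stream through both a "no limit" policy (the situation described earlier, where password lockout never applies because the password is right) and a hardened one. The policy numbers, the in-memory store, the user name and the event stream are illustrative assumptions.

```python
"""Push-prompt gate with a per-user cap, cooldown and denial-based alerting.

Added example for the article; the policy values and events are constructed
assumptions, not measurements from any real identity provider.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PushPolicy:
    """Tunables for the gate. All values are illustrative assumptions."""
    max_prompts: int      # prompts allowed per user inside the sliding window
    window_s: int         # sliding-window length in seconds
    cooldown_s: int       # once the cap is hit, send nothing for this long
    deny_threshold: int   # denied prompts inside the window that raise an alert


class PushGate:
    """Decides whether a push prompt may be sent after a *correct* password.

    Password lockouts never fire here because the attacker already has the
    right password; this gate supplies the missing limit on the second factor.
    """

    def __init__(self, policy: PushPolicy):
        self.policy = policy
        self._sent = defaultdict(deque)     # user -> times a prompt was sent
        self._denied = defaultdict(deque)   # user -> times a prompt was denied
        self._cooldown_until = {}           # user -> time the cooldown ends
        self._flagged = set()               # users already alerted on
        self.alerts = []                    # (user, time, reason) for the SOC

    def _prune(self, q: deque, now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.policy.window_s:
            q.popleft()

    def request_prompt(self, user: str, now: float) -> str:
        """Return 'sent' if a prompt goes to the device, else 'suppressed'."""
        if now < self._cooldown_until.get(user, 0):
            return "suppressed"
        sent = self._sent[user]
        self._prune(sent, now)
        if len(sent) >= self.policy.max_prompts:
            # Cap reached: start the cooldown and tell the security team.
            self._cooldown_until[user] = now + self.policy.cooldown_s
            self.alerts.append((user, now, "prompt limit hit; cooldown started"))
            return "suppressed"
        sent.append(now)
        return "sent"

    def record_response(self, user: str, now: float, approved: bool) -> None:
        """Feed the user's answer back; repeated denials are the detection signal."""
        if approved:
            return
        denied = self._denied[user]
        denied.append(now)
        self._prune(denied, now)
        if len(denied) >= self.policy.deny_threshold and user not in self._flagged:
            self._flagged.add(user)
            self.alerts.append((user, now, "repeated denied prompts; possible prompt bombing"))


# Constructed event stream (not real logs): one legitimate login at t=0 that the
# user approves, then an attacker with the stolen password forcing a new login
# every 5 seconds, each of which the user denies.
EVENTS = [("alice", 0.0, True)] + [("alice", 1000.0 + 5 * i, False) for i in range(10)]

# No cap, no cooldown, never alerts: the default behaviour the article warns about.
WEAK = PushPolicy(max_prompts=10**9, window_s=300, cooldown_s=0, deny_threshold=10**9)
# At most 3 prompts per 5 minutes, 15-minute cooldown, alert after 2 denials.
HARDENED = PushPolicy(max_prompts=3, window_s=300, cooldown_s=900, deny_threshold=2)


def run(policy: PushPolicy, events=EVENTS):
    """Replay events through the gate; returns (prompts reaching the phone, alerts)."""
    gate = PushGate(policy)
    delivered = 0
    for user, t, user_approves in events:
        if gate.request_prompt(user, t) == "sent":
            delivered += 1
            # The victim answers the prompt a couple of seconds later.
            gate.record_response(user, t + 2, approved=user_approves)
    return delivered, gate.alerts


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        delivered, alerts = run(policy)
        print(f"{name}: {delivered} prompts reached the phone, {len(alerts)} alert(s)")
        for user, t, reason in alerts:
            print(f"  t={t:.0f} {user}: {reason}")
```

Under the unlimited policy all eleven prompts reach the phone and nobody is told, which is exactly the situation that makes bombing work. Under the hardened policy the legitimate login goes through, the attacker gets only three prompts before the cooldown silences the rest, and the security team receives two alerts, the first after just two denials. In a real deployment the same decision would live in the identity provider's policy engine with a shared store rather than in process memory, and the denial alert is the event you would route to your response plan.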
Managed cybersecurity services can help keep your company safe by monitoring your network, protecting your passwords, and creating response plans to ensure you don’t fall victim to the various cyberattack methods used today. Contact Edafio Technology Partners to learn more about our cybersecurity services.