Online account hacking has become a major problem for both organisations and individuals. Think about how many online accounts you have that require a username and password both in your work environment and at home.
Hackers use various methods to get those login credentials but are thwarted at the MFA prompt. This is when they resort to push-bombing.
What Is Push-Bombing?
When a user logs into an MFA-protected account, they typically receive a code or an authorisation prompt of some type. This MFA prompt or approval request will usually arrive as some type of “push” message. Users can receive it in a few ways:
- A device popup
- An app notification
- SMS or text message
Receiving that notification is a normal part of the multi-factor authentication login and it is something the user would be familiar with.
With a push-bombing attack, hackers start with the user’s credentials (obtained through phishing or from a large data breach password dump). They then take advantage of the push notification process by attempting to log in many times. This sends the legitimate user a series of push notifications, one after the other. Many people question an unexpected code they didn’t request, but when someone is bombarded with them, it is easy to mistakenly tap “approve”. Once a notification is accepted, the hacker has access to the account.
Push-bombing is a form of social engineering attack designed to:
- Wear the user down with multiple notifications.
- Confuse the user as they are not sure what to do.
- Trick the user into approving the MFA request, giving the hacker access.
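The pattern described above (many prompts in a short window, most of them denied or ignored, possibly followed by a single approval) is something an IT security team can look for in authentication logs. The following is an added example, not code from the original post: it assumes a simple JSON-lines log format (constructed here) with one record per MFA push prompt, and flags users who received several unapproved prompts within a few minutes.

```python
"""Detect push-bombing (MFA fatigue) bursts in authentication logs.

Added example, not part of the original post. The log format below is an
assumption: one JSON record per MFA push prompt with a timestamp, the user
it was sent to, the result (approved / denied / timeout) and the source IP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: alice approves one normal prompt, bob is
# bombarded and eventually approves, carol denies a single stray prompt.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T22:14:01Z", "user": "bob", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T22:14:20Z", "user": "bob", "event": "mfa_push", "result": "timeout", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T22:14:45Z", "user": "bob", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T22:15:10Z", "user": "bob", "event": "mfa_push", "result": "timeout", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T22:15:40Z", "user": "bob", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:30:00Z", "user": "carol", "event": "mfa_push", "result": "denied", "src_ip": "192.0.2.5"}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of records with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: alert} for users who got >= `threshold` unapproved MFA
    prompts inside `window`. The alert also records whether an approval
    followed the burst (a strong sign the user gave in) and the source IPs."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        unapproved = [e for e in evs if e["result"] != "approved"]
        # Sliding window over the unapproved prompts only.
        for i in range(len(unapproved)):
            j = i
            while (j + 1 < len(unapproved)
                   and unapproved[j + 1]["ts"] - unapproved[i]["ts"] <= window):
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = unapproved[j]["ts"]
                approved_after = any(
                    e["result"] == "approved" and burst_end < e["ts"] <= burst_end + window
                    for e in evs
                )
                alerts[user] = {
                    "unapproved_prompts": count,
                    "approved_after_burst": approved_after,
                    "src_ips": sorted({e["src_ip"] for e in unapproved[i:j + 1]}),
                }
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, alert)
```

An alert with `approved_after_burst` set is the case to treat as a probable compromise: reset the password, revoke sessions and ask the user what happened. Alerts without an approval are still worth a call to the user, because the attacker already holds a valid password and will typically try again.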
Doesn’t MFA Stop Credential Breaches?
Many businesses and individuals use multi-factor authentication (MFA) to improve the security of their online accounts. It is an easy way to stop attackers who have obtained usernames and passwords. MFA has been very effective at protecting accounts for many years, but that very effectiveness has spurred hackers to look for workarounds. One of these nefarious ways to get around MFA is called push-bombing.
Ways to Combat Push-Bombing
Educate Employees
Knowledge is power. When a user experiences a push-bombing attack it can be confusing. If employees are educated, they can be better prepared to defend themselves and your business. Let employees know what push-bombing is and explain how it works. Provide them with training on what to do if they receive MFA notifications they haven’t requested. You should also give your staff a way to report these attacks as it enables your IT security team to alert other users and take steps to secure everyone’s login credentials.
Use Strong Passwords
For hackers to trigger the push notifications at all, they need the user’s username and password. Enforcing strong password policies reduces the chance that a password will be breached in the first place.
Standard practices for strong password policies include:
- Using at least 12 characters in your password.
- Using a combination of at least one upper and one lower-case letter.
- Using a combination of letters, numbers and special characters (i.e. symbols like #, %, ?, = etc.).
- Storing passwords securely in a password manager. See our blog on the Power of a Password Manager.
- Not reusing the same password across different accounts.
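Those policy points can be enforced at the point where a password is set rather than left to the user’s memory. The following is an added example, not code from the original post: a checker that returns every rule the candidate password breaks, including reuse, which it detects by comparing against a history of salted PBKDF2 digests (the history format is an assumption made for this example; never keep old passwords in plain text for this purpose).

```python
"""Password policy checker with reuse detection.

Added example, not part of the original post. Implements the listed rules
(at least 12 characters, upper and lower case, numbers, special characters,
no reuse). The history of previous passwords is stored as (salt, PBKDF2
digest) pairs; that storage format is an assumption for this example.
"""
import hashlib
import secrets

MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000  # assumption: choose a cost suited to your environment


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember_password(password: str, history: list) -> None:
    """Record a salted digest so later candidates can be checked for reuse."""
    salt = secrets.token_bytes(16)
    history.append((salt, _digest(password, salt)))


def check_password_policy(password: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Anything that is neither alphanumeric nor whitespace counts as a symbol.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special character")
    # Reuse check: re-derive the digest with each stored salt and compare in
    # constant time, so the plain-text history never has to be kept.
    for salt, digest in history:
        if secrets.compare_digest(_digest(password, salt), digest):
            problems.append("reused password")
            break
    return problems


if __name__ == "__main__":
    history = []
    remember_password("Correct-Horse-Battery-9", history)
    for candidate in ("Sh0rt!", "alllowercase12345", "Correct-Horse-Battery-9", "Tr0ub4dor&3 is-Long"):
        print(repr(candidate), "->", check_password_policy(candidate, history) or "OK")
```

The reuse check here only covers passwords this one system has seen; preventing reuse across different services is what the password manager in the list above is for.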
Reduce Business Application Sprawl
On average, employees can use up to 36 different cloud-based services per day. The more logins someone has to manage, the greater the risk of a stolen password, password reuse, or passwords written down in an unsecured location. Take a look at how many applications your company uses and examine ways to reduce app “sprawl” by consolidating them. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Consolidating your cloud accounts improves both security and productivity.
Adopt Phishing-Resistant MFA Solutions
You can stop push-bombing attacks by moving to a different form of MFA. Phishing-resistant MFA solutions include using a physical security key for authentication. You connect this key to your computer, and there is no push notification to approve, so there is nothing for an attacker to bombard. This solution is more complex to set up, but it is also more secure than a text or app-based MFA method.
Do You Need Help Improving Your Identity & Access Security?
Businesses need several layers of protection to reduce their risk of a cloud breach. If you are based in Australia and are looking for help to improve your security, give us a call today to schedule a free, no-obligation chat.