How to Prevent Multifactor Authentication (MFA) Fatigue Attacks from Fraudsters and Cybercriminals
Multifactor authentication is a crucial security measure that requires users to provide an additional form of verification before accessing a corporate network. Its purpose is to prevent fraudsters from gaining unauthorized access. However, cybercriminals have become increasingly adept at circumventing it.
In a recent attack on Uber’s IT systems in 2022, the hackers did not employ sophisticated tactics to breach the system. Instead, they bombarded an employee with repeated login requests until the employee, overwhelmed by the constant notifications, approved one of them. This type of cyberattack is known as an “MFA fatigue attack” and poses a significant threat to organizations, warns Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 AFRICA, a cybersecurity training designer.
“Multifactor authentication (MFA) Fatigue Attacks or MFA fatigue attacks, also referred to as prompt spamming or authentication bombing, exploit human vulnerability rather than relying on advanced hacking techniques,” she explains. “These attacks involve continuously sending push notifications to a target who has already provided their username and password, with the intention of irritating or confusing them into unwittingly granting the attacker access to their account or system.”
In the case of Uber, the attacker likely obtained the contractor’s Uber corporate username and password from the dark web. The attacker then made repeated login attempts to the victim’s Uber account. Each time, the victim received a request to approve a two-factor login, initially blocking access. However, after the attacker contacted the contractor on WhatsApp, falsely claiming to be from Uber IT and suggesting that accepting one of the requests would stop the incessant notifications, the contractor eventually accepted one, thereby enabling the attacker to successfully log in.
Previously, cybersecurity experts believed that Multifactor Authentication (MFA) was an infallible technique for safeguarding corporate IT systems against hackers. Recent developments have shown that attackers have found ways to circumvent MFA, either by bombarding the victim with numerous MFA requests or by deceiving them over the phone. This strategy, akin to a swarm of bees overwhelming an individual, is a straightforward yet highly effective social engineering method. By persistently pestering the target until they give in, malicious actors manipulate users into authorizing fraudulent access attempts.
How Can You Prevent Multifactor Authentication (MFA) Fatigue Attacks?
To counteract this threat, it is crucial to adopt preventive measures. One effective approach to preventing MFA fatigue attacks within organizations is to avoid using simple approve/deny push notifications. While MFA does offer an additional layer of security, it is not foolproof, as Collard emphasizes. From a cybersecurity standpoint, it is advisable for organizations to disable such push notifications entirely and opt for alternative verification methods instead.
One such method is number matching, in which the user must match the code displayed on the login screen with the code requested by the authentication app before the login is approved. Because a user who did not initiate the login never sees that code, a prompt they did not request cannot simply be tapped through. Collard describes this approach as an example of a superior verification method.
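To make the difference concrete, here is an added toy example (not code from the article or from KnowBe4) of a second-factor service that combines number matching with a prompt-rate lockout: an approval only succeeds when the number entered in the authenticator matches the one shown on the login screen, and a flood of prompts locks the account and raises an alert. The limit and window values are assumed policy settings, not figures from the article.

```python
import secrets
import time
from collections import deque

PROMPT_LIMIT = 5      # assumed policy: prompts allowed per user per window
WINDOW_SECONDS = 300  # assumed policy: length of the rate-limit window


class MfaService:
    """Toy second factor: number-matching push prompt plus prompt-flood lockout."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the logic is testable
        self._pending = {}         # user -> number currently shown on the login screen
        self._prompt_times = {}    # user -> deque of recent prompt timestamps
        self.locked = set()        # users locked out after a prompt flood
        self.alerts = []           # messages a SOC would receive

    def start_login(self, user):
        """Called after the password check. Returns the number to display on the
        login screen, or None if the account is locked or has just been locked."""
        if user in self.locked:
            return None
        times = self._prompt_times.setdefault(user, deque())
        now = self._now()
        times.append(now)
        while times and now - times[0] > WINDOW_SECONDS:   # drop prompts outside the window
            times.popleft()
        if len(times) > PROMPT_LIMIT:
            # Repeated prompts in a short window look like prompt bombing: stop
            # sending prompts, discard any pending one, and alert the SOC.
            self.locked.add(user)
            self._pending.pop(user, None)
            self.alerts.append(f"MFA prompt flood for {user}: {len(times)} prompts in {WINDOW_SECONDS}s")
            return None
        number = secrets.randbelow(100)   # two-digit code shown only on the login screen
        self._pending[user] = number
        return number

    def approve(self, user, entered):
        """The user types the number from the login screen into the authenticator.
        A plain 'approve' tap (entered=None) or a guess never succeeds, and each
        prompt allows exactly one attempt."""
        expected = self._pending.pop(user, None)
        return expected is not None and entered == expected
```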
Another highly effective means of enhancing security is the challenge-response method. This technique involves posing a specific question to the user to verify their identity, or prompting them to complete a task in response to a challenge. Collard highlights that the challenge-response method is harder for hackers to bypass. It can incorporate mechanisms such as biometric authentication, where users must scan their fingerprints or irises, or use facial recognition, to gain network access. However, it is important to note that neither of these methods is impervious to man-in-the-middle or social engineering attacks, which trick users into divulging their OTP or responding to fraudulent requests.
FIDO2 is an alternative verification method that eliminates the need for passwords when logging in. It uses hardware security keys, such as USB sticks: the user’s private key is stored on the device, while the public key is kept on the authentication server. After the user enters their username and password, the system prompts them to use the hardware key. This method is highly resistant to phishing because it operates on a challenge-response protocol bound to the device, so there is no one-time PIN that can be intercepted and replayed.
Mindfulness Is Key in Preventing Multifactor Authentication (MFA) Fatigue Attacks
Maintaining mindfulness is essential when dealing with cybersecurity threats. Instead of reacting emotionally, users should stay calm and aware of their body’s responses. Whether the threat is a phishing email or an MFA fatigue attack, Collard advises individuals to pay attention to any unusual feelings or situations that put them under undue pressure. By doing so, they can avoid knee-jerk reactions, such as approving a prompt they did not initiate, and help prevent potential data breaches. SOURCE: KnowBe4