The optimal strategy for averting MFA fatigue episodes within organizations is to abstain from utilizing push notifications, warns KnowBe4, a team of free-thinking techies who look at IT security issues a little differently. Where other IT security companies may value profits, they value, well…security, and a strong human firewall. They help organisations build a strong security culture.
Multifactor authentication (MFA) is a security protocol that requires users to provide a secondary form of verification before accessing a corporate network. It has long been deemed indispensable for thwarting fraud attempts. However, cybercriminals have been devising increasingly ingenious methods to circumvent it.
During an assault on Uber’s IT infrastructure in 2022, as reported at https://apo-opa.co/4aT1XGc, the hackers eschewed sophisticated techniques. Instead, they bombarded an employee with repeated login requests until, succumbing to frustration, the employee granted approval for one.
According to SVP Content Strategy and Evangelist for KnowBe4 Africa, Anna Collard, this form of cyberattack is termed an “MFA fatigue attack” and presents a tangible threat to organizations.
“MFA fatigue attacks, also known as prompt spamming or authentication bombing, exploit human vulnerability, rather than relying on high-tech hacking methods,” says Collard.
“These attacks involve sending continuous push notifications to a target who has already provided their username and password, aiming to irritate or confuse them into unwittingly granting the attacker access to their account or system,” she adds.
With Uber, the assailant probably purchased the contractor’s Uber corporate username and password on the dark web. Subsequently, the assailant made multiple attempts to log into the victim’s Uber account. Each time, the victim received a request to approve a two-factor login, which initially blocked access.
However, after the assailant contacted the contractor on WhatsApp, falsely claiming to be from Uber IT and insisting that the only way to stop the persistent notifications was to approve one, the contractor eventually accepted a request, enabling the assailant to log in.
Previously, cybersecurity experts believed that Multifactor Authentication (MFA) was a foolproof method to protect corporate IT systems from hackers.
“Now we’re seeing attackers finding ways around it by bombarding the victim with scores of MFA requests or by tricking them over the phone.”
This tactic, akin to a swarm of bees overwhelming an individual, is a straightforward yet potent social engineering technique employed by hackers.
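The pattern described above, a run of rejected or ignored push prompts followed by a single approval, can be flagged from authentication logs. The Python code below is an added example, not from KnowBe4 or the original article; the log format, the outcome names, the 10-minute window and the threshold of five prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push outcome); not real logs.
SAMPLE_EVENTS = """
2024-01-10T08:00:00 carol DENIED
2024-01-10T09:00:00 bob TIMEOUT
2024-01-10T09:00:30 bob APPROVED
2024-01-10T11:00:00 carol DENIED
2024-01-10T14:00:00 carol DENIED
2024-01-10T17:00:00 carol DENIED
2024-01-10T20:00:00 carol DENIED
2024-01-10T21:00:05 alice DENIED
2024-01-10T21:01:10 alice TIMEOUT
2024-01-10T21:02:00 alice DENIED
2024-01-10T21:03:30 alice DENIED
2024-01-10T21:05:00 alice TIMEOUT
2024-01-10T21:06:40 alice DENIED
2024-01-10T21:08:12 alice APPROVED
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of rejected prompts in window

def parse(text):
    """Yield (timestamp, user, outcome) from whitespace-separated lines."""
    for line in text.strip().splitlines():
        ts, user, outcome = line.split()
        yield datetime.fromisoformat(ts), user, outcome

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Flag prompt bursts, and approvals that arrive right after a burst."""
    rejected = defaultdict(deque)  # user -> times of recent rejected prompts
    burst_open, alerts = set(), []
    for ts, user, outcome in sorted(events):
        q = rejected[user]
        while q and ts - q[0] > window:  # expire prompts outside the window
            q.popleft()
        if len(q) < threshold:           # earlier burst has aged out
            burst_open.discard(user)
        if outcome in ("DENIED", "TIMEOUT"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append((user, ts, "PROMPT_BURST", len(q)))
        elif outcome == "APPROVED":
            if len(q) >= threshold:      # approval that follows a burst
                alerts.append((user, ts, "APPROVED_AFTER_BURST", len(q)))
            q.clear()
            burst_open.discard(user)
    return alerts
```

An `APPROVED_AFTER_BURST` alert is the case that matters most for response, since it marks a session that may not belong to the account owner.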
© IT News Africa | All rights reserved.