Holiday MFA fatigue allows hacker opportunities

November 23, 2022
Access Tech: Stay alert this holiday season while still getting in the spirit.

Multi-factor authentication (MFA) is the gold standard in offices around the world. We all know the drill: you enter your username and, as the password, the name of your first dog plus the last four digits of your social security number. 

Not very foolproof, but often the user is not too worried. In their mind, they know that even if a hacker does figure out their login credentials using various tools or techniques, the hacker still has to find a way around MFA’s second layer of security. 

Beware of “push bombing” 

However, hackers have developed many tried-and-true methods for getting past that second layer, including social engineering attacks, spear-phishing, and DDoS attacks. There is another favorite tool at their disposal, and it relies on users being tired, frazzled, or annoyed enough to “cave in.” And who is not fatigued or frazzled in the final sprint to wrap up Q4 and holiday gifts? The technique hackers like to employ this time of year is called “push bombing.” 

The Cybersecurity and Infrastructure Security Agency (CISA) describes push bombing as a situation where the user is bombarded with push notifications until they hit the ‘accept’ button.

Hackers count on several factors working in their favor when they run a push-bombing campaign. These are some of the specific times of day that push-bombers like to target: 

  • Beginning of the workday 
  • Right before lunch 
  • Middle of the night 
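The pattern CISA describes, a burst of prompts that the user rejects or lets time out, is visible in the identity platform's own logs. The following detection logic is an added example, not code from Access Tech or CISA: it groups each user's push prompts into bursts, flags a burst with repeated rejections, rates an approval that follows those rejections as the "cave in" case, and notes whether the burst began in off hours (one of the times listed above). The log format, field names, five-minute gap, threshold of three rejections and 22:00-06:00 quiet window are all assumptions for this example; the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): one MFA push
# prompt per line, in a hypothetical "timestamp key=value ..." export format.
SAMPLE_LOG = """\
2022-11-23T02:14:05Z user=jdoe event=push_sent result=timeout ip=203.0.113.7
2022-11-23T02:14:40Z user=jdoe event=push_sent result=denied ip=203.0.113.7
2022-11-23T02:15:12Z user=jdoe event=push_sent result=timeout ip=203.0.113.7
2022-11-23T02:15:50Z user=jdoe event=push_sent result=denied ip=203.0.113.7
2022-11-23T02:16:21Z user=jdoe event=push_sent result=approved ip=203.0.113.7
2022-11-23T08:01:10Z user=asmith event=push_sent result=approved ip=198.51.100.4
2022-11-23T12:02:33Z user=asmith event=push_sent result=timeout ip=198.51.100.4
2022-11-23T12:03:01Z user=asmith event=push_sent result=approved ip=198.51.100.4
"""

# Outcomes that mean the user did not approve the prompt.
REJECTS = {"denied", "timeout"}


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def group_bursts(events, gap):
    """Group a user's time-sorted prompts into bursts: consecutive prompts
    separated by no more than `gap` belong to the same burst."""
    bursts, current = [], []
    for e in events:
        if current and e["ts"] - current[-1]["ts"] > gap:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    return bursts


def detect_push_bombing(log_text, gap=timedelta(minutes=5), threshold=3,
                        quiet_hours=(22, 6)):
    """Return one alert per burst in which a user rejected or ignored at least
    `threshold` prompts. An approval that follows those rejections is the
    'cave in' outcome and is rated high severity. The gap, threshold and quiet
    hours (22:00-06:00) are assumed tuning values, not figures from the post."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            if e.get("event") == "push_sent":
                by_user[e["user"]].append(e)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for burst in group_bursts(events, gap):
            rejects = 0
            approved_after_rejects = False
            for e in burst:
                if e["result"] in REJECTS:
                    rejects += 1
                elif e["result"] == "approved" and rejects >= threshold:
                    approved_after_rejects = True
            if rejects < threshold:
                continue
            hour = burst[0]["ts"].hour
            off_hours = hour >= quiet_hours[0] or hour < quiet_hours[1]
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "rejects": rejects,
                "approved_after_rejects": approved_after_rejects,
                "off_hours": off_hours,
                "severity": "high" if approved_after_rejects else "medium",
                "first": burst[0]["ts"].isoformat(),
                "last": burst[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, `jdoe` produces a single high-severity alert (five prompts at 02:14-02:16, four rejected, then approved), while `asmith`'s two prompts around noon stay below the threshold. A high-severity alert is the one worth paging on: the account should be treated as possibly compromised and the approving session reviewed.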

Thwart attacks with proper training and preventative techniques 

The push-bombing technique is so effective during the sprint to the holidays that CISA included push bombing in its list of MFA threats to watch. To add a layer that thwarts push bombing, CISA recommends a token-based OTP. When number matching is implemented, there is an additional step between receiving and accepting the prompt: the user must enter numbers from the identity platform into the application to approve the authentication request. 

MFA is evolving, but so are the hackers’ techniques. 

So, how do you avoid being victimized by a push-bombing campaign? Duncan recommends the following steps: 

User training 

The more someone knows, the more vigilant they can be. User training is the cheapest way to alert people to the threat that push bombing poses. 

Number matching 

This is an effective method to ward off MFA fatigue and push-bombing campaigns. Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request. CISA’s site provides insight into implementing number matching in MFA applications. This technique is not immune to phishing, but it is a good stopgap.  
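To show why the extra step matters, here is an added example that models the identity platform's side of a push prompt with and without number matching. It is not Access Tech's or CISA's code, and the class and method names (`PushVerifier`, `start_login`, `approve`), the two-digit number and the three-attempt lockout are assumptions for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the identity platform's side of a push prompt; the
# names and limits here are invented for this example.


@dataclass
class PendingPrompt:
    user: str
    number: int                      # two-digit value shown on the sign-in screen
    attempts_left: int = 3           # assumed limit before the prompt is locked
    resolved: Optional[str] = None   # "approved", "locked", or None while open


class PushVerifier:
    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending = {}

    def start_login(self, user: str):
        """Create a prompt. The number is displayed only on the sign-in screen,
        so whoever is at that screen knows it and the push recipient does not."""
        req_id = secrets.token_hex(4)
        number = secrets.randbelow(100)
        self.pending[req_id] = PendingPrompt(user, number)
        return req_id, number

    def approve(self, req_id: str, entered: Optional[int] = None):
        """Handle a tap on 'Approve' in the authenticator app. Without number
        matching the tap alone approves; with it the typed number must match."""
        p = self.pending[req_id]
        if p.resolved:
            return p.resolved
        if not self.number_matching or entered == p.number:
            p.resolved = "approved"
            return p.resolved
        p.attempts_left -= 1
        if p.attempts_left == 0:
            p.resolved = "locked"
            return p.resolved
        return "retry"


def tap_through(number_matching: bool, taps: int = 3):
    """A user who never saw the sign-in screen just taps Approve on a prompt,
    which is the behaviour push bombing relies on. Returns the final state."""
    v = PushVerifier(number_matching)
    req_id, _ = v.start_login("jdoe")
    outcome = None
    for _ in range(taps):
        outcome = v.approve(req_id)   # no number entered
    return outcome


def legitimate_login(number_matching: bool):
    """The real user reads the number from their own sign-in screen."""
    v = PushVerifier(number_matching)
    req_id, shown = v.start_login("jdoe")
    return v.approve(req_id, entered=shown)


if __name__ == "__main__":
    print("tap-through, no number matching:", tap_through(False))
    print("tap-through, number matching:   ", tap_through(True))
    print("legitimate, number matching:    ", legitimate_login(True))
```

Without number matching a single tap approves the prompt; with it, a tap from someone who cannot see the sign-in screen never succeeds and the prompt locks after the assumed three attempts, while the genuine user who reads the number off their own screen still gets in. The "not immune to phishing" caveat follows from where the number lives: it is shown on the sign-in screen, so a sign-in that has been relayed through a phishing page can still present the real number to the victim. Number matching defeats blind approvals, not every credential theft.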

As we approach the holiday season, do not give hackers the gift of your data and information. Access Tech has been helping companies for decades keep their security updated and secure against hacks. Contact us today for a consultation on your security system, where we can help identify the holes and patch them up. 
