SoatDev IT Consulting
  • April 18, 2024
  • Rss Fetcher

The optimal strategy for averting MFA fatigue episodes within organizations is to abstain from utilizing push notifications, warns KnowBe4, a team of free-thinking techies who look at IT security issues a little differently. Where other IT security companies may value profits, they value, well… security, and a strong human firewall. They help organisations build a strong security culture.
Multifactor authentication (MFA) is a security protocol that requires users to provide a secondary form of verification before accessing a corporate network. It has long been deemed indispensable for thwarting fraud attempts. However, cybercriminals have been devising increasingly ingenious methods to circumvent it.
During an assault on Uber’s IT infrastructure in 2022, as reported by (https://apo-opa.co/4aT1XGc), the hackers eschewed sophisticated techniques. Instead, they bombarded an employee with repeated login requests until, succumbing to frustration, the employee granted approval for one.
Anna Collard
According to Anna Collard, SVP Content Strategy and Evangelist for KnowBe4 Africa, this form of cyberattack is termed an “MFA fatigue attack” and presents a tangible threat to organizations.
“MFA fatigue attacks, also known as prompt spamming or authentication bombing, exploit human vulnerability, rather than relying on high-tech hacking methods,” says Collard.
“These attacks involve sending continuous push notifications to a target who has already provided their username and password, aiming to irritate or confuse them into unwittingly granting the attacker access to their account or system,” she adds.
With Uber, the assailant probably purchased the contractor’s Uber corporate username and password on the dark web. Subsequently, the assailant made multiple attempts to log into the victim’s Uber account. Each time, the victim received a request to approve a two-factor login, initially blocking access.
However, eventually, after the assailant contacted the contractor on WhatsApp, falsely claiming to be from Uber IT and insisting that the only solution to cease the persistent notifications was to approve one, the contractor accepted a request, enabling the assailant to successfully log in.
Previously, cybersecurity experts believed that Multifactor Authentication (MFA) was a foolproof method to protect corporate IT systems from hackers.
“Now we’re seeing attackers finding ways around it by bombarding the victim with scores of MFA requests or by tricking them over the phone.”

This tactic, akin to a swarm of bees overwhelming an individual, is a straightforward yet potent social engineering technique employed by hackers.

“By bugging you repeatedly until you give in, malicious actors can manipulate users into approving fraudulent access attempts,” adds Collard.
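The pattern described above (a run of rejected or ignored push prompts for one account, then a single approval) can be detected from authentication logs. The following is an added example, not part of the original article; the event layout, user names, window and threshold are assumptions to be mapped onto your own identity provider's push logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push result); not real log data.
SAMPLE_EVENTS = [
    ("2024-04-18T02:10:05", "contractor1", "denied"),
    ("2024-04-18T02:10:40", "contractor1", "timeout"),
    ("2024-04-18T02:11:15", "contractor1", "denied"),
    ("2024-04-18T02:12:02", "contractor1", "timeout"),
    ("2024-04-18T02:13:30", "contractor1", "denied"),
    ("2024-04-18T02:14:10", "contractor1", "approved"),
    ("2024-04-18T09:00:00", "alice", "approved"),
    ("2024-04-18T09:30:00", "bob", "denied"),
    ("2024-04-18T09:31:00", "bob", "approved"),
]

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return (user, timestamp, kind) alerts for piled-up push prompts.

    "prompt_burst": `threshold` prompts were denied or ignored within `window`.
    "approved_after_burst": an approval arrived while such a burst was active,
    which is the sequence the article describes in the Uber incident.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failed prompts
    alerts = []
    for ts_text, user, result in sorted(events):  # ISO timestamps sort by time
        ts = datetime.fromisoformat(ts_text)
        failed = recent[user]
        while failed and ts - failed[0] > window:  # drop prompts outside window
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(ts)
            if len(failed) == threshold:  # alert once, when the burst forms
                alerts.append((user, ts_text, "prompt_burst"))
        elif result == "approved":
            if len(failed) >= threshold:
                alerts.append((user, ts_text, "approved_after_burst"))
            failed.clear()  # a successful login resets the user's counter
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An "approved_after_burst" alert is the one to act on first: revoke the session and contact the user through a known channel.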

How to Prevent MFA fatigue attacks

The best way to prevent MFA fatigue attacks in organisations is not to use push notifications.
“While MFA provides an extra layer of security, it’s not foolproof. From a cybersecurity perspective, I would recommend that organisations disable push notifications altogether and rather use alternative verification methods.”
An example of a better verification method is number matching. “This involves matching a unique code provided by the authentication app with the code displayed on the screen during the login process,” says Collard.
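A sketch of how a server can enforce number matching, so that a bare tap on "approve" is never enough. This is an added example, not part of the original article or any vendor's code; the class name, two-digit number, 60-second lifetime and three-attempt limit are assumptions, and it assumes the number is shown on the login screen and typed into the app.

```python
import hmac
import secrets
import time

class NumberMatchChallenge:
    """One pending login that must be confirmed by entering a matching number."""

    def __init__(self, ttl_seconds=60, max_attempts=3, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised in tests
        # Two-digit number shown on the login screen, never sent in the push.
        self.number = f"{secrets.randbelow(100):02d}"
        self.expires_at = now() + ttl_seconds
        self.attempts_left = max_attempts
        self.state = "pending"  # pending -> approved | rejected

    def respond(self, typed_number):
        """Process what was entered in the app and return the resulting state."""
        if self.state != "pending":
            return self.state  # single use: a decided challenge cannot change
        if self._now() > self.expires_at:
            self.state = "rejected"  # stale prompts cannot be approved later
            return self.state
        self.attempts_left -= 1
        typed = "" if typed_number is None else str(typed_number)
        # Constant-time comparison of the entered and expected numbers.
        if hmac.compare_digest(typed.encode(), self.number.encode()):
            self.state = "approved"
        elif self.attempts_left == 0:
            self.state = "rejected"  # cap guessing at a few tries
        return self.state

def demo():
    """Blind approval fails; the user who can read the login screen succeeds."""
    challenge = NumberMatchChallenge()
    blind = challenge.respond(None)  # tap with no number: not approved
    matched = challenge.respond(challenge.number)  # number read off own screen
    return blind, matched

if __name__ == "__main__":
    print(demo())
```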

A challenge-response method is another effective way of providing additional security. This method asks a user a specific question to verify their identity or to perform a task in response to a challenge.
“A challenge-response method is more difficult for hackers to bypass. It can involve mechanisms like biometric authentication, in which users must scan their fingerprints or irises or use facial recognition to gain access to a network.”
However, neither of the above is immune to so-called man-in-the-middle or social engineering attacks that trick users into handing over their OTP or response to the fraudster.

Alternatively, organisations can use FIDO2. “FIDO2, an open authentication standard, offers a password-free login method. Users employ hardware security keys like USB sticks, storing the private key locally and the public key on the server. Upon username and password entry, the system prompts for the hardware key, enhancing security against phishing with its challenge-response protocol.”

Embracing Mindfulness: Unlocking the Power Within

In hacking attempts, users must stay calm and mindful, avoiding emotional reactions. “Stay tuned into your body’s responses when dealing with potential cybersecurity threats, whether they are phishing emails or MFA fatigue attacks.”
“If something feels strange, like if the situation is putting you under undue pressure, listen to that cue and don’t respond in a knee-jerk fashion. In this way, you’ll keep a straight head and thwart potential data breaches,” she concludes.

Notes: KnowBe4

The post What Are MFA Fatigue Attacks, and How Can You Stop Them? first appeared on IT News Africa | Business Technology, Telecoms and Startup News.
