What are MFA fatigue attacks, and how can they be prevented?

April 2024 Information Security

During an attack on Uber’s IT systems in 2022, the hackers did not use any sophisticated tactics to gain access. Instead, they bombarded an employee with repeated login requests until, out of sheer frustration, the employee approved one. “This type of cyberattack is known as an ‘MFA fatigue attack’ and poses a real risk to organisations,” says Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa.

“MFA fatigue attacks, also known as prompt spamming or authentication bombing, exploit human vulnerability, rather than relying on high-tech hacking methods,” she explains. “These attacks involve sending continuous push notifications to a target who has already provided their username and password, aiming to irritate or confuse them into unwittingly granting the attacker access to their account or system.”

In the Uber case, the attacker likely bought the contractor's Uber corporate username and password on the dark web and then made repeated attempts to log in with them. Each attempt sent the contractor a push request to approve the login, and as long as those requests were ignored or denied the second factor held. The attacker then contacted the contractor on WhatsApp, claiming to be from Uber IT and saying that the only way to get rid of the never-ending notifications was to accept one. The contractor eventually accepted a request, and the attacker was logged in.

Until recently, multifactor authentication (MFA) was widely regarded as a foolproof way to protect corporate IT systems from hackers. “Now we are seeing attackers finding ways around it by bombarding the victim with scores of MFA requests, or by tricking them over the phone,” says Collard. “This tactic, similar to a swarm of bees overwhelming someone, is a simple yet effective social engineering technique used by hackers. By bugging you repeatedly until you give in, malicious actors can manipulate users into approving fraudulent access attempts.”
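The pattern just described, a burst of denied or unanswered prompts for one account followed by an approval, also shows up in authentication logs, and a detection for it gives the security team a chance to act while the attacker is still bombarding or right after the victim gives in. The following Go program is an added example for this article, not code from KnowBe4 or from any identity provider; its log format, the sample lines, the user names and the threshold and gap values are all constructed for it and would need tuning to the real log source.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type pushEvent struct {
	at     time.Time
	user   string
	result string // "approved", "denied" or "timeout"
}

// Alert is a burst of denied/unanswered prompts; ApprovedAfter marks the Uber pattern.
type Alert struct {
	User          string
	Prompts       int
	Start         time.Time
	ApprovedAfter bool
}

// sampleLog is constructed for this example, not output of any real product.
// Format: "<RFC3339 time> user=<name> event=<name> [result=<outcome>]".
var sampleLog = []string{
	"2024-04-02T09:01:03Z user=contractor01 event=password_ok",
	"2024-04-02T09:01:05Z user=contractor01 event=mfa_push result=denied",
	"2024-04-02T09:01:41Z user=contractor01 event=mfa_push result=timeout",
	"2024-04-02T09:02:30Z user=contractor01 event=mfa_push result=denied",
	"2024-04-02T09:03:12Z user=contractor01 event=mfa_push result=timeout",
	"2024-04-02T09:04:50Z user=contractor01 event=mfa_push result=denied",
	"2024-04-02T09:09:17Z user=contractor01 event=mfa_push result=approved",
	"2024-04-02T09:02:00Z user=alice event=mfa_push result=denied",
	"2024-04-02T09:02:20Z user=alice event=mfa_push result=approved",
	"2024-04-02T09:30:00Z user=bob event=mfa_push result=timeout",
	"2024-04-02T09:30:40Z user=bob event=mfa_push result=timeout",
	"2024-04-02T09:31:20Z user=bob event=mfa_push result=denied",
	"2024-04-02T09:32:00Z user=bob event=mfa_push result=denied",
	"2024-04-02T09:32:45Z user=bob event=mfa_push result=denied",
}

// parseLine extracts an mfa_push event; other or malformed lines return ok=false.
func parseLine(line string) (pushEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return pushEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return pushEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	if kv["event"] != "mfa_push" || kv["user"] == "" || kv["result"] == "" {
		return pushEvent{}, false
	}
	return pushEvent{at: at, user: kv["user"], result: kv["result"]}, true
}

// DetectFatigue groups each user's prompts into bursts (consecutive prompts no more than gap
// apart) and alerts on bursts of at least threshold denied/unanswered prompts. An approval
// closes the burst and, if the burst had already reached threshold, sets ApprovedAfter.
func DetectFatigue(lines []string, threshold int, gap time.Duration) []Alert {
	byUser := map[string][]pushEvent{}
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			byUser[ev.user] = append(byUser[ev.user], ev)
		}
	}
	var alerts []Alert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		var burst []pushEvent
		flush := func(approved bool) {
			if len(burst) >= threshold {
				alerts = append(alerts, Alert{User: user, Prompts: len(burst), Start: burst[0].at, ApprovedAfter: approved})
			}
			burst = nil
		}
		for _, ev := range evs {
			if len(burst) > 0 && ev.at.Sub(burst[len(burst)-1].at) > gap {
				flush(false) // quiet period: the previous burst is over
			}
			if ev.result == "approved" {
				flush(true)
				continue
			}
			burst = append(burst, ev)
		}
		flush(false)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	for _, a := range DetectFatigue(sampleLog, 5, 5*time.Minute) {
		fmt.Printf("%s: %d prompts from %s, approved after bombing: %v\n", a.User, a.Prompts, a.Start.Format(time.RFC3339), a.ApprovedAfter)
	}
}
```

On the sample data this flags bob (bombing in progress, no approval yet) and contractor01 (approval after five prompts, the session should be treated as compromised), while alice's single denied-then-approved pair, the ordinary mistap, stays quiet. An ApprovedAfter alert is the one to wire to an automatic session revoke and password reset.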

How can you prevent it?

The most direct way to prevent MFA fatigue attacks is to stop relying on simple approve/deny push notifications: a prompt that can be satisfied with one tap, without any information from the login screen, is exactly what the attacker is counting on. “While MFA provides an extra layer of security, it is not foolproof,” she asserts. “From a cybersecurity perspective, I would recommend that organisations disable push notifications altogether and rather use alternative verification methods.”

An example of a better verification method is number matching. The login screen shows a short number, and the user must type that number into the authenticator app before the prompt is accepted. A user who did not start the login never sees the number, so the prompt cannot be approved with a reflexive tap; to get in, the attacker would also have to talk the victim into entering a number the attacker reads out, which takes more effort, is far more suspicious, and leaves a trace.
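As an added example, not code from the article or from any authentication vendor, the following Go program models the server side of number matching: the number is handed to whoever typed the password, and approval requires that number back from the authenticator app. It goes one step beyond the text by also capping how many prompts an account may receive per window, so that an attacker holding the password cannot keep generating prompts at all. The PushServer type, its policy values, the two-digit range and the user names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrPushSuspended  = errors.New("too many push prompts in window: push disabled, use another factor")
	ErrNoSuchPrompt   = errors.New("no such pending prompt")
	ErrPromptExpired  = errors.New("prompt expired")
	ErrNumberMismatch = errors.New("entered number does not match the login screen")
)

// Policy holds the server-side limits; the prompt cap goes beyond the article's number-matching advice.
type Policy struct {
	MaxPrompts int           // prompts a user may receive per Window
	Window     time.Duration
	PromptTTL  time.Duration // how long a prompt can still be approved
}

type prompt struct {
	user   string
	number int
	issued time.Time
}

// PushServer is a hypothetical authentication back end (not any vendor's code).
type PushServer struct {
	policy  Policy
	pending map[string]*prompt     // prompt ID -> prompt
	history map[string][]time.Time // user -> times prompts were issued
}

func NewPushServer(p Policy) *PushServer {
	return &PushServer{policy: p, pending: map[string]*prompt{}, history: map[string][]time.Time{}}
}

// Request runs after the password step. It returns a prompt ID and the two-digit number to
// show on the login screen, i.e. to whoever typed the password; in an attack that is the
// attacker's screen, not the victim's.
func (s *PushServer) Request(user string, now time.Time) (id string, number int, err error) {
	recent := s.history[user][:0]
	for _, t := range s.history[user] {
		if now.Sub(t) <= s.policy.Window {
			recent = append(recent, t)
		}
	}
	s.history[user] = recent
	if len(recent) >= s.policy.MaxPrompts {
		return "", 0, ErrPushSuspended
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100))
	if err != nil {
		return "", 0, err
	}
	raw := make([]byte, 8)
	rand.Read(raw) // crypto/rand.Read is documented never to fail on Go 1.24+
	id = hex.EncodeToString(raw)
	s.pending[id] = &prompt{user: user, number: int(n.Int64()), issued: now}
	s.history[user] = append(recent, now)
	return id, int(n.Int64()), nil
}

// Approve is called by the authenticator app with the number the user typed. A wrong
// number burns the prompt, so an attacker cannot cycle through all 100 values.
func (s *PushServer) Approve(id string, entered int, now time.Time) error {
	p, ok := s.pending[id]
	if !ok {
		return ErrNoSuchPrompt
	}
	delete(s.pending, id)
	if now.Sub(p.issued) > s.policy.PromptTTL {
		return ErrPromptExpired
	}
	if entered != p.number {
		return ErrNumberMismatch
	}
	return nil
}

func main() {
	s := NewPushServer(Policy{MaxPrompts: 3, Window: 10 * time.Minute, PromptTTL: time.Minute})
	t0 := time.Date(2024, 4, 2, 9, 0, 0, 0, time.UTC)
	// Attacker holds the password and spams prompts; the victim cannot see the number on
	// the attacker's screen, so even a "just make it stop" approval is a wrong guess.
	for i := 0; i < 4; i++ {
		at := t0.Add(time.Duration(i) * time.Minute)
		id, n, err := s.Request("contractor01", at)
		if err != nil {
			fmt.Println("attacker prompt", i+1, "refused:", err)
			continue
		}
		fmt.Println("attacker prompt", i+1, "issued; victim's guess:", s.Approve(id, (n+1)%100, at.Add(5*time.Second)))
	}
	// The real user logs in later, reads the number from their own screen and types it.
	id, n, _ := s.Request("contractor01", t0.Add(11*time.Minute))
	fmt.Println("legitimate login:", s.Approve(id, n, t0.Add(11*time.Minute+10*time.Second)))
}
```

Two design points matter here: the number is generated per prompt and only ever shown on the screen that started the login, and a prompt is consumed on its first answer, right or wrong. The prompt cap is what turns the attack's own signature, dozens of prompts in minutes, against it: once the cap is hit the account falls back to another factor and the bombing stops by itself.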

A challenge-response method is another effective way of providing additional security. The system presents the user with a challenge, such as a specific question to answer or a task to perform, and only the matching response proves the user's identity; because the response depends on the challenge, an attacker cannot simply trigger prompts and wait for a tap. A challenge-response method is therefore more difficult for hackers to bypass. It can involve mechanisms like biometric authentication, in which users must scan their fingerprints or irises or use facial recognition to gain access to a network. However, neither number matching nor challenge-response is immune to so-called ‘man-in-the-middle’ attacks or to social engineering: an attacker who is already in contact with the victim, as in the Uber case, can relay the challenge or read out the number and trick the user into handing over their OTP or response.

Another effective verification method is FIDO2, an open authentication standard that allows users to log in without a password, or to use a security key as a second factor alongside one. “You can implement FIDO2 using hardware security keys,” she explains. Typically, a USB (or NFC) security key holds the user’s private key, which never leaves the device, while the matching public key is registered with the authentication server. When the key is used as a second factor, the system asks for it as soon as the user has entered their username and password: the server sends a random challenge, the user touches the key, and the key signs the challenge together with the identity of the website the browser is actually on, so a signature obtained on a look-alike phishing site is useless against the real one. There is also nothing to bombard: an attacker who holds only the password cannot make the key sign anything, because that requires the user's physical touch at the moment of login. “It is more resistant to phishing as it works on a challenge-response protocol and does not rely on a one-time PIN that can be intercepted.”
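To show why a FIDO2 login can neither be bombarded nor phished in the way a push prompt can, here is an added Go example that is not the article's code and not any vendor's implementation. It models a simplified WebAuthn-style assertion (the real protocol carries more fields and checks): the browser records the origin it is actually on and hashes that host into the signed data, and the server rejects anything signed for another origin, as well as any reused challenge. The names corp.example and corp-login.example, the user name contractor01 and the RelyingParty/Authenticate functions are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type RelyingParty struct { // the server: its origin and RP ID, registered keys, issued challenges
	Origin     string // e.g. "https://corp.example"
	RPID       string // e.g. "corp.example"; the credential is scoped to it
	creds      map[string]*ecdsa.PublicKey
	challenges map[string]bool // outstanding challenges, base64url-encoded
}

func NewRelyingParty(origin, rpID string) *RelyingParty {
	return &RelyingParty{Origin: origin, RPID: rpID, creds: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// NewKey stands in for the key pair a hardware key generates at registration; only the public half reaches the server.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// Challenge issues a fresh random challenge for one login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read is documented never to fail on Go 1.24+
	rp.challenges[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct { // what the browser hands back to the page that asked for it
	ClientDataJSON []byte
	AuthData       []byte // SHA-256(rpID) || flags || counter
	Signature      []byte // ASN.1 ECDSA over signedDigest(AuthData, ClientDataJSON)
}

// signedDigest is what the key signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Authenticate models browser plus hardware key. The browser, not the page, records the
// origin it is really on and hashes that host into AuthData; the key signs over both, so a
// page on another origin gets no usable assertion even when it relays the genuine challenge.
func Authenticate(priv *ecdsa.PrivateKey, pageOrigin string, challenge []byte) (Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://") // taken from the address bar, not from page content
	cd, _ := json.Marshal(clientData{Origin: pageOrigin, Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	rpIDHash := sha256.Sum256([]byte(host))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// Verify is the relying party's check; any failure is a hard reject.
func (rp *RelyingParty) Verify(user string, a Assertion) error {
	pub, ok := rp.creds[user]
	var cd clientData
	if !ok || json.Unmarshal(a.ClientDataJSON, &cd) != nil {
		return errors.New("unknown user or malformed client data")
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already used challenge")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("assertion was made on %q, not %q", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash does not match this relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	delete(rp.challenges, cd.Challenge) // single use: a captured assertion cannot be replayed
	return nil
}

func main() {
	rp := NewRelyingParty("https://corp.example", "corp.example")
	priv, _ := NewKey()
	rp.Register("contractor01", &priv.PublicKey)
	a, _ := Authenticate(priv, "https://corp.example", rp.Challenge())
	fmt.Println("real site:    ", rp.Verify("contractor01", a))
	phished, _ := Authenticate(priv, "https://corp-login.example", rp.Challenge()) // proxy relays the genuine challenge
	fmt.Println("phishing site:", rp.Verify("contractor01", phished))
}
```

The contrast with a push prompt or OTP is in the phishing case: the attacker's proxy can obtain a perfectly genuine challenge from the real server and get the victim to touch their key, but the resulting signature names corp-login.example and is rejected, and rewriting the origin afterwards breaks the signature. Nothing here is pushed to the user, so there is no prompt for an attacker with only the password to spam.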

Mindfulness is key

As with all hacking attempts, it is crucial that users remain calm and mindful, rather than reacting emotionally. “Stay tuned into your body’s responses when dealing with potential cybersecurity threats, whether they are phishing emails or MFA fatigue attacks,” says Collard. “If something feels strange, like if the situation is putting you under undue pressure, listen to that cue and do not respond in a knee-jerk fashion. In this way, you will keep a straight head and thwart potential data breaches.”



