Hackers using “push bombing” to bypass your MFA/2FA
Multifactor authentication (MFA) is the gold standard in offices around the world, and 2FA is the standard for end users. We all know the drill: you use your username (often your email address) and, perhaps, as the password, the name of your first dog and your kid’s DOB.
Not very foolproof, and not recommended, but often the end user isn’t too worried. In their mind, they know that if the hacker does figure out their crappy password using various tools or techniques, they still must find their way past the 2FA/MFA layer of security.
Beware of “push bombing”
However, what you may not realize is that hackers have developed many tried-and-true methods for circumventing your 2FA/MFA security, including social engineering attacks, spear-phishing, and DDoS attacks. And there is another favorite tool hackers have at their disposal, one that relies on users being tired, frazzled, or annoyed enough to “cave in,” which is especially prevalent in the lead-up to the holiday season.
Users and organizations frequently implement multi-factor authentication (or 2FA) that uses push notifications to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.
- The 2022 Passwordless Security Report found that push attacks grew 33% year over year
- Push attacks are a favorite tactic of Nobelium, the Russian hacking group behind the massive SolarWinds supply chain attack
- The recent attacks by the Lapsus$ hacking group underscore the level of risk push notification MFA creates for organizations.
What Are Push Attacks?
Push attacks (also called push bombing attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password. With 15 billion stolen passwords available on the dark web, this is trivial. The attacker spams the victim with notifications to authenticate until they are fatigued and finally accept it. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.
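The prompt-spam pattern described above is visible in MFA logs, so a defender can alert on it. The following is an added example, not code from the original article: the event fields, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result). Not real log data.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "approved"),   # normal single login
    ("2024-01-10T23:01:00", "bob", "denied"),
    ("2024-01-10T23:01:40", "bob", "timeout"),
    ("2024-01-10T23:02:10", "bob", "denied"),
    ("2024-01-10T23:03:05", "bob", "timeout"),
    ("2024-01-10T23:03:50", "bob", "denied"),
    ("2024-01-10T23:04:30", "bob", "approved"),     # approval right after a burst
    ("2024-01-10T23:10:00", "carol", "denied"),
    ("2024-01-10T23:40:00", "carol", "denied"),     # spread out, below threshold
]

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Alert on users who get `threshold` or more unapproved push prompts
    inside `window`; raise severity when an approval follows the burst,
    because that approval may be a fatigue approval rather than a real login."""
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved prompts
    alerts = {}
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:          # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "prompts": 0, "severity": "burst"})
                alert["prompts"] = max(alert["prompts"], len(q))
        elif result == "approved":
            if len(q) >= threshold:              # alert already exists for this burst
                alerts[user]["severity"] = "approved_after_burst"
                alerts[user]["approved_at"] = ts_text
            q.clear()
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the case to act on first: revoke the session it created and reset the user's password, since the attacker already holds it.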
How Does a Push Attack Work?
Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?
Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification?
The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times in concert with phishing tools to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.
Push Attack Vulnerability Factors
Sending fake approval messages to a user is nothing new. We’ve seen them take the form of SMS phishing, fake login pages and, of course, the classic Google Drive email attachment.
Push notification attacks take advantage of a few key factors:
The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily in security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.
Push-based approvals are often introduced to the enterprise along with an MFA app such as Salesforce Authenticator. The user associates the action of approving a request with a security feature. Given this, it’s understandable that people aren’t quick to be suspicious of this functionality.
Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale, it becomes a very promising attack vector.
Compromisable Push Notification MFA
Of course, the elephant in the room here is the fact that standard push notification MFA is inherently flawed and increasingly being used as an attack vector.
Can You Prevent Push Attacks?
The good news is that you can use alternative authentication flows that better secure you or your users, increase your login speed and provide a smoother user experience.
These attacks are generally going to be targeted at employees of organizations the attackers want to gain access to, rather than at individuals.
If you are just an end user looking to protect access to your online services and accounts, the easy solution is to not use an MFA/2FA solution that simply requires you to tap “approve” on your mobile device (such as Windows Hello or Android authentication), which gives access to anyone who is asking.
Instead, use a solution that actually requires you to interact with the service/website that you are logging into, such as entering a One-Time-Password (OTP) from your authenticator app or confirming an on-screen code that you will only know if you are the one logging in.
This will stop you from simply approving a malicious actor’s requests, either accidentally or through fatigue.
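The on-screen code check described above can be sketched from the server's side. This is an added example, not code from the original article or from any vendor; the class name, the two-digit code and the 60-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime of a pending login challenge

class LoginChallenges:
    """Hypothetical server-side store of pending MFA challenges."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}    # challenge_id -> (code, expiry)
        self._clock = clock

    def start(self):
        """Called after the password step. The code is shown on the login
        page only; it is never put in the notification sent to the phone."""
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(100):02d}"
        self._pending[challenge_id] = (code, self._clock() + CODE_TTL_SECONDS)
        return challenge_id, code

    def respond(self, challenge_id, typed_code):
        """Called by the authenticator app with what the user typed. A bare
        'approve' tap carries no code, so it cannot satisfy the challenge."""
        entry = self._pending.pop(challenge_id, None)   # single use: one attempt
        if entry is None:
            return False
        code, expiry = entry
        if self._clock() > expiry:
            return False
        typed = str(typed_code or "")
        return hmac.compare_digest(code.encode(), typed.encode())

if __name__ == "__main__":
    server = LoginChallenges()
    cid, shown = server.start()
    print("blind approve accepted:", server.respond(cid, None))
    cid, shown = server.start()
    print("matching code accepted:", server.respond(cid, shown))
```

Because each challenge allows a single attempt, a user who is bombed with prompts but cannot see the attacker's login screen has at most a 1-in-100 chance per prompt of guessing a two-digit code.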
For corporate solutions, read on.
Taking a User-First Approach to Authentication
One solution is to deploy mobile-initiated authentication at the front door to your corporate experience: your computer.
When you combine user-first login with desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and Single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.
For example, with HYPR True Passwordless™ MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop.
User-initiated authentication for desktop SSO addresses multiple threats:
- Clarifying Intent: The login action is initiated by the user. This requirement signals a clear intent to log in. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
- Stops phishing: Login of this kind is phishing resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
- Elimination of passwords: HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM-swapping attacks that are common among legacy, password-based MFA solutions.
MFA By Design
The mobile-initiated login method is multi-factor by design. It provides factors for:
- Something you are: your fingerprint, face scan, or other biometric recognition.
- Something you have: your smartphone, which acts as a physical FIDO token, similar to a smart card.
- Something you know: a decentralized PIN that’s also stored safely on your device.
Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.
Log into SSO With QR Code
Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. A QR login feature lets users log into their SSO-managed web apps by scanning a QR code with the app or camera on their smartphone.
This prevents push fatigue and its potential for push attacks. It gives more control to the end user, as they initiate their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR code login is also inherently multi-factor, as it utilizes something you have (your phone) and something you are (biometric validation).
Preventing Push Attacks: Key Takeaways
With push notification MFA, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day.
As cyber threats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:
- Push-based MFA can be bypassed with commonly used tools such as Modlishka and with phishing.
- Initiating login on the user’s smartphone creates a phishing-resistant flow so your employees cannot be tricked into logging into the enterprise.
- Mobile-initiated login at the desktop is inherently multi-factor; this means you can leverage your SSO provider for instant access to cloud and web applications.
- QR Code login to SSO eliminates push notifications entirely from the authentication process.