Hackers using “push bombing” to bypass your MFA/2FA


Multifactor authentication (MFA) is the gold standard in offices around the world and 2FA is the standard for end users. We all know the drill: you use your username (often your email address) and, perhaps, as the password, the name of your first dog and your kids’ date of birth.

Not very foolproof, and not recommended, but often the end user isn’t too worried. In their mind, they know that if the hacker does figure out their crappy password using various tools or techniques, they still must find their way past the 2FA/MFA layer of security.

Beware of “push bombing”

However, what you may not realize is that hackers have developed many tried-and-true methods for circumventing your 2FA/MFA security, including social engineering attacks, spear-phishing, and DDoS attacks. And there is another favorite tool at their disposal, one that relies on users being tired, frazzled, or annoyed enough to “cave in”, which is especially prevalent in the lead-up to the holiday season.

Users and organizations frequently implement multi-factor authentication (or 2FA) that uses push notifications to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.

  • The 2022 Passwordless Security Report found that push attacks grew 33% year over year
  • Push attacks are a favorite tactic of Nobelium, the Russian hacking group behind the massive SolarWinds supply chain attack
  • The recent attacks by the Lapsus$ hacking group underscore the level of risk push notification MFA creates for organizations.


What Are Push Attacks?

Push attacks (also called push bombing attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password; with 15 billion stolen passwords available on the dark web, obtaining one is trivial. The attacker then spams the victim with notifications to authenticate until they are fatigued and finally accept one. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.

How Does a Push Attack Work?

Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?

Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification? 

The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times in concert with phishing tools to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.
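The pattern described above leaves a clear trace in an identity provider's logs: a burst of push requests for one account in a short window, often followed by a single approval. The following script is an added example, not code from the original article or any vendor; it runs over constructed sample log lines in an assumed `timestamp user= event= ip=` format and flags accounts that received a burst of prompts, marking the dangerous case where an approval followed the burst.

```python
"""Detect MFA push-bombing bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Assumed format:
# <ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>
SAMPLE_LOG = """\
2023-11-20T08:01:02Z user=alice event=push_sent ip=203.0.113.7
2023-11-20T08:01:09Z user=alice event=push_approved ip=203.0.113.7
2023-11-20T22:14:00Z user=bob event=push_sent ip=198.51.100.9
2023-11-20T22:14:05Z user=bob event=push_denied ip=198.51.100.9
2023-11-20T22:14:20Z user=bob event=push_sent ip=198.51.100.9
2023-11-20T22:14:41Z user=bob event=push_sent ip=198.51.100.9
2023-11-20T22:15:03Z user=bob event=push_sent ip=198.51.100.9
2023-11-20T22:15:30Z user=bob event=push_sent ip=198.51.100.9
2023-11-20T22:15:44Z user=bob event=push_approved ip=198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, ip)."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["user"], kv["event"], kv["ip"]


def detect_push_bombing(log_text, window=timedelta(minutes=5), threshold=3):
    """Return one alert per user who received >= threshold push prompts
    inside any sliding window of `window`, noting whether an approval
    came after the burst (the case that needs immediate response)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_user = defaultdict(list)
    for ts, user, ev, ip in events:
        by_user[user].append((ts, ev, ip))

    alerts = []
    for user, evs in by_user.items():
        sends = [ts for ts, ev, _ in evs if ev == "push_sent"]
        max_in_window, crossed_at, start = 0, None, 0
        for end, ts in enumerate(sends):
            # slide the window start forward until it fits within `window`
            while ts - sends[start] > window:
                start += 1
            count = end - start + 1
            max_in_window = max(max_in_window, count)
            if count >= threshold and crossed_at is None:
                crossed_at = ts
        if crossed_at is None:
            continue  # normal usage, no burst
        approved_after = any(ev == "push_approved" and ts >= crossed_at
                             for ts, ev, _ in evs)
        alerts.append({
            "user": user,
            "pushes_in_window": max_in_window,
            "first_burst_at": crossed_at.isoformat(),
            "approved_after_burst": approved_after,
            "source_ips": sorted({ip for _, ev, ip in evs if ev == "push_sent"}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

In the sample, `bob` gets five prompts within ninety seconds and then approves, which is exactly the fatigue outcome; `alice` receives one prompt and approves it normally and is not flagged. Tune `threshold` and `window` to the prompt rate your IdP actually sees, and treat an approval after a burst as an incident rather than a statistic.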

Push Attack Vulnerability Factors

Sending fake approval messages to a user is nothing new; we’ve seen them take the form of SMS phishing, fake login pages and, of course, the classic Google Drive email attachment.

Push notification attacks take advantage of a few key factors:

Awareness

The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily in security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.

Familiarity

Push-based approvals are often introduced to the enterprise along with an MFA app such as Salesforce Authenticator. The user associates the action of approving a request with a security feature. Given this, it’s understandable that people aren’t quick to be suspicious of this functionality.

Cognitive Overload

Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale, it becomes a very promising attack vector.

Compromisable Push Notification MFA

Of course, the elephant in the room is the fact that standard push notification MFA is inherently flawed and increasingly being used as an attack vector.

Can You Prevent Push Attacks?

The good news is that you can use alternative authentication flows that better secure you or your users, increase your login speed and provide a smoother user experience.

These attacks are generally targeted at employees of organizations the attackers want to gain access to, rather than at individuals.

If you are just an end user looking to protect access to your online services and accounts, the easy solution is not to use an MFA/2FA solution that simply requires you to tap “Approve” on your mobile device (such as Windows Hello or Android authentication), which grants access to whoever is asking.

Instead, use a solution that actually requires you to interact with the service/website you are logging into, such as entering a One-Time Password (OTP) from your authenticator app or confirming an on-screen code that you will only know if you are the one logging in.

This will stop you from simply approving a malicious actor’s requests, either accidentally or through fatigue.
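To make the difference concrete, the following added example (not code from the article or from any authenticator vendor) models both flows side by side in a small simulated service. In the “tap Approve” design the phone gets a bare prompt and any tap grants access; in the number-matching design the server shows a two-digit code on the login screen only, and the app approves only when the user types that code. A push-bombing victim never sees the attacker’s screen, so they have nothing to type. The class and function names are assumptions for the illustration.

```python
"""Blind tap-to-approve push versus number-matching push (added example)."""
import hmac
import secrets


class PushMfaService:
    """Minimal server-side model of a push MFA flow. Assumed design for
    illustration, not any vendor's API. With number_matching=True the
    server shows a two-digit code on the login screen and the phone app
    only approves when the user types that same code."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # request_id -> {"user", "code", "status"}

    def start_login(self, user):
        """Called after a correct password. Returns (request_id, code_on_screen).
        The code goes to the login screen only; the phone gets just a prompt."""
        request_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}" if self.number_matching else None
        self.pending[request_id] = {"user": user, "code": code, "status": "pending"}
        return request_id, code

    def approve(self, request_id, typed_code=None):
        """Phone app response. Returns True only if access is granted."""
        req = self.pending[request_id]
        if req["status"] != "pending":
            return False  # already approved or denied; no second chance
        if self.number_matching:
            if typed_code is None or not hmac.compare_digest(typed_code, req["code"]):
                req["status"] = "denied"
                return False
        req["status"] = "approved"
        return True


def simulate(number_matching, user_sees_screen, taps_approve=True):
    """One login attempt. user_sees_screen=True is the legitimate user at
    the keyboard; False is a push-bombing victim whose phone buzzes while
    the attacker's browser, not the user's, is showing the code."""
    service = PushMfaService(number_matching)
    request_id, code_on_screen = service.start_login("alice")
    if not taps_approve:
        return False  # user ignores or denies the prompt
    typed = code_on_screen if user_sees_screen else None  # victim has nothing to type
    return service.approve(request_id, typed)


if __name__ == "__main__":
    print("tap-to-approve, fatigued victim taps:", simulate(False, False))  # True: attacker in
    print("number matching, fatigued victim taps:", simulate(True, False))  # False
    print("number matching, real user at keyboard:", simulate(True, True))  # True
```

The weak and hardened designs differ by one line of server logic, but the effect is that a tired tap can no longer complete a login the user did not start. Entering an OTP from an authenticator app into the website has the same property: the secret flows from the user toward the service, so an unsolicited prompt has nothing to approve.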

For corporate solutions, read on.

Taking a User-First Approach to Authentication

One solution is to deploy mobile-initiated authentication at the front door to your corporate experience: your computer.

When you combine user-first login with desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and Single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.

For example, with HYPR True Passwordless™ MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop. 


User-initiated authentication for desktop SSO addresses multiple threats:

  • Clarifying Intent: The login action is initiated by the user. This requirement signals a clear intent to login. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
  • Stops phishing: Login of this kind is phishing resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
  • Elimination of passwords: HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM-swapping attacks that are common among legacy, password-based MFA solutions.

MFA By Design

The mobile-initiated login method is multi-factor by design. It provides factors for:

  • Something you are: your fingerprint, face scan, or other biometric recognition. 
  • Something you have: your smartphone, which acts as a physical FIDO token, similar to a smart card.
  • Something you know: a decentralized PIN that’s also stored safely on your device.

Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.

Log into SSO With QR Code

Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. The QR Login feature lets users log into their SSO-managed web apps by scanning a QR code with the app or camera on their smartphone.


This prevents push fatigue and its potential for push attacks. It gives more control to the end user, as they initiate their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR Code login is also inherently multi-factor, as it utilizes something you have (your phone) and something you are (biometric validation).
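The security property behind this flow is that the login session is minted by the browser and the phone only ever responds to a code the user deliberately scanned; nothing is pushed, so there is no prompt to spam. The following is an added example of one generic way to build such a flow. It is an assumed design for illustration and is not HYPR’s implementation or any vendor’s API: the QR code carries the origin, a session id and a one-time nonce, the app refuses codes from any other origin and gates on a (simulated) biometric, and a registered device secret stands in for the private key a FIDO authenticator would hold.

```python
"""User-initiated QR code login bound to the browser session (added example)."""
import hashlib
import hmac
import json
import secrets
import time

SSO_ORIGIN = "https://sso.example.com"  # assumed placeholder origin


def _sign(secret, origin, session_id, nonce):
    """Device signature over origin|session|nonce. HMAC stands in for the
    asymmetric signature a FIDO authenticator would produce."""
    msg = f"{origin}|{session_id}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class QrLoginServer:
    """Illustrative SSO back end (assumed design, not a vendor's code)."""

    def __init__(self, ttl_seconds=60):
        self.devices = {}   # user -> device secret registered at enrolment
        self.sessions = {}  # session_id -> {"nonce", "expires", "user"}
        self.ttl = ttl_seconds

    def register_device(self, user, device_secret):
        self.devices[user] = device_secret

    def new_session(self, now=None):
        """Browser opens the login page: mint a session and return the JSON
        the QR code encodes. Nothing is pushed to any phone."""
        now = time.time() if now is None else now
        session_id, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[session_id] = {"nonce": nonce, "expires": now + self.ttl, "user": None}
        return json.dumps({"origin": SSO_ORIGIN, "session": session_id, "nonce": nonce})

    def complete(self, session_id, user, signature, now=None):
        """Phone posts its signature. Returns True when the browser session is logged in."""
        now = time.time() if now is None else now
        sess = self.sessions.get(session_id)
        secret = self.devices.get(user)
        if sess is None or secret is None or sess["user"] is not None or now > sess["expires"]:
            return False  # unknown, unregistered, already used (replay) or expired
        expected = _sign(secret, SSO_ORIGIN, session_id, sess["nonce"])
        if not hmac.compare_digest(signature, expected):
            return False
        sess["user"] = user
        return True


class PhoneApp:
    """The user's authenticator app. Scanning is the user's deliberate act;
    there is no inbound prompt for an attacker to trigger."""

    def __init__(self, user, device_secret, biometric_passes=True):
        self.user = user
        self.secret = device_secret
        self.biometric_passes = biometric_passes  # simulated "something you are"

    def scan(self, qr_payload):
        data = json.loads(qr_payload)
        if data.get("origin") != SSO_ORIGIN:  # code shown by a look-alike site: refuse
            return None
        if not self.biometric_passes:         # biometric gate on the device
            return None
        sig = _sign(self.secret, data["origin"], data["session"], data["nonce"])
        return data["session"], self.user, sig


if __name__ == "__main__":
    secret = b"constructed-device-secret"
    server = QrLoginServer()
    server.register_device("alice", secret)
    qr = server.new_session()
    session_id, user, sig = PhoneApp("alice", secret).scan(qr)
    print("login completed:", server.complete(session_id, user, sig))
```

Three checks in `complete` carry the weight: the session is single-use, so a captured response cannot be replayed; it expires, so a stale code on a shared screen is worthless; and the signature covers the origin, so a code relayed from a look-alike site does not verify for the real one.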

Preventing Push Attacks: Key Takeaways

With push notification MFA, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day. 

As cyber threats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:

  • Push-based MFA is subject to bypass by commonly used tools such as Modlishka and by phishing.
  • Initiating login on the user’s smartphone creates a phishing-resistant flow so your employees cannot be tricked into logging into the enterprise.
  • Mobile-initiated login at the desktop is inherently multi-factor; this means you can leverage your SSO provider for instant access to cloud and web applications.
  • QR Code login to SSO eliminates push notifications entirely from the authentication process.

What is the difference between 2FA and MFA?


Cybersecurity is a complex topic and if you are the average layperson, you have likely found yourself asking “What is the difference between 2FA and MFA?”.

In simple terms, Two-Factor Authentication (2FA) requires users to demonstrate exactly two distinct methods of authentication, whereas Multi-Factor Authentication (MFA) requires users to demonstrate a MINIMUM of two distinct methods of authentication but can be more. So, all 2FA is MFA, but not all MFA is 2FA.

If you are new to the world of cybersecurity, terms such as MFA and 2FA may appear rather cryptic to you. Sometimes MFA and 2FA are used interchangeably, but although similar, they are not the same thing. Both acronyms have been in wide use for years and happen to be an inseparable part of online security, so let’s once and for all clear up the confusion around MFA and 2FA.

Preliminary Definitions

In order to fully comprehend what MFA and 2FA are, you have to understand two concepts: that of authentication and that of a factor of authentication.

Authentication is a process during which a security system decides if the person who tries to log in is exactly who they claim to be.

The preceding definition entails that a security system has to find a way to ensure that the person who tries to log in as Bob is indeed Bob and not someone pretending to be Bob. The security system should not grant access to some other person using Bob’s credentials. So how can a security system know that the person is Bob?

Well, Bob has to successfully present adequate evidence of his identity and then and only then will he be granted access.

A factor of authentication is a piece of evidence that a user has to present to prove they are who they claim to be. 

The three basic Factors of Authentication are:

  • Knowledge Factor – represents what you know, e.g. a password
  • Possession Factor – represents what you have, e.g. a phone, a security token
  • Inherence Factor – represents who you are, e.g. your fingerprint or eye retinal pattern

MFA vs. 2FA

Multi-Factor Authentication (MFA) is a type of authentication that requires two or more factors of authentication.

Two-Factor Authentication (2FA) is a type of authentication that requires exactly two factors of authentication.

Two-Factor Authentication is, therefore, a subset of Multi-Factor Authentication, and the following two sentences are true:

  • Every Two-Factor Authentication is Multi-Factor Authentication
  • Not every Multi-Factor Authentication is Two-Factor Authentication

Why Is One Factor Not Enough?

The Knowledge Factor is the most commonly used factor of authentication. A password you enter every time you log in to an application is an example of the Knowledge Factor. Unfortunately, passwords have long proved insufficient in the contemporary world. Simply put, passwords are not secure enough.

Cybercriminals invented a wide range of methods to intercept and hack somebody’s password, from phishing to keylogging, to rainbow table attacks. If passwords are your sole line of defense against unauthorized access, then you better enable Multi-Factor Authentication in your workforce before it’s too late along with a password manager.

How Introducing More Factors Improves Security

MFA adds more factors of authentication and therefore eliminates security threats associated with low security of passwords. You can think of every factor as an additional lock, with varying levels of difficulty of breaking them. If you introduce Two-Factor Authentication (2FA) to your users’ login experience, then even if a malicious third party manages to break the weak lock (password), they will not be able to open the door because the strong lock (e.g. the Mobile Push authentication request method) will stop them.

The Mobile Push authentication method is an example of the Possession Factor. Mobile Push is one of the methods your users can use if they install a mobile authentication app. Assuming the attacker already broke your password, now they have to steal or gain remote access to your phone, which isn’t impossible but much harder than cracking a password. Stealing or gaining access to your phone requires additional steps on the attacker’s side, which in turn means more time for you to react. Simply tapping DENY on your phone will stop any malicious attempt at breaking into your account.


Human Error And More Factors of Authentication

Nobody’s perfect. It’s human to err. Sometimes you work under stress or pressure and it’s so easy to get distracted. Attackers know this and they will try to attack you when you are the weakest. You can make a mistake that will cost you your data and money. Two-Factor Authentication significantly mitigates the probability of human error but does not eliminate it. Introducing yet another factor of authentication will make your authentication even stronger and the chances of human error are negligible.

One way to further reinforce your MFA is turning on fingerprinting in your Authenticator.

With fingerprinting turned on, your Mobile Push Multi-Factor Authentication gains a third step: after you enter your password and the push request reaches your phone, the Authenticator also asks for your fingerprint before the request can be approved.

Again, adding more factors of authentication is like adding more locks to your door, each lock harder to crack than the other. In the login example above, three factors of authentication were used:  Knowledge Factor (password), Possession Factor (phone), and Inherence Factor (fingerprint). Since three factors were used, the preceding is an example of Multi-Factor Authentication but not Two-Factor Authentication.

Enable MFA/2FA Now

To reiterate, MFA involves introducing more factors of authentication to the process of authentication. 2FA is a subset of MFA that involves using exactly two factors of authentication. Using just one factor in the form of a password is not secure enough, and that’s why you have to enable Multi-Factor Authentication in your company.

Time is of the essence. Now that you understand what MFA/2FA is and know how insecure using only passwords in your company is, enable MFA before it’s too late! Improving security should be your number one concern now.

Also see: Why you should be using a password manager.

Russ Michaels