Push-Bombing Threats Can Bypass 2FA
by TUCU Managed IT Services in Toronto
In this post we cover a new threat called push-bombing so that if it happens to you or your team, you know what to do.
In order to learn or grow, we have to challenge assumptions. First, let's challenge the assumption that every password you and your team use is strong. Research says this is not the case.
If a password has been compromised, the next layer of protection would be 2 factor authentication. Push-bombing targets 2FA.
Doesn’t Multi-Factor Authentication Stop Credential Breaches?
Threats keep changing. Multi-factor authentication (MFA) has been and continues to be a way to stop attackers who have gained access to usernames and passwords, but every layer of security is a target for hackers to try to exploit. This is what push-bombing is - an effort to bypass MFA.
This is why it is important you stay up to date on changes in IT security and threat prevention trends, or hire a managed IT security provider to help you keep up. For now, here is a great push-bombing explainer to share with your team.
● How Does Push-Bombing Work?
By now, you likely have 2FA enabled on several accounts.
With 2FA, receiving a notification is a normal part of the login process. It’s something you are familiar with.
With push-bombing, hackers already have your password. They may get compromised credentials through phishing or from a data breach password dump.
With the correct password, they target the push notification process. They attempt to log in many times in quick succession. This sends you several push notifications, one after the other.
Many people will question the receipt of an unexpected code that they didn’t request, but when someone is bombarded with these, it can be easy to mistakenly click to approve access.
If it happens to you, put down the phone until the notifications stop. You don't want to accidentally click allow and give away access to your account.
Once the notifications stop, log in and change your passwords because chances are very good that your password has been compromised.
Push-bombing is a form of social engineering attack designed to:
- Confuse the user
- Wear the user down
- Trick the user into approving the MFA request to give the hacker access
Stay calm and remember these tips.
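The attack described above leaves a visible trace on the defender's side: a burst of push challenges for one account, sent from one login source, most of them denied or expired. The following is an added example (not code from the original post) that scans such challenge records and raises an alert when a user receives more pushes in a short window than normal use would produce; the log format, the user names, the IP addresses and the thresholds are all constructed for illustration, and real identity providers expose equivalent fields under their own names.

```python
"""Detect push-bombing bursts in MFA push-challenge logs.

Added example, not code from the original post. The log format is
constructed: one line per push challenge with a timestamp, the user,
the result of the challenge and the IP of the login attempt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a burst of denied/expired pushes for "alice" from
# a single IP that ends in an approval, plus normal activity for "bob".
SAMPLE_LOG = """\
2024-03-04T08:00:01Z user=bob result=approved ip=203.0.113.7
2024-03-04T09:14:02Z user=alice result=denied ip=198.51.100.23
2024-03-04T09:14:09Z user=alice result=expired ip=198.51.100.23
2024-03-04T09:14:15Z user=alice result=denied ip=198.51.100.23
2024-03-04T09:14:21Z user=alice result=expired ip=198.51.100.23
2024-03-04T09:14:30Z user=alice result=denied ip=198.51.100.23
2024-03-04T09:14:41Z user=alice result=approved ip=198.51.100.23
2024-03-04T12:30:00Z user=bob result=approved ip=203.0.113.7
"""

WINDOW = timedelta(minutes=5)   # look-back window for counting challenges
THRESHOLD = 4                   # challenges within WINDOW that count as a burst


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_push_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for every user whose push challenges reach
    `threshold` inside `window`. The alert records the largest burst seen,
    the source IPs involved and whether any push in the burst was approved,
    which is the case that needs an immediate response (the account was
    most likely taken over, and the password is already known)."""
    recent = defaultdict(deque)   # user -> challenges still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent[ev["user"]]
        q.append(ev)
        # Slide the window: drop challenges older than `window`.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            previous = alerts.get(ev["user"], {}).get("count", 0)
            alerts[ev["user"]] = {
                "count": max(len(q), previous),
                "start": q[0]["ts"],
                "end": q[-1]["ts"],
                "ips": sorted({e["ip"] for e in q}),
                "approved": any(e["result"] == "approved" for e in q),
            }
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_bursts(SAMPLE_LOG).items():
        severity = "HIGH (approved)" if alert["approved"] else "medium"
        print(f"{user}: {alert['count']} pushes from {alert['ips']} "
              f"between {alert['start']} and {alert['end']} - {severity}")
```

Running the block on the constructed log flags only "alice", with six pushes from one IP in under a minute and an approval at the end. A burst with no approval is the signal to contact the user and reset the password; a burst that ends in an approval should be treated as a likely account takeover and the session revoked as well.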
How To Combat Push-Bombing In Your Business
● Educate Employees
Between 2019 and 2021, account takeover (ATO) rose by 307%. Take time to educate everyone on your team about the risks.
Aside from the risks, push-bombing attacks can be confusing and stressful. By arming your employees with awareness and education beforehand, they will be better able to recognize the attack and stay calm.
Share this post with them. Remind them what not to do if they receive 2FA notifications they didn’t request.
Ask staff to report these attacks to your IT company so that they can alert other users and help them to secure their login credentials if needed.
● Curate and Reduce Approved Apps
If you are not already using an application security tool, now is the time to consider reviewing and reducing the number of approved apps for use across your organization. This helps in two ways:
- reducing the number of login credentials each staff member must maintain
- re-assessing the security of each app
On average, employees use 36 different cloud-based services per day and with each login there comes a risk of a stolen login credential.
Review your productivity suite for additional apps and services you can access behind a single login. By maximizing your Microsoft 365 subscription or Google Workspace accounts, you can improve productivity and security in one move.
● Consider Phishing-Resistant MFA Solutions
SMS messages are easier to spoof and exploit with tactics like push-bombing attacks. Consider moving to a different form of MFA. Microsoft's new code authentication is a step in the right direction. Other options for phishing-resistant MFA include a device passkey or a physical security key for authentication. These are a bit more complex to set up, but they are also more secure than text-based 2FA.
● Create Strong Password Policies
Push-bombing bypasses 2FA when hackers already have passwords. Educate your team on password security and use password enforcement tools where you can. Strong passwords for every staff member and every account help protect your business.
Standard practices for secure password policies include:
- Using both upper and lower-case letters
- Using a combination of letters, numbers, and symbols
- Not using personal information in passwords such as birth dates
- Never reusing passwords across accounts
- Storing passwords securely
● Adopt an Advanced Identity Management Solution
Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users then have just one login and MFA prompt to manage, rather than several.
Additionally, businesses can use identity management solutions to implement contextual login policies. These enable a higher level of security by adding access enforcement flexibility. The system could automatically block login attempts outside a desired geographic area. It could also block logins during certain times or when other contextual factors aren’t met.
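To make the idea of a contextual login policy concrete, here is an added example (not code from the original post and not the configuration of any particular identity product) that checks a login attempt against the kinds of conditions described above: an allowed set of countries, working hours, whether the device is managed, and how many MFA prompts the account has already received in the last hour. The policy fields, the attempt fields and the sample attempts are assumptions constructed for illustration.

```python
"""Evaluate a login attempt against a contextual access policy.

Added example, not code from the original post. Field names in POLICY
and in the attempt dicts are assumptions chosen for this illustration.
"""
from datetime import datetime, time

POLICY = {
    "allowed_countries": {"CA", "US"},
    # Local working hours: start inclusive, end exclusive.
    "work_hours": (time(7, 0), time(20, 0)),
    "require_managed_device": True,
    # Cap on MFA prompts per hour; a push-bombing burst trips this rule
    # even if the user has not yet approved anything.
    "max_mfa_prompts_per_hour": 5,
}

# Constructed attempts: one that satisfies every rule, one that fails all.
GOOD_ATTEMPT = {
    "user": "alice", "country": "CA",
    "local_time": datetime(2024, 3, 4, 10, 0),
    "managed_device": True, "mfa_prompts_last_hour": 1,
}
BAD_ATTEMPT = {
    "user": "alice", "country": "ZZ",           # ZZ: user-assigned code, constructed
    "local_time": datetime(2024, 3, 4, 3, 15),
    "managed_device": False, "mfa_prompts_last_hour": 7,
}


def evaluate_login(attempt, policy=POLICY):
    """Return ("allow" | "block", reasons).

    Every failed condition is collected rather than stopping at the first,
    so the resulting log entry explains the whole decision to an analyst.
    """
    reasons = []
    if attempt["country"] not in policy["allowed_countries"]:
        reasons.append(f"country {attempt['country']} not in allowed list")
    start, end = policy["work_hours"]
    local = attempt["local_time"].time()
    if not (start <= local < end):
        reasons.append(f"login at {local.isoformat(timespec='minutes')} "
                       f"is outside work hours")
    if policy["require_managed_device"] and not attempt["managed_device"]:
        reasons.append("device is not managed")
    if attempt["mfa_prompts_last_hour"] >= policy["max_mfa_prompts_per_hour"]:
        reasons.append(f"{attempt['mfa_prompts_last_hour']} MFA prompts "
                       f"in the last hour exceeds the limit")
    return ("allow" if not reasons else "block", reasons)


if __name__ == "__main__":
    for attempt in (GOOD_ATTEMPT, BAD_ATTEMPT):
        decision, reasons = evaluate_login(attempt)
        print(f"{attempt['user']} from {attempt['country']}: {decision}",
              *("  - " + r for r in reasons), sep="\n")
```

The prompt-rate rule is the one most directly tied to push-bombing: blocking further login attempts once an account has received an unusual number of MFA prompts stops the bombardment at the source, so the user is no longer put in a position where one accidental tap grants access.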
Do You Need Help Improving Your Identity & Access Security?
Strong passwords and multi-factor authentication alone are not enough. Small businesses need multiple layers of protection to reduce the risk of a cloud breach.
Are you looking for some help with your Identity Management and IT security? Give us a call today to schedule a chat.