MFA Bombing: How Does it Work?
MFA bombing (multi-factor authentication bombing) is a type of social engineering cyber attack during which hackers repeatedly push authentication requests. The end goal is to cause a user to enable hackers to access the now-compromised account.
What is MFA?
This is the definition of MFA bombing (you may also have heard it called MFA spamming), but do you know what multi-factor authentication is?
Simply put, MFA is where a device requires multiple options to be validated by a user while they are logging into an account.
These options typically include a password, followed by a one-time passcode (OTP) which is then sent to the user’s smartphone. This will either land in the app or will be sent via text message – the user will then validate their identity by typing in the passcode.
Because two different mediums have been used, this is known as two-factor authentication (2FA for short), and is the most common form of MFA.
Below, we will discuss both how MFA bombing works, and how you can protect yourself and your organisation against it.
How Do Hackers Use MFA Bombing?
As mentioned earlier, MFA bombing is when hackers will send numerous authentication requests to a device – the key word here being numerous.
In doing this, they essentially overwhelm the MFA system by sending so many requests in such a short period.
And the risk associated with this – they can easily access your accounts, without you even knowing about it, due to the amount of disruption that the hacking has caused.
How Do They Know My Details?
Data breaches are a key factor in how hackers can access your details online. A data breach is essentially a leak which results in private information being given out – this can be either accidental or on purpose.
For example, if you have signed up to a website, entered your email address and password and perhaps a security question (such as your mother’s maiden name), then this information could be leaked and your account accessed, as well as your data being available to any hackers – they now have your email address, know a personal fact about you, and have your password. This is another reason it is so important to have different passwords for different websites. Using the same password on a variety of different websites, from personal social media accounts to work email accounts, means that if your password appears in a data breach, it could be used to access a multitude of your accounts.
However, hackers don’t necessarily have to wait for a mistake to be made in order to access your details through a data breach.
Some hacking businesses will sell their customers’ data for a price to other hackers – which is why you should always be vigilant when signing up to a new website, and about how many details you’re giving away.
Multiple Authentication Requests
You may have noticed above that MFA bombing requires multiple authentication requests – but how can this be possible from a mobile device, or even a computer?
Long gone are the days of a hacker sitting in a dark basement manually punching in random numbers to hack an account halfway across the world.
Automated bots are set up – often using some form of clever coding – to copy a genuine login attempt.
Their aim is to use the stolen data – usernames and passwords – to log in to your account. This makes it look like a genuine login attempt.
Sending Numerous Requests
Once the hackers have secured your data, and set up the automated bots to make a forced login attempt, this is the real beginning of the MFA bombing attack.
The next step that they undertake is to send a multitude of login requests.
But this is not done over the course of a month, a week or even a day – they will do it over a matter of minutes and seconds.
The reason behind this is so that the sheer amount of login requests coming in (faster than a human could possibly do this, hence using a bot or some form of artificial intelligence to do it instead) will crash the MFA system.
The system’s usual response to this sort of attempt is to do one of two things. It will either crash, and then access is open to the hackers, or it will shut down any further login attempts – including genuine login attempts from yourself – so that either way, you will be unable to access your accounts.
Overwhelming the MFA Process
With so many login requests coming in during such a short space of time, the system will likely be overwhelmed. This is sometimes referred to as MFA fatigue, or an MFA fatigue attack. This means that the system will either slow down, or fail completely – making it either very difficult or impossible for anyone else to log in – and unfortunately, if you have been hacked by MFA bombing, this means that you will be unable to access your accounts, but the hackers can. This is exactly what the hackers want to do.
When the system is essentially in meltdown, or has been fully overwhelmed, it will sometimes grant access to a login attempt without the second authentication factor (which is typically the text sent through to your mobile device or smartphone app).
This is again an ideal situation for the hackers, because they can now log in without the need for 2FA – they already have your password, and can log in with just this piece of information.
Unauthorised Access to Your Accounts
This is the end goal of what the hackers wanted to achieve – they want to access your accounts. By crashing the multi-factor authentication system (hence the name bombing being used), the hackers have now successfully gained access to your accounts, from just one password.
Again, this demonstrates the importance of having a range of passwords for different websites – if they manage to get hold of a work password (for example) then they can access your work files – but if you happen to use the same password for your own personal social media accounts, then they can also access these the same way.
This is a brief guide of how MFA bombing works. The next sections of the article will outline methods and suggest tips on how you can prevent an MFA bomb attack at your business, company or workplace.
Have a Password Policy in Place
Time to start at the very beginning – and the very first step is to make sure that you have a password policy in place at your organisation.
There is no real easy way around this because there must be a certain level of complexity in place. It is no use allowing your employees to use passwords such as “password1” because although it is easy to remember, it is easy to hack, too.
Consider making at least one number and one special character compulsory, as well as making the passwords case sensitive.
This chart shows just how easy it is for hackers to compromise your passwords – any passwords which are just under 10 numbers can be hacked instantly, but the more layers of complexity you add to it, the harder it is. The example shown is that an eighteen-character password, including special characters, a mixture of upper and lower case letters and numbers, would take a hacker 7 quadrillion years to compromise!
For more tips on setting up a good password policy in the workplace, check out our previous article on the subject here.
Offer Cybersecurity Training
Ensuring that your team have some basic understanding of cybersecurity and how to protect the organisation and themselves is key to combatting MFA bombing.
Naturally, there are hundreds of courses online which can be either undertaken for free or paid for, which can train across all levels of cybersecurity.
If you’re an office-based institution, perhaps you could hire a cybersecurity expert or professional in to undertake training once a week throughout the whole company – or just implement company-wide cybersecurity training.
The more savvy employees are when it comes to cybersecurity knowledge, the safer they – and your business – will be online.
With many companies offering remote work or hybrid models, there are still options on how you can set up cybersecurity for your team – this article has numerous tips on how to make the most of cybersecurity while at home.
Two-Factor Authentication for MFA
Yes, you read that right – this is something that should absolutely be taken into account, and it is very possible to do so!
Enabling 2FA for MFA adds an extra level of security for MFA – think of it as multi-factor authentication for MFA. Although this does sound confusing, when broken down, it is essentially layer upon layer of extra security, thus reducing the risk of MFA bombing.
An example of setting this up could be something such as two additional security questions, another password, or even a facial or fingerprint recognition ID for more physical forms. Nevertheless, this is an additional factor which can help you and your accounts stay safer online.
Monitoring Passwords
While a successful password policy was mentioned above, monitoring how often passwords are changed is another factor which can help you to keep safe online and deter the threat of MFA bombing.
Making sure that passwords cannot be reused is key to this process, especially since they cannot be reused by other employees.
Numerous passwords are difficult to remember and are often changed predictably, with characters such as $ replacing S. However, with tools such as LogonBox, password breaches can be detected and the user informed and, if policy mandates it, forced to change the password, meaning that you don’t have to try and remember 100 different passwords, only to end up changing them every month or so.
This article outlines how easily you can change and reset your password with LogonBox. According to a Google survey, only 45% of respondents would change their password after a breach – in spite of the fact that 47% said that they had lost money as a result of their password being compromised.
Keeping on top of your passwords and regularly updating them is key to staying safe as an organisation – and seeing statistics like this might just shock enough people into understanding how dangerous keeping the same password can be.
Monitor Your MFA
This is another key factor in how you can protect yourself and reduce the risk of MFA bombing. Ensuring that you have a dedicated team or an artificial intelligence model which can track and monitor any suspicious login attempts around the clock is a good way to ensure that you can stay safe from MFA bombing.
Monitoring any support tickets that come through and any logs of failed login attempts is a good way to discern genuine from spammy attempts.
In addition, keeping track of the volume of requests which come through for temporary or one-off verification codes is another successful method in identifying MFA bombing. For instance, if hundreds of requests are coming through at once, then you will know that it is an MFA bombing attempt. On the contrary, if there are two requests, it could just be that the person attempting to access their account has missed the first one and is trying again.
Monitoring the MFA patterns themselves is another good tip on how you can monitor your MFA overall.
For instance, look at the data and see how long it is taking users to log in. Does it take them longer than it did before? Is this why more requests are coming through? Keeping an eye on this will help improve and streamline your process too.
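The volume check described above can be run over MFA logs with a sliding window per user. The following is an added example, not code from this article or from LogonBox; the log format, the event names, the two-minute window and the threshold of five prompts are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample lines: '<ISO time> <user> <event>' (hypothetical format)."""
    start = datetime(2024, 5, 1, 2, 13, 0)
    lines = [
        "2024-05-01T09:00:00 alice mfa_push_sent",   # genuine user who missed the first prompt
        "2024-05-01T09:00:40 alice mfa_push_sent",
        "2024-05-01T09:00:55 alice mfa_push_approved",
    ]
    # bob: 12 prompts, 5 seconds apart, followed by an approval
    lines += [f"{(start + timedelta(seconds=5 * i)).isoformat()} bob mfa_push_sent"
              for i in range(12)]
    lines.append(f"{(start + timedelta(seconds=70)).isoformat()} bob mfa_push_approved")
    return lines

def parse_line(line):
    stamp, user, event = line.split()
    return datetime.fromisoformat(stamp), user, event

def find_mfa_bursts(lines, window=timedelta(minutes=2), threshold=5):
    """Return {user: {"peak": n, "approved_after_burst": bool}} for flagged users."""
    recent = defaultdict(deque)      # user -> prompt timestamps still inside the window
    flagged = {}
    for ts, user, event in sorted(parse_line(l) for l in lines if l.strip()):
        q = recent[user]
        while q and ts - q[0] > window:          # drop prompts older than the window
            q.popleft()
        if event == "mfa_push_sent":
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    user, {"peak": 0, "approved_after_burst": False})
                entry["peak"] = max(entry["peak"], len(q))
        elif event == "mfa_push_approved" and user in flagged and len(q) >= threshold:
            # An approval while the burst is still in the window deserves urgent review.
            flagged[user]["approved_after_burst"] = True
    return flagged

if __name__ == "__main__":
    print(find_mfa_bursts(build_sample_log()))
```

An approval that arrives while a burst is still inside the window is the case to escalate first, since it may mean the user accepted a prompt they did not initiate.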
For a system which is tried and tested, take a look at ours here.
Limit the Number of Login Attempts
This is also known as rate limiting.
Taking control of how many push notifications and prompts are sent to a user in one session can reduce the risk of MFA bombing.
For example, if you normally send 10, reduce this amount to 3. That way, it makes it more difficult for hackers to access your accounts, while genuine users are hardly likely to need more than 3 attempts per session.
Not only does this reflect more positively for both the user experience and the company, it makes it even more difficult for the hackers who are trying to access the accounts, and on top of that, it makes it less likely that your MFA will crash or meltdown, meaning the hackers might not even be able to access the accounts through MFA bombing.
The reason behind this is that limiting the number of times someone can attempt to log in puts less pressure and strain on the MFA system itself – meaning there is less chance that it will crash.
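A sketch of the limit described above, written as an added example rather than code from this article or any product it mentions. It applies the cap of 3 prompts per session and goes one step further with a per-account cap across sessions, because a per-session counter resets whenever a new session is started; the class name, the account cap of 6 and the 15-minute window are assumptions.

```python
import time
from collections import defaultdict, deque

class PushPromptLimiter:
    """Caps MFA push prompts per session and per account (limits are assumptions)."""

    def __init__(self, per_session=3, per_account=6, account_window=900,
                 clock=time.monotonic):
        self.per_session = per_session        # the article's suggested 3 per session
        self.per_account = per_account        # hypothetical cap across all sessions
        self.account_window = account_window  # seconds the account cap looks back
        self.clock = clock
        self._session_counts = defaultdict(int)
        self._account_times = defaultdict(deque)

    def allow(self, account, session_id):
        """Return (allowed, reason); a prompt is recorded only when allowed."""
        now = self.clock()
        times = self._account_times[account]
        while times and now - times[0] >= self.account_window:
            times.popleft()                   # forget prompts outside the window
        if self._session_counts[(account, session_id)] >= self.per_session:
            return False, "session_limit"
        if len(times) >= self.per_account:
            return False, "account_limit"
        self._session_counts[(account, session_id)] += 1
        times.append(now)
        return True, "ok"

def simulate():
    """Constructed scenario: prompts for one account requested from several sessions."""
    fake_now = [0.0]
    limiter = PushPromptLimiter(clock=lambda: fake_now[0])
    results = []
    for session in ("s1", "s2", "s3"):
        for _ in range(4):                    # each session asks for 4 prompts
            fake_now[0] += 5
            results.append((session, *limiter.allow("carol", session)))
    fake_now[0] += 900                        # window expires; a later session works again
    results.append(("s4", *limiter.allow("carol", "s4")))
    return results

if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Denied requests are worth logging with their reason, since a run of `account_limit` denials is itself a signal for the monitoring described in the previous section.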
Final Thoughts
MFA bombing is a serious cybersecurity threat which needs to be taken seriously by companies and employees alike.
From the initial onset of a data breach or sold data compromising passwords to hackers gaining access to one or more accounts through MFA bombing, the process is difficult and scary for most people to deal with.
But, by taking a few extra steps as a company and as an individual, you can drastically reduce the risk of an MFA bombing attack on your accounts.
From the company’s perspective – ensure that the right software is in place which can support the above points, as well as invest in some basic cybersecurity training for your employees. This can make a monumental difference, particularly when security-related risks are reduced by 70% when businesses invest in cybersecurity training and awareness programmes.
From the employee’s perspective – taking part in a cybersecurity training programme will not only make you feel much safer and more confident online, but will give you the knowledge and tools which you can take into all walks of life – whether that be a new job, or just understanding how to protect yourself better online in your personal life and on your social media accounts. In addition, being able to take those easy extra steps, such as implementing and following a password policy, as well as keeping on top of changing passwords regularly can make a huge difference when it comes to MFA bombing – and reduce the risks even further, with the end goal of eliminating the possibility wherever possible.
