SMBs Need To Learn To Defend Against MFA Prompt Bombing

Summary: This short blog discusses multi-factor authentication prompt bombs, what they are and how to prevent them. If you have additional questions about MFA bombing attacks, contact DIGIGUARD CYBER SECURITY at 833-33-CYBER (833-332-9237) or visit www.DIGIGUARDsecurity.com for a cyber risk analysis.

Hackers will try every trick they have to steal your login credentials. Stealing your credentials for any of the platforms you use gives cybercriminals a launch pad to breach your private data. Due to the dramatic rise in cyberattacks since the onset of the pandemic, home and business users alike have adopted multi-factor authentications (MFAs) to add an additional layer of cyber security beyond merely entering passwords. MFAs have made stealing credentials much more complicated for cyber thieves. So, what’s a hacker to do? MFA prompt bombing is a tactic they use to get past additional authentication security measures.

What Is An MFA Bombing Attack?

An MFA attack is when a bad actor bombards a user with an onslaught of verification requests. Often, if an SMB is the target, hackers will send a multitude of verification requests to the employees’ personal devices. The barrage of verification requests causes users to suffer from what has become known as MFA fatigue. MFA fatigue attacks literally wear out the patience of users until they succumb to the verification request. Hackers capitalize on users’ impulsivity and lack of patience, as with many cyberattacks.

How Can SMBs Protect Against MFA Prompt Bombing?

Cyber security is a multi-layered process with no single layer providing sufficient protection. MFAs are still important; however, they are not foolproof. Fortunately, there are a few steps small businesses can take to defend against MFA prompt bombings:

• Risk-Based Authentication – Risk-based authentication allows applications to examine the signals contained within login requests to see if there are any unusual or suspicious anomalies. Risk-based authentications can recognize things like the number of authentication requests, location of the senders and other factors that raise the level of suspicion. When abnormalities are identified, some risk-based assessments will send notifications to users, just as anti-virus software sends alerts when malicious files are detected. Unfortunately, businesses must be integrated with a service that provides the option of risk-based authentication.
• Establish Cyber Security Best Practices – Many cyberattacks can be prevented if users are educated in best practices for the safe use of connected devices. Unfortunately, many SMBs do not pay enough attention to cyber security, sometimes because management thinks the company is too small to be of interest to cybercriminals. That assumption could not be further from the truth. Hackers love the vulnerable “low-hanging fruit” presented by the tendency of small businesses to have insufficient anti-virus protection and untrained users. Establishing best practices for all employees provides a crucial layer of cyber security and gets everyone on the same page. Some of these practices include:
• Safer Password Creation and Storage – Passwords should be kept private. Once hackers steal a password, their cybercrime is off and running. Password creation was once about using pet names, anniversary dates, nicknames and other easy-to-remember personal data. Today, the threat of cyberattacks is too significant to use weak, easy-to-guess passwords. Therefore, when creating a password manually, avoid any names or dates that relate to personal elements of private data. For hackers, any personal data in a password makes it easier to guess and might contain details that they can add to the data they have about you.
• Password Managers – Password managers are helpful to password security in two ways:
  • They can generate multi-character, unique, random and hard-to-guess passwords
  • They safely store your passwords in one secure place, available only to you. Hint: Never store the password for the password manager on your devices. It should either be memorized or kept offline, out of the reach of cyber thieves.

There are password control settings built into many business computer systems. However, there are several issues they do not defend against:

• Reused passwords
• Duplicate passwords for different users
• Context-based passwords
• Incremental passwords

Stealing passwords is often the opening play, forging the opportunity for hackers to launch MFA prompt bombing attacks. Once they can MFA bomb someone, that user’s password has already been breached. Part of a cyber security best practices plan should include the instruction that users should reset their passwords as soon as they believe they have been MFA bombed. Resetting passwords from time to time is a good best practice. When a threat occurs, speed is of the essence. Reset before you forget! The quicker passwords are changed, the sooner the MFA bomb attack can be mitigated or neutralized.

The key to robust cyber security combines state-of-the-art anti-virus protection, up-to-date operating systems and software and established best practices. If followed, these practices will increase the overall security of your business’s computer system. Remote work must operate under the same guidelines because any device, anywhere, connected to your network is at the same risk it would be if they were working from your office. For your hard-earned business data to remain secure from a breach, all your employees must work as a team following the protocol required to protect your business’s data.