What are MFA fatigue attacks, and how can they be prevented?

April 2024 Information Security

During an attack on Uber’s IT systems in 2022, the hackers did not use any sophisticated tactics to gain access. Instead, they bombarded an employee with repeated login requests until, out of sheer frustration, the employee approved one. “This type of cyberattack is known as an ‘MFA fatigue attack’ and poses a real risk to organisations,” says Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa.

“MFA fatigue attacks, also known as prompt spamming or authentication bombing, exploit human vulnerability, rather than relying on high-tech hacking methods,” she explains. “These attacks involve sending continuous push notifications to a target who has already provided their username and password, aiming to irritate or confuse them into unwittingly granting the attacker access to their account or system.”

With Uber, the attacker likely bought the contractor's Uber corporate username and password on the dark web. The attacker then made repeated attempts to log into the victim's Uber account. Each time, the victim received a request to approve a two-factor login, which blocked access at first. However, eventually, and after the attacker contacted the contractor on WhatsApp claiming they were from Uber IT and that the only way to get rid of the never-ending notifications was to accept one, the contractor accepted one request, allowing the attacker to successfully log in.

Previously, cybersecurity experts believed that multifactor authentication (MFA) was a foolproof method to protect corporate IT systems from hackers. “Now we are seeing attackers finding ways around it by bombarding the victim with scores of MFA requests, or by tricking them over the phone,” says Collard. “This tactic, similar to a swarm of bees overwhelming someone, is a simple yet effective social engineering technique used by hackers. By bugging you repeatedly until you give in, malicious actors can manipulate users into approving fraudulent access attempts.”

How can you prevent it?

The best way to prevent MFA fatigue attacks in organisations is not to use push notifications. “While MFA provides an extra layer of security, it is not fool proof,” she asserts. “From a cybersecurity perspective, I would recommend that organisations disable push notifications altogether and rather use alternative verification methods.”

An example of a better verification method is number matching. This involves matching a unique code provided by the authentication app with the code displayed on the screen during the login process.

A challenge-response method is another effective way of providing additional security. This method asks a user a specific question to verify their identity or to perform a task in response to a challenge. A challenge-response method is more difficult for hackers to bypass. It can involve mechanisms like biometric authentication, in which users must scan their fingerprints or irises or use facial recognition to gain access to a network. However, both of the above are not immune against so-called ‘man-in-the-middle’ or social engineering attacks, tricking the users to hand over their OTP or response to the fraudster.

Another effective verification method is FIDO2, an open authentication standard that allows users to log in without using passwords. “You can implement FIDO2 using hardware security keys,” she explains. Typically, USB sticks store the user’s private key, while the public key is stored on the authentication server. As soon as the user enters their username and password, the system requests them to use the hardware key. “It is more resistant to phishing as it works on a challenge-response protocol and does not rely on a one-time PIN that can be intercepted.”

Mindfulness is key

As with all hacking attempts, it is crucial that users remain calm and mindful, rather than reacting emotionally. “Stay tuned into your body’s responses when dealing with potential cybersecurity threats, whether they are phishing emails or MFA fatigue attacks,” says Collard. “If something feels strange, like if the situation is putting you under undue pressure, listen to that cue and do not respond in a knee-jerk fashion. In this way, you will keep a straight head and thwart potential data breaches.”

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

A strong cybersecurity foundation
Milestone Systems Information Security
The data collected by cameras, connected sensors, and video management software can make a VMS an attractive target for malicious actors; therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills.

Surveillance and cybersecurity
Cathexis Technologies Information Security
Whether your business runs a security system with a handful of cameras or it is an enterprise company with thousands of cameras monitoring sites across a multinational organisation, you must pay attention to cybersecurity.

Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.

SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.