MFA Spamming – Push Notification Fatigue
MFA is one of the best ways to protect your online accounts, as it adds a second layer of protection alongside your password.
However, there is a method attackers use to try to sign into your account even with MFA in place.
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is an important protection for any online account you have, including Office 365. It acts as a second layer of security, making it more difficult for cyber criminals to break in.
If you’re not clued up about MFA or why you should have it enabled, we strongly advise that you read this article about the importance of 2FA.
What are MFA Fatigue Attacks?
Attackers have begun to look for ways to compromise accounts even when they have additional layers of security. One of these methods is known as MFA fatigue or push notification spamming.
MFA fatigue refers to the overload of prompts or notifications the victim receives from their MFA application. Push notification spamming is the technique attackers use to cause it and log into victims' accounts. This method can be effective not because of a weakness in the technology, but because it targets the person behind the phone: someone who is less familiar with how MFA works is more likely to approve a prompt they did not request. It is therefore important that you are aware of and familiar with this method, so that you do not fall for it.
How does Push Notification Spamming work?
Once an attacker has entered the victim's username/email and password at the sign-in page, they start requesting approval for the sign-in from the victim's MFA app.
Most victims will not be attempting a sign-in themselves, so they will decline the request. At this point they might assume there is an error with the MFA application.
However, after the first decline the attacker does not stop trying, repeatedly spamming push notifications to the victim's phone requesting sign-in approval.
After an overwhelming number of notifications, the victim might eventually approve, allowing the attacker to sign in successfully and gain access to personal information and data.
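The pattern described above (a burst of declined or ignored pushes, then an approval) is visible in sign-in logs. Here is an added example, not from the original article, that flags it; the simplified event format and result names are constructed assumptions, not the real Azure AD log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, user, MFA push result).
# "denied"/"timeout" are prompts the user rejected or ignored; "approved" granted access.
# A burst of rejected prompts against alice ends with an approval; bob is normal use.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:05", "alice", "denied"),
    ("2024-01-10T08:00:40", "alice", "denied"),
    ("2024-01-10T08:01:10", "alice", "timeout"),
    ("2024-01-10T08:01:55", "alice", "denied"),
    ("2024-01-10T08:02:30", "alice", "denied"),
    ("2024-01-10T08:03:05", "alice", "approved"),
    ("2024-01-10T08:05:00", "bob", "approved"),
    ("2024-01-10T12:30:00", "bob", "denied"),
    ("2024-01-10T17:45:00", "bob", "approved"),
]


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who rejected/ignored at least `threshold` push prompts within
    `window`. Returns {user: {"prompts": n, "approved_after_burst": bool}}, where
    approved_after_burst means an approval followed the burst within `window`
    (the pattern of a victim who has given in and should be treated as compromised)."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        rejected = [t for t, r in rows if r in ("denied", "timeout")]
        start = 0
        for end in range(len(rejected)):           # sliding window over rejected prompts
            while rejected[end] - rejected[start] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            burst_end = rejected[end]
            approved_after = any(r == "approved" and burst_end <= t <= burst_end + window
                                 for t, r in rows)
            prev = findings.get(user, {"prompts": 0, "approved_after_burst": False})
            findings[user] = {
                "prompts": max(prev["prompts"], count),
                "approved_after_burst": prev["approved_after_burst"] or approved_after,
            }
    return findings
```

A user flagged with approved_after_burst set is the case to act on first: reset the password and revoke sessions, then confirm whether the approval was theirs.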
Push Notification Spamming Demonstration
Here's a quick video showing how push notification spamming and MFA fatigue attacks work.
How to Avoid and Prevent MFA Spam Attacks
The most important thing when it comes to avoiding these MFA attacks is awareness and knowledge of cyber security. If you know that these types of attacks exist, you are less likely to get caught out and become a victim.
Enable Passwordless Login
In Azure AD, you are able to set up passwordless login. This is another type of sign-in verification; however, instead of approving the sign-in with a single button, you must match the number shown on the device you are signing in on by entering it on your other device. This means it is very unlikely you will be able to verify the sign-in unless you are actually signing in yourself on the other device.
With this method, as soon as one prompt has been sent, the attacker will no longer be able to send further prompts to the victim's device until it has been dealt with.
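To make the difference concrete, here is an added simulation (not the article's or Microsoft's code) of plain push approval beside number matching. The class names and flows are simplified assumptions that model the two behaviours described above, not the real Azure AD protocol.

```python
import secrets


class PushMfa:
    """Plain push approval: the phone shows only Approve / Deny."""
    def __init__(self):
        self.pending = {}          # user -> number of prompts waiting on the phone

    def request(self, user):
        """Every sign-in attempt sends another push; nothing stops a flood."""
        self.pending[user] = self.pending.get(user, 0) + 1
        return self.pending[user]

    def approve(self, user):
        """A tap on Approve grants access, whoever started the sign-in."""
        if self.pending.get(user):
            self.pending[user] = 0
            return True
        return False


class NumberMatchMfa:
    """Number matching: the sign-in screen shows a two-digit number that must be
    typed into the app, and only one challenge per user can be outstanding."""
    def __init__(self):
        self.pending = {}          # user -> number displayed on the sign-in screen

    def request(self, user):
        """Return the number shown on the sign-in screen, or None if a challenge is
        already pending (a spammer cannot keep pushing prompts to the phone)."""
        if user in self.pending:
            return None
        self.pending[user] = secrets.randbelow(100)
        return self.pending[user]

    def approve(self, user, typed):
        """Succeeds only when the typed number matches; the challenge is consumed."""
        expected = self.pending.pop(user, None)
        return expected is not None and typed == expected


def simulate_spam(mfa, user, attempts=20):
    """An attacker holding the password fires `attempts` sign-ins; the worn-down
    victim then taps Approve without having started a sign-in themselves.
    Returns (prompts_delivered_to_phone, attacker_signed_in)."""
    delivered = sum(1 for _ in range(attempts) if mfa.request(user) is not None)
    if isinstance(mfa, NumberMatchMfa):
        # The number is on the attacker's screen, so the victim has nothing to type.
        return delivered, mfa.approve(user, typed=None)
    return delivered, mfa.approve(user)
```

Under plain push all twenty prompts reach the phone and the blind approval succeeds; under number matching only one prompt is delivered and the approval fails because the victim never sees the number.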
Get in touch
If you have any questions about 2FA or your business’ cyber security, get in touch with our team on 01158 244 824 or email using the button below.
Interested in what else our IT Support package includes?
There are many reasons that IT support with Reformed IT is a great choice for your business or organisation. If you choose Reformed IT for your IT support, you'll receive all these benefits including help from members of our experienced team when needed.
Unlimited IT Support
We provide fully inclusive, onsite and remote IT support. In addition to that, it won't cost you extra for an engineer to attend your site to resolve a technical issue.
Device Status Monitoring
When we take on your IT support, we deploy our monitoring agent onto all devices and servers. This alerts us to any issues which you may be unaware of.
Data Breach Monitoring
There are over 8 billion breached passwords and personal information available on the dark web. There's a possibility that some of this data relates to your employees. We'll monitor dark web activity and provide reports of breached passwords.
Cyber Essentials Certification
We ensure every one of our clients achieves their Cyber Essentials certification at no additional cost. We also help them towards Cyber Essentials Plus, ensuring that everything is ready for assessment.
Office 365 Monitoring
We monitor your Microsoft 365 tenancy with our 24/7 security operations centre. If there is strange activity we'll find it immediately and alert you or resolve the issue straight away, keeping your business secure.
Everyone wants to avoid computer viruses. We include anti-virus software as part of our IT support package to keep your devices safe and to save time when it comes to viruses.
Over 90% of cyber attacks start with a phishing email. It's crucial that your business has the best defence against cyber criminals and scams when regarding your mailbox.
Backups for Office 365
We will ensure that all of your emails and files are backed up, at no extra cost. We recognise the importance of backups and disaster recovery so we feel it shouldn't be an added extra.
Managed Email Signatures
With our included Exclaimer signatures for Office 365 service, you can get more out of your email signatures instead of a simple message with no images.
Cyber Security Training
To keep you even safer from hackers, we provide globally recognised and market leading Cyber security training by KnowBe4. This online training portal will provide your teams with guidance and information to reduce the risk of hackers and scams.
Asset and Warranty Tracking & Reporting
We provide you with a list of your current assets in the business by using our powerful remote management tools. This creates a monthly asset report so you can keep track of your hardware life cycles.
Reformed IT Academy
We'll provide your business with the best IT training and learning sources. With the Reformed IT Academy, you’ll be able to watch and complete over 700 courses to help grow your knowledge and skills.
Password managers make storing and creating passwords much easier and safer. Keeper password manager also auto-fills passwords, making the sign-in process much quicker.
We have over 30 years of combined IT support experience. We like to use analogies and stories to explain technical terms instead of baffling you with science.