As multi-factor authentication continues to be prioritized for security, evolving ways of bypassing MFA are born. Social engineering techniques are far from new, in fact, social engineering dates back to 1894 when Dutch industrialist J.C. Van Marken coined the term.
Social Engineering relies on confusing victims in order to gain entry to their accounts and comes in a variety of flavors from baiting, catfishing, and spear phishing.
Human Error has long been one of the most significant hurdles to overcome for security. In 2020 Gartner found that ¼ of all breaches occur due to human error. This is something that we saw in the Solarwinds attack, and have seen again as recently as the Microsoft and Okta breaches. How exactly are attackers doing this? The answer is by annoying you in the middle of the night with a frenzy of push notifications.
Prompt Bombing is a form of social engineering that leverages annoyance, fear, and trickery to gain access to target accounts. These tactics were used in the infamous Solarwinds hack, and most recently were used to bypass Microsoft and Okta’s MFA last month.
The most common way prompt bombing has been used is to bombard targeted accounts with a ton of MFA push notifications, usually at a strategic time like the middle of the night. This strategy is designed to frustrate users who are already caught off guard in the hopes that they will approve an MFA challenge-response. Ultimately, this opens the door for hackers to register their own devices as the MFA of choice for future logins, which means unlimited access for the months it takes to plan a sophisticated attack. Lapsus$ and Russian-state threat actors such as Cozy Bear (the group behind the SolarWinds hack) have both successfully executed prompt bombing campaigns in the past several months.
While hackers have found ways to leverage social engineering to bypass traditional MFA with prompt bombing, the good news is there are multi-factor authenticators out there that are resistant to these types of attacks!
Password-based MFA cannot and will not stop phishing attacks. As social engineering becomes more advanced and more prevalent, it is imperative that we look at the technology and solutions being used to counter these attacks and act accordingly. As threats evolve, so must organizations' security posture. While traditional MFA does have its benefits, one-time passwords and push notifications are not going to suffice should a user be tricked into entering a website or approving a one-off MFA challenge.
Phishing-resistant MFA is one of the most integral components of cultivating a zero-trust architecture and was a featured topic in the OMB “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles” initiative that was introduced by the White House in January.
“Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks.”
Integrating a phishing-proof MFA such as Twosense into an organization's security posture is one proactive way companies can protect themselves from potential attacks. Developed in partnership with the United States Department of Defense, Twosense uses machine learning to drive passive biometrics that can guarantee a user's identity continuously throughout the day. This approach is completely unphishable, as there are no keys or codes that can be handed to an attacker in the event of a phishing attempt. With 3 simple steps, admins can deploy MFA everywhere, on every app, all the time, while simultaneously reducing user friction and transitioning to phishing-resistant MFA.