What Is A Multi-Factor Authentication (MFA) Fatigue Attack?

Topics: Small Business

Summary: Cybercriminals are getting more creative in accessing a business’s information and customer data. Businesses are protecting their data by using multi-factor authentication (MFA) tools. However, criminals have found a way to trick their targets into sharing passwords by deluging their victims with MFA notifications.

What is a Multi-Factor Authorization Fatigue Attack?

A multi-factor authentication (MFA) is a cybersecurity tool that requires multiple authentication methods to verify a user’s identity. The purpose of an MFA is to create a defense system to make it more difficult for an unauthorized person to access a website, network, database, or even a physical location. The three most common authentication factors are:
  • Knowledge factor: Users are asked to verify something they know, such as passwords and personal identification numbers (PINs), or provide information such as a mother’s maiden name or first car.
  • Possession factor: Users must have something in their possession to log in, such as a badge or security token.
  • Inherence factor: Biological traits, such as a fingerprint scan, voice authentication, or facial recognition, are used for verification.

Most users are sent a push notification to their authorization device or application, such as a text, call, or email. But, if you are receiving too many notifications, you might be getting targeted by hackers using what are known as MFA fatigue attacks.

Increasing credential-theft incidents have compelled companies to implement multi-factor authentication (MFA) to protect their employees from the severe implications of password theft. But hackers are now carrying out MFA fatigue attacks to get around this added layer of protection.

What Is An MFA Fatigue Attack?

An MFA fatigue attack involves bombarding an account owner incessantly with MFA push notifications until they slip up or are worn down psychologically and approve the login request. As account holders often use smartphone authenticator apps, hackers can target them 24/7 to wear them down. Once an MFA request is approved, hackers can access the user’s email and misuse it however they want.

The main goal of an MFA attack is to send an endless barrage of push notifications to inflict a sense of fatigue on the account owner. After continual harassment, the MFA fatigue can make the user approve the sign-in accidentally or knowingly to stop MFA push notifications, giving access to the hacker.

What Happens In An MFA Fatigue Attack?

The first step of an MFA fatigue attack is getting an account user’s login credentials. Cybercriminals use many common tricks to hack passwords, including phishing, spidering and brute force attacks. Once an attacker has a user’s login credentials, they bombard them with multi-factor authentication prompts.

With repeated messages, the attackers hope for two outcomes:
  • The user will approve the login attempt by mistake
  • The user will give in due to psychological pressure exerted by an endless stream of MFA requests

The MFA fatigue attacks can easily be automated, and often, social engineering is combined with these disruptions to make them even more successful for hackers. For example, the target user receives a phishing email requesting the user to approve the MFA request. The harmful email can also inform the target that they may get a barrage of multiple MFA requests in the coming days as a new security system is being implemented. The email can further state that MFA requests will stop once the account owner approves the login attempt.

How To Know You May Be Receiving MFA Fatigue Notifications

There are ways to know that you could be a target of an MFA attack:
  • Receiving unexpected MFA request push notifications
  • The notifications originate from an unfamiliar location (i.e., the request comes from a country or city different from the one you are currently in)
  • Getting a call, email, or message from someone claiming to be from your IT team performing an MFA test and asking you to accept the MFA request notifications that you’re receiving
  • A rapid-fire sequence of MFA request notifications

Look For The Warning Signs Of An MFA Fatigue Attack

Understanding the signs of an MFA fatigue attack is crucial for preventing cybercriminals from getting access to your accounts. The following warning signs will also help prevent you and your business from being victims of these attacks:
  • If you do not know why you are receiving an MFA prompt, DO NOT APPROVE IT and contact your company’s IT security team right away
  • The fact that the attacker can trigger MFA push notifications means that they have obtained your password, so it is essential to reset your password as soon as possible
  • If you notice random, infrequent push notifications, err on the side of caution and change your password for the relevant application

AmTrustCyber Protects Businesses From Cyber Risks

As personal, consumer, and company data security risks continue to increase and cybercriminals become savvier by using methods such as MFA fatigue attacks to access data, small business owners must find additional ways to protect their businesses from data breaches. Every organization should offer data security training and create a company-wide data breach policy with a response plan ready to implement when/if it is needed.

Please contact us today to learn how you can benefit from an AmTrustCyber policy. We can help you understand how to protect your organization from cybersecurity attacks and other data breach threats.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.

Time Zones