IT Services – Kansas City

Multi-Factor Authentication Bombing Scams

Multi-factor authentication (MFA), or two-factor authentication (2FA), is an extra step you can put in place to further protect your accounts from criminals and hackers. If you have MFA set up, you will receive a prompt asking you to verify your identity while logging in to your accounts. These programs work to make sure that the user logging into an account is authorized to have access to it before letting them in. It is an efficient and clever way to make sure that the only person with access to your accounts is you or a trusted coworker. But, as technological security measures become more advanced, unfortunately, so do cybercriminals. New MFA scams are beginning to appear which, if successful, give criminals access to sensitive information.

The Most Popular MFA Scam

Though there are other forms of MFA scams, the most recent and popular scam is called MFA prompt “bombing,” where the goal is to gain access to a system that is protected with MFA. The criminals steal login credentials through data breaches or other methods such as phishing, then trigger authentication requests from whichever form of MFA you use. They will call, text, or send push notifications to their victim repeatedly and usually at odd times, often in the middle of the night, to annoy them, irritate them, and/or catch them off guard. They are hoping to frustrate the victim enough to make them accept a prompt so that the notifications will stop. When the victim accepts the MFA request, they unknowingly give the criminal access to their MFA enrollment portal or their MFA-protected accounts and devices, where the criminal can run malicious code or steal their information.

This attack exploits human weakness for the personal gain of the attacker, taking advantage of its victims in times of vulnerability. The most recent successful attacks were carried out by a cybercriminal group called “Lapsus$,” a group that has managed to breach big tech companies including Microsoft and Samsung. A member posted on the group's Telegram chat channel to “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
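The pattern described above, a burst of push prompts at odd hours followed by a single approval, is also what a defender can look for in identity-provider logs. The following is an added example and not code from the original post or from any vendor: it parses a constructed sample log (the line format, the 5-prompt threshold, the 10-minute window and the 00:00-05:00 "off-hours" range are all assumptions) and flags accounts that received a burst of prompts, noting whether an approval landed inside that burst.

```python
# Added example (not from the original post): detect MFA push "bombing" in a
# constructed log. Format and thresholds are assumptions; adapt the parser to
# the export format of your real identity provider.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, result (one event per line).
SAMPLE_LOG = """\
2024-03-01T01:02:11Z alice push_sent pending
2024-03-01T01:02:40Z alice push_sent denied
2024-03-01T01:03:05Z alice push_sent timeout
2024-03-01T01:03:30Z alice push_sent timeout
2024-03-01T01:04:02Z alice push_sent timeout
2024-03-01T01:04:40Z alice push_sent approved
2024-03-01T09:15:00Z bob push_sent approved
2024-03-01T14:20:00Z bob push_sent approved
"""

OFF_HOURS = range(0, 5)  # assumption: 00:00-04:59 UTC counts as "middle of the night"


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def find_push_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: finding} for users with >= threshold push prompts inside `window`.

    The finding records the size of the largest burst, whether any prompt in it
    was approved (the fatigue attack succeeding), and whether it began off-hours.
    """
    per_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "push_sent":
            per_user[user].append((ts, result))

    findings = {}
    for user, pushes in per_user.items():
        pushes.sort()
        start = 0
        for end in range(len(pushes)):
            # Slide the window start forward until the burst fits inside `window`.
            while pushes[end][0] - pushes[start][0] > window:
                start += 1
            burst = pushes[start:end + 1]
            if len(burst) < threshold:
                continue
            finding = {
                "start": burst[0][0],
                "count": len(burst),
                "approved_during_burst": any(r == "approved" for _, r in burst),
                "off_hours": burst[0][0].hour in OFF_HOURS,
            }
            # Keep the widest burst seen for this user.
            if user not in findings or finding["count"] > findings[user]["count"]:
                findings[user] = finding
    return findings


if __name__ == "__main__":
    for user, f in find_push_bursts(parse_log(SAMPLE_LOG)).items():
        flag = "APPROVED AFTER BURST" if f["approved_during_burst"] else "no approval"
        print(f"{user}: {f['count']} prompts from {f['start']:%H:%M} "
              f"(off-hours={f['off_hours']}) -> {flag}")
```

In the sample data only "alice" is flagged: six prompts within three minutes at 01:00, ending in an approval. An alert on "approved_during_burst" is the one worth paging on, since it means the attacker already holds the session; a burst without an approval is still a signal that the password is compromised and should be reset.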

Battling MFA Attacks

Some companies have opted to stop using MFA because of these scams and switch to enforced one-time passwords (OTPs), particularly dynamic OTPs. These passwords are generated for you to use once, after which they expire. It typically works like this: you enter your normal login credentials, then a random OTP is generated, which you then enter to verify your identity. And though OTPs are very secure and are specifically designed to make attacks much less effective, they can be very inconvenient to the user. With this authentication method, it becomes easy for users to experience fatigue from constantly entering new passwords.

The best way to avoid falling victim to an MFA scam or bombing attack is to be aware and educated. It is important to remember that no matter how annoying the attacks may be, having your credentials stolen or your organization hacked will always be a much bigger headache. With access to your accounts, criminals can do all sorts of things to wreak havoc on your online presence, like send scam emails or text messages that appear to be from you, gain control of your bank account, install malware on your devices, send and receive emails from your account to intercept payments on legitimate invoices, and much more.


Stay Safe From MFA Scams

Some MFA tools are also stronger than others. It is best to look for MFA tools with features that offer extra security measures. Some store identity verification only on one device, which prevents criminals from logging in from other devices. Some also allow you to enable number matching, where the authenticator requires you to enter the number shown on the login screen before the prompt is approved, which reduces the probability of accidental MFA approvals. Never approve requests that you don't recognize.

Having a trustworthy IT partner will always help you with extra security and safety measures, as well. IT technicians are experts and should know how to help you when it comes to protecting your devices, accounts, and information. In the Kansas City metro area, companies turn to Blue Oak Technology Solutions to help them stay one step ahead of any cybercriminal who may be trying to attack. You can too — click here to learn more about our solutions and managed services.

