Multi-factor authentication fatigue attacks are on the rise: How to defend against them

Credential compromise has long been one of the top causes of network security breaches, which has prompted more organizations to adopt multi-factor authentication (MFA) as a defense. While enabling MFA for all accounts is highly encouraged and a best practice, the implementation details matter, because attackers are finding ways around it.

One of the most popular ways is to spam an employee whose password has already been compromised with MFA authorization requests until they become annoyed and approve one of them in their authenticator app. It’s a simple yet effective technique that has become known as MFA fatigue (also called push bombing or MFA bombing), and it was also used in the recent Uber breach.
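Because the attacker can only generate push prompts, not approve them, the attack leaves a very recognisable trail in the identity provider's logs: a burst of prompts for one account, most of them denied or timed out, followed by a single approval. The following is an added example (not code from the article, from Uber, or from any MFA vendor) showing detection logic for that pattern run over a few constructed log lines. The JSON-lines event schema, the event names `mfa.push.sent`/`mfa.push.denied`/`mfa.push.timeout`/`mfa.push.approved`, and the threshold values are assumptions for illustration; map them onto your own IdP's event format before use.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example, not from the article or any vendor. The log format below is a
constructed, simplified JSON-lines schema, not Okta/Duo/Azure AD's real event
format; map the field names and event names to your IdP's schema before use.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (assumed values; adjust to your own baseline of legitimate pushes)
PUSH_THRESHOLD = 5               # push prompts to one user inside WINDOW
WINDOW = timedelta(minutes=10)   # sliding window for counting prompts

# Constructed sample log: one user is bombed with six prompts in about seven
# minutes and finally approves; another user gets one prompt and approves at once.
SAMPLE_LOG = """
{"ts": "2022-09-15T21:00:05Z", "user": "contractor@example.com", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:00:45Z", "user": "contractor@example.com", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:01:10Z", "user": "contractor@example.com", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:02:20Z", "user": "contractor@example.com", "event": "mfa.push.timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:02:30Z", "user": "alice@example.com", "event": "mfa.push.sent", "src_ip": "198.51.100.20"}
{"ts": "2022-09-15T21:02:41Z", "user": "alice@example.com", "event": "mfa.push.approved", "src_ip": "198.51.100.20"}
{"ts": "2022-09-15T21:03:00Z", "user": "contractor@example.com", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:04:30Z", "user": "contractor@example.com", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:06:00Z", "user": "contractor@example.com", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:07:15Z", "user": "contractor@example.com", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T21:07:30Z", "user": "contractor@example.com", "event": "mfa.push.approved", "src_ip": "203.0.113.7"}
"""


def parse_events(text):
    """Parse JSON-lines log text into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat() accepts a trailing 'Z' only on Python 3.11+, so normalise it
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def _trim(q, now, window):
    """Drop timestamps older than the window from the left of deque q."""
    while q and now - q[0] > window:
        q.popleft()


def detect_push_fatigue(text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return alerts for push-bombing bursts and for approvals that follow them.

    medium: a user received >= threshold push prompts within the window
    high:   a prompt was approved while such a burst was in progress, i.e. the
            user most likely accepted a push they did not initiate.
    """
    prompts = defaultdict(deque)   # user -> timestamps of recent push prompts
    in_burst = set()               # users with an open burst alert
    alerts = []
    for ev in parse_events(text):
        user, kind, now = ev["user"], ev["event"], ev["ts"]
        q = prompts[user]
        _trim(q, now, window)
        if kind == "mfa.push.sent":
            q.append(now)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"severity": "medium", "user": user, "ts": now,
                               "src_ip": ev.get("src_ip"), "prompts": len(q),
                               "reason": "push prompt burst"})
        elif kind == "mfa.push.approved":
            if len(q) >= threshold:
                alerts.append({"severity": "high", "user": user, "ts": now,
                               "src_ip": ev.get("src_ip"), "prompts": len(q),
                               "reason": "approval after push prompt burst"})
            # The session is decided either way; start counting afresh.
            q.clear()
            in_burst.discard(user)
        # denied/timeout events need no handling: they are what a burst looks
        # like from the user's side, and the sent count already captures it.
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f'{a["severity"].upper():6} {a["ts"].isoformat()} {a["user"]} '
              f'{a["prompts"]} prompts from {a["src_ip"]}: {a["reason"]}')
```

The medium alert is the moment to intervene (lock the account or force a re-enrolment) before the user gives in; the high alert is the Uber case, where the approval has already happened and the source IP of that session should be treated as attacker-controlled. Counting only `mfa.push.sent` keeps the rule independent of how a given vendor labels denials and timeouts.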

Uber, LAPSUS$ and past breaches

Uber suffered a security breach last week in which a hacker managed to access some of its internal systems, including G-Suite, Slack, OpenDNS and its HackerOne bug bounty platform. As details of the hack came to light, some security researchers managed to speak to the hacker, who seemed eager to take responsibility and to share some details about how the attack was performed.

In one conversation shared on Twitter by security researcher Kevin Beaumont, the hacker said: “I was spamming [an] employee with push auth for over an hour. I then contacted him on WhatsApp and claimed to be from Uber IT. Told him if he wants it to stop he must accept it. And well, I accepted and I added my device.”

Uber has since partially confirmed this account, saying in a security incident update that the victim was an external Uber contractor whose Uber credentials were stolen after their device was infected with malware. The company believes the hacker likely bought the credentials on the dark web and then initiated the MFA fatigue attack.

“The attacker then repeatedly tried to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

Copyright © 2022 IDG Communications, Inc.
