Commentary – MFA Fatigue: Hacker’s new favorite tactic in high-profile breaches
The recent breach at Uber has garnered a lot of opinions from individuals within the cyber and information security profession. In the days since the breach was made public, comments have been made about the security solutions Uber may or may not already have in place, with some even stating that if Uber had used “xyz” product, they wouldn’t be in this situation.
Some of the solutions being suggested do not account for the human element in the equation of cyber and information security. It only takes a single individual to ultimately circumvent all the security controls that are in place. Monday, Uber revealed that the breach was made possible by MFA Fatigue, also known as MFA bombing and/or MFA push spam.
MFA Fatigue attacks occur when a threat actor runs a script that repeatedly sends push notifications to the victim’s phone for approval. The victim keeps denying the requests until the threat actor poses as someone within the organization’s IT department and convinces the victim to accept the next push notification.
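As an added detection example (not from the original commentary or the BleepingComputer article), the following Python scans constructed MFA push-log lines for the pattern described above: a burst of denied pushes for one user followed by an approval shortly after. The log format, user names, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real system), one event per line:
# ISO timestamp | user | result  (result is "denied" or "approved")
SAMPLE_LOG = """\
2022-09-15T22:01:05 alice denied
2022-09-15T22:01:41 alice denied
2022-09-15T22:02:10 alice denied
2022-09-15T22:02:55 alice denied
2022-09-15T22:03:30 alice denied
2022-09-15T22:04:12 alice approved
2022-09-15T22:05:00 bob approved
2022-09-15T23:10:00 carol denied
2022-09-15T23:40:00 carol approved
"""

def parse_log(text):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Return users whose push history matches the fatigue pattern: at least
    `min_denials` denied pushes inside `window`, then an approval within that
    same window. That approval is the session to investigate, since it is the
    moment the victim gave in to the push spam (thresholds are assumptions)."""
    recent_denials = defaultdict(list)   # user -> timestamps of recent denials
    suspicious = {}
    for ts, user, result in sorted(events):
        # Slide the window: forget denials older than `window` for this user
        recent_denials[user] = [t for t in recent_denials[user] if ts - t <= window]
        if result == "denied":
            recent_denials[user].append(ts)
        elif result == "approved" and len(recent_denials[user]) >= min_denials:
            suspicious[user] = {"denials": len(recent_denials[user]), "approved_at": ts}
            recent_denials[user].clear()
    return suspicious

if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['denials']} denied pushes, then approval at {info['approved_at']}")
```

Carol’s single denial half an hour before her approval falls outside the window and is not flagged, which is the kind of normal user behaviour the threshold is meant to ignore.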
If you feel that you may be the victim of an MFA Fatigue attack, instead of approving the request right away, change your password so that the threat actor can no longer use your existing credentials to carry out the attack. Also, be sure to report it to your organization’s IT department for further investigation.
Commentary by Frances Stover
Based on an article from BleepingComputer.com