MFA (Multi-Factor Authentication) Fatigue Attacks – 2024
A Cyberattack to Counter Multi-Factor Authentication
Catalog of Scams – A SCARS Institute Insight
Author:
• SCARS Institute Encyclopedia of Scams Editorial Team – Society of Citizens Against Relationship Scams Inc.
Article Abstract
An MFA fatigue attack is a cyber tactic where attackers bombard a victim’s device or account with repeated multi-factor authentication (MFA) push notifications until the victim becomes overwhelmed or annoyed.
The goal is to exhaust the target, eventually leading them to accidentally approve one of the authentication requests, thereby giving the attacker access to their account.
MFA (Multi-Factor Authentication) Fatigue Attacks are Increasing and People are Becoming Victims
Introduction
Multi-factor authentication (MFA) is a security method that requires users to provide more than one form of verification to access an account or application. MFA is an important way to protect online accounts and the data they contain, and it’s becoming more common as cyber threats increase.
An MFA fatigue attack is a method used by cybercriminals to exploit the human element of multi-factor authentication (MFA) systems. In these attacks, an attacker who has already obtained a user’s login credentials bombards the user’s device with continuous MFA push notifications, attempting to wear them down to the point where the user mistakenly or out of frustration approves the authentication request, thereby granting the attacker access to their account.
These attacks exploit the human element of MFA security. Instead of bypassing MFA through technical means, the attacker uses persistence, hoping the user will inadvertently approve the request, thinking it’s legitimate or simply to stop the flood of notifications. This type of attack often accompanies other social engineering methods, such as impersonating IT support to convince the victim that the notifications are legitimate.
This attack method has been used by groups like Scattered Spider and has proven effective against high-profile targets even when traditional security defenses were in place.
How MFA Fatigue Attacks Work
Here are the MFA Fatigue Attack steps:
- Credential Compromise: The attacker initially gains access to the victim’s username and password, usually through phishing or other social engineering tactics.
- MFA Bombardment: With credentials in hand, the attacker repeatedly attempts to log into the victim’s account. Each attempt triggers the MFA system to send a push notification or prompt to the user’s mobile device or email, so the user receives a stream of them.
- Exhausting the User: The attacker continues to send these authentication requests at frequent intervals. Over time, the victim may become overwhelmed, annoyed, or confused by the barrage of prompts.
- Unintentional Approval: The aim is for the user to accidentally approve one of the prompts, either out of confusion, frustration, or a mistaken belief that it’s legitimate. Once approved, the attacker gains full access to the account.
Examples of MFA Fatigue Attacks
- Uber Hack (2022): A high-profile MFA fatigue attack occurred during the Uber hack in 2022. The attacker obtained an employee’s login credentials and initiated an MFA fatigue attack by repeatedly sending push notifications to the employee’s phone. Eventually, the employee approved one of the authentication requests, allowing the attacker to breach Uber’s internal systems. The hacker then gained access to sensitive company information and openly taunted Uber’s security team.
- Okta Hack (2022): Another example involved Scattered Spider (LUCR-3), which targeted the identity provider Okta. Attackers used MFA fatigue to target an employee of a subcontractor to Okta. After a series of push notifications, the employee inadvertently granted access, allowing attackers to infiltrate Okta’s systems and later other client companies through the breached identity platform.
How to Prevent MFA Fatigue Attacks
- Educating Users: One of the most effective ways to prevent MFA fatigue attacks is through user awareness. Employees and individuals need to be educated about the dangers of approving unexpected MFA requests. If they receive repeated MFA prompts they did not initiate, they should report the incident to their IT or security team immediately.
- Time-based Lockouts: Organizations can configure MFA systems to temporarily lock accounts after a certain number of failed or rejected MFA attempts. This reduces the likelihood of an attacker successfully exploiting MFA fatigue.
- Phishing-resistant MFA: Using stronger forms of authentication, such as hardware-based security keys (like FIDO2 or YubiKey), can make it harder for attackers to bypass MFA by reducing reliance on push notifications or SMS codes.
- Additional Authentication Layers: Adding extra layers of security, such as biometric authentication or requiring contextual information (like location or device) to approve logins, can make it harder for attackers to succeed.
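The attack steps above and the time-based lockout recommendation both come down to the same observable: many push prompts to one user in a short window, possibly followed by an approval. The following Python sketch is an added defender-side example, not code from the SCARS article or from any identity provider; the log format, field names, thresholds and sample events are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumed values, not from the article).
WINDOW = timedelta(minutes=10)   # sliding window for counting prompts
MAX_PUSHES = 5                   # prompts in WINDOW that trigger a lockout
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

# Constructed sample log (hypothetical identity-provider push events, not real
# data): bob is a normal login; alice is bombarded and finally taps "approve".
SAMPLE_LOG = """\
2024-09-12T08:00:00Z user=bob event=push_sent
2024-09-12T08:00:09Z user=bob event=push_approved
2024-09-12T08:01:00Z user=alice event=push_sent
2024-09-12T08:01:50Z user=alice event=push_sent
2024-09-12T08:02:40Z user=alice event=push_sent
2024-09-12T08:03:30Z user=alice event=push_sent
2024-09-12T08:04:20Z user=alice event=push_sent
2024-09-12T08:04:25Z user=alice event=push_approved
"""

def detect_push_fatigue(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return [(user, alert, timestamp)] from a sliding-window scan of push events.
    'lockout' fires once per burst when prompts in the window reach max_pushes;
    'approval_after_burst' fires when the user approves while that burst is still
    hot, the signal that a fatigue attack may have succeeded."""
    recent = defaultdict(deque)   # user -> timestamps of prompts in window
    locked = set()                # users already alerted during this burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                 # skip malformed lines rather than crash
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, event = m["user"], m["event"]
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if not q:
            locked.discard(user)          # burst ended; allow a fresh alert
        if event == "push_sent":
            q.append(ts)
            if len(q) >= max_pushes and user not in locked:
                locked.add(user)
                alerts.append((user, "lockout", ts))
        elif event == "push_approved" and len(q) >= max_pushes:
            alerts.append((user, "approval_after_burst", ts))
    return alerts
```

In production the lockout alert would feed an automatic temporary lock on the account, and the approval-after-burst alert would open an incident, since the approved session is the one the attacker now holds.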
MFA fatigue attacks demonstrate how social engineering can bypass even robust security measures by exploiting human error and frustration. As attackers continue to evolve their techniques, organizations must combine technical controls with user training to mitigate the risks.