Multi-factor authentication (MFA) is a baseline cyber security requirement. Without this protection, hackers can gain access to computer networks with relative ease, which is why it’s now standard practice for insurers to provide cyber security coverage only if MFA is in place.
As with all forms of security, cybercriminals are continually evolving new ways to breach defences, and ‘MFA fatigue’ is a social engineering tactic that’s on the rise. This is where cybercriminals attempt to access networks by repeatedly sending MFA prompts to users until they finally accept one.
Multi-factor authentication is an additional layer of security on top of standard username and password combinations and is one of the key methods of securing users’ access to IT resources. Users are asked to provide two out of three possible security checks, namely ‘something you know’, ‘something you are’ and ‘something you have’.
MFA is generally configured with ‘push notifications’ enabled. These are prompts that appear on your mobile device when you log in with your password. The notification asks you to verify the login attempt and shows the location the request came from.
A push too many
A hacker launches an MFA fatigue attack after trying to log in with stolen credentials. A relentless stream of MFA push notifications is sent to the targeted individual’s device. This continuous bombardment eventually results in fatigue, with the victim approving access just to make the prompts stop.
MFA fatigue attacks are now widespread, and Uber, Microsoft, and Cisco are just some of the companies that have fallen prey. Taking Uber as an example, the attack followed the standard approach: stolen credentials were used to bombard the target with continuous push notifications within an hour. In this instance, the hacker claimed in a WhatsApp message to be from Uber’s IT department and said that the push notifications would continue until approval was granted. The recipient eventually caved in and the attacker managed to access Uber’s intranet.
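The attack pattern described above, a burst of push prompts that are denied or ignored and then finally approved, is visible in an identity provider’s authentication logs. The following Python script is an added example, not code from the original article or from any of the companies named in it: it runs a simple sliding-window detector over a constructed sample of push-prompt events (the log format, user names and timestamps are all invented for illustration) and flags any user who received more prompts than a threshold within a short window, noting how many were rejected and whether an approval followed the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (hypothetical format:
# ISO timestamp, user, prompt result). Not taken from any real system.
SAMPLE_LOG = """\
2024-01-10T09:00:05Z alice push_sent
2024-01-10T09:00:40Z alice push_denied
2024-01-10T09:01:10Z alice push_sent
2024-01-10T09:01:42Z alice push_denied
2024-01-10T09:02:15Z alice push_sent
2024-01-10T09:02:50Z alice push_timeout
2024-01-10T09:03:20Z alice push_sent
2024-01-10T09:03:55Z alice push_denied
2024-01-10T09:04:30Z alice push_sent
2024-01-10T09:05:02Z alice push_approved
2024-01-10T09:30:00Z bob push_sent
2024-01-10T09:30:20Z bob push_approved
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, window_minutes=10, max_prompts=3):
    """Flag users who received more than max_prompts push prompts inside any
    window of window_minutes. For each flagged user report the peak prompt
    count, how many prompts were denied or timed out, and whether an approval
    was recorded after the threshold was crossed (the 'caved in' outcome)."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    window = timedelta(minutes=window_minutes)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        sent = [ts for ts, r in evs if r == "push_sent"]

        # Sliding window over prompt timestamps only.
        start = 0
        peak = 0
        crossed_at = None
        for end, ts in enumerate(sent):
            while ts - sent[start] > window:
                start += 1
            count = end - start + 1
            peak = max(peak, count)
            if count > max_prompts and crossed_at is None:
                crossed_at = ts

        if crossed_at is None:
            continue  # normal prompt volume, nothing to report

        rejected = sum(1 for _, r in evs if r in ("push_denied", "push_timeout"))
        approved_after = any(
            r == "push_approved" and ts >= crossed_at for ts, r in evs
        )
        findings[user] = {
            "peak_prompts": peak,
            "rejected": rejected,
            "approved_after_burst": approved_after,
            "burst_crossed_at": crossed_at.isoformat(),
        }
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info}")
```

The threshold and window are deliberately parameters: a handful of prompts in ten minutes is unusual for a person who typed their own password once, so the defaults are tuned to catch bursts rather than one-off retries, and the `approved_after_burst` flag is what turns a noisy alert into an incident worth a session revocation and a password reset.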
How to reinforce MFA with better education
MFA remains an important line of defence despite the resourcefulness of cybercriminals in finding and exploiting new points of weakness. As a form of social engineering, MFA fatigue underlines how the human factor plays a key role in undermining cyber security. Cyber insurers see a high number of claims resulting from human manipulation and so place strong emphasis on cyber security education, for example simulated phishing attacks and regular training programmes that instil good practice and share knowledge of evolving cyber threats.
Many cyber insurers now provide cyber security training as part of their insurance offering. This encourages better risk management and can mitigate the effectiveness of future cyberattacks because threats such as MFA fatigue will be better understood and people will be on their guard. Cyber resilience depends on continual awareness and learning, backed by the right cyber insurance policy should a breach occur.
Written by Colin Fox – Cyber Risk Insurance and Media Liability Expert.