Multi-factor authentication (MFA) is a well-known and effective measure of protecting access to user accounts. MFA helps to reduce the number of attacks associated with stolen login data. Due to the use of two or more different authentication factors, it’s almost impossible to access the account even if an attacker has the user’s login and password. However, attackers constantly find new ways to bypass two-factor authentication, often exploiting human factors. One of such new growing threats based on human factor is the MFA fatigue attack. Let’s explore what an MFA fatigue attack is and how to counter it. What Is an MFA Fatigue Attack? An MFA fatigue attack is a type of social engineering technique in which an attacker repeatedly triggers authentication requests, typically through push-based MFA, in order to overwhelm the user. MFA fatigue attacks are also called MFA bombing, MFA push bombing, MFA prompt bombing, or MFA push spam. The main goal of this type of attack is not to steal a one-time password, but to make the user approve a login request themselves. In this scenario, the attacker already has valid credentials (a username and password). Instead of attempting to bypass MFA technically, they rely on persistence, timing, and psychological pressure to gain access. This makes MFA fatigue fundamentally different from classic MFA bypass techniques such as phishing, brute force, keyloggers, man-in-the-middle, or SMS interception. How MFA Fatigue Attacks Work? A typical step-by-step breakdown of an MFA fatigue attack looks like this: Credential compromise. The attacker obtains a valid username and password, often through techniques such as phishing, credential leaks, or malware. Repeated login attempts. The attacker initiates multiple login attempts that trigger MFA push notifications. Notification overload. The victim receives dozens of unexpected approval requests within a short period of time. Accidental approval. Due to fatigue, distraction, or confusion, the user taps “Approve” or “Yes” just to stop the notifications. Successful access. The attacker gains legitimate access, with logs showing a valid MFA-approved session. Why Push-Based MFA Is Vulnerable to MFA Fatigue? Push-based MFA is popular because of its convenience. A single tap is often all that’s required to complete authentication. However, this low friction also introduces risk. Push notifications often: Provide little context about the login attempt; Can be triggered repeatedly without meaningful limits; Rely entirely on user judgment at the moment of approval....
The cybersecurity landscape has become increasingly dangerous and challenging to navigate over the last number of years. Cybercrime has become a national and global threat to governments, corporations, as well as private individuals. Attacks are more frequent, and the potential consequences — including the loss of sensitive data, identity theft, business disruption and damage, and erosion of customer trust – are increasing exponentially year after year. With the conversation about cybersecurity becoming a matter of urgency in many boardrooms, IT specialists applying for a career in IT are more in demand than ever. As the need for cybersecurity becomes ever more urgent, it must surely be everyone’s top priority in the next twelve months. With that in mind, we teamed up with experts at Jooble to take a closer look at some of the main cybersecurity threats and trends in 2024. Cyber awareness in 2024 When we think of cyberwarfare, we imagine an ongoing battle between evil hackers, crafty criminal masterminds, and hostile foreign nations on the one side, and cybersecurity specialists fighting on the other side on behalf of the good guys. That’s not far off from reality. Cyber threats frequently originate from adversarial foreign countries and tech-savvy criminal organisations using ransomware and malware, social media attacks, and other means of all-out cyber warfare. However, threats to an organisation’s cybersecurity are just as likely to arise from poorly secured networks that unintentionally expose important data, or from careless employees operating unsecured devices. Consequently, in 2024, the need for strong cybersecurity awareness has never been more important. Cybersecurity risks & threats in 2024 The main objective, whether it is for an individual or an organisation, is to protect their digital data. Any minor weakness in computer software, a network, or a browser could allow hackers access to sensitive data, causing potentially irreparable harm to any business, government organisation, or private individual. Here are some of the potential threats to look out for in 2024: 1. Ransomware & Extortion In 2022, the most intense cyber threat to the UK’s cybersecurity has been ransomware attacks. Cyber attackers employ ransomware to extort money from an organisation or private individual in exchange for the recovery of their ‘stolen’ or corrupted data. This practice is particularly prevalent in industrialised countries where specialised software is frequently used to carry out regular and essential business operations....
The Rothschild brothers, who grew rich making profits on the results of the Battle of Waterloo, used to say: “He who owns information owns the world”. The only thing to specify here is who the information belongs to: yourself or somebody else. All throughout its history, mankind has been involved in authentication technique development, from making call signals imitating birds’ sounds and manual ciphering to logging into a system via...