Multi-Factor Authentication Fatigue Attacks Are On The Rise: How To Defend Against Them

Credential compromise has been a leading cause of network security breaches for a long time, which has pushed more organizations to adopt multi-factor authentication (MFA) as a defense. While enabling MFA for all accounts is highly recommended and good practice, the implementation details matter, because attackers are finding ways around it.

One of the most popular ways is to spam an employee whose credentials have already been compromised with MFA authorization requests until they get annoyed enough to approve one through their authenticator app. It’s a simple but effective technique known as MFA fatigue, and it was also used in the recent Uber breach.

Uber, LAPSUS$ and past violations

Uber suffered a security breach last week when a hacker managed to gain access to some of its internal systems, including G-Suite, Slack, OpenDNS and the HackerOne bug bounty platform. As details about the attack emerged, some security researchers managed to speak with the hacker, who seemed eager to take responsibility and share some of the details about how the attack was carried out.

In a conversation shared on Twitter by security researcher Kevin Beaumont, the hacker said, “I was spamming [an] employee with push authentication for more than an hour. I then contacted him on WhatsApp and claimed to be from Uber IT. I told him that if he wants it to stop, he must accept it. And well, he accepted and I added my device.”

Uber has since partially confirmed this account, saying in a security incident update that the victim was a third-party Uber contractor whose Uber credentials were stolen after his device was infected with malware. The company believes the hacker likely purchased the credentials on the dark web and then launched the MFA fatigue attack.

“The attacker repeatedly tried to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. However, eventually the contractor accepted one, and the attacker successfully logged in.”

Copyright © 2022 IDG Communications, Inc.
