Spotting false MFA requests
Multi-factor Authentication (MFA) is a security control that requires the user to provide two or more verification factors to gain access to a service or system.
When MFA is added to your account, you are required to provide not only your username and password but also an additional form of identification, such as a code sent by text message to your mobile device. This additional requirement reduces the risk of a cyber-attack; however, cyber criminals can still attempt to gain access to your information through MFA prompt bombing.
Below is information on how this can occur and steps you can take to prevent it from happening to you.
What is MFA prompt bombing?
MFA prompt bombing is a cyber-attack that abuses multi-factor authentication prompts (SMS, email or MFA app notifications) to trick you into giving a hacker access to your account. The hacker repeatedly triggers MFA requests to your device in the hope that you will be caught off guard or irritated by the stream of notifications and approve a request without checking whether it came from a login you started.
How does MFA prompt bombing work?
To perform MFA prompt bombing against your account, the hacker must already have your username and password from a separate incident, but cannot get into your account without your MFA login approval.
Once you approve a prompt, the hacker may be able to change the registered MFA device to their own and thereby approve future logins and account changes without your knowledge.
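The burst of unapproved prompts described above is also visible to IT teams in identity-provider logs. As an added example that is not part of the original article, here is a small Python detector that flags users who receive several unapproved MFA prompts in a short window, and notes when an approval follows the burst; the log format, the 10-minute window and the threshold of three are assumptions.

```python
# Added example: detect MFA prompt-bombing patterns in authentication logs.
# The log format is constructed for this example; adapt parse_log() to your
# identity provider's export.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, username, MFA push result
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice push_denied
2024-05-01T08:00:40Z alice push_timeout
2024-05-01T08:01:10Z alice push_denied
2024-05-01T08:01:45Z alice push_timeout
2024-05-01T08:02:20Z alice push_approved
2024-05-01T09:15:00Z bob push_approved
2024-05-01T11:30:00Z carol push_denied
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # assumed number of unapproved prompts before alerting


def parse_log(text):
    """Parse 'timestamp user result' lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_prompt_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (unapproved_prompts_in_window, approved_after_burst)} for
    every user who received at least `threshold` unapproved prompts in `window`."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, rows in by_user.items():
        recent = []  # timestamps of unapproved prompts inside the sliding window
        for ts, result in rows:
            if result != "push_approved":
                recent.append(ts)
                recent = [t for t in recent if ts - t <= window]
                if len(recent) >= threshold:
                    alerts[user] = (len(recent), False)
            elif user in alerts and ts - recent[-1] <= window:
                # An approval shortly after a burst suggests the user gave in:
                # treat this as the highest-priority case for the IT team.
                alerts[user] = (alerts[user][0], True)
    return alerts
```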
How to protect against MFA prompt bombing?
- Never approve a login attempt that you did not initiate yourself
- Use an MFA method that requires you to enter a code rather than one that only asks you to approve a prompt. Security keys and tokens are considered more phishing-resistant than device-based authentication
- Change your password: if you are receiving MFA notifications from an unknown source, it is most likely that your password(s) have been stolen
- If the authentication request relates to a UQ device notify your IT team immediately
For more information on setting up MFA on your social media accounts follow this link