The ultimate objective of multi-factor authentication (MFA) is to identify users and protect data from unauthorized users. MFA verifies a user's identity in multiple phases using several modes, adding a layer of security beyond the login credentials alone. This layered approach makes it tougher for an unauthorized person to reach a target: if one factor is broken, the attacker still has more obstacles to overcome before successfully breaking in.
Requiring multiple factors of authentication makes an attacker's job more difficult. With MFA, a user's identity is verified every time they log in from a different device. This includes authorization checks such as a passcode sent to an email account or a smartphone associated with the user; the passcode must be entered before access is approved. MFA helps ensure that the wrong person does not gain access.
Methods of MFA
Mainly, there are three types of MFA:
- What the user knows: This requires the user to provide something only they know, such as answers to personal questions. This includes One Time Passwords (OTP), Personal Identification Numbers (PIN) and secret knocks.
- What the user has: This requires the user to have something in hand to verify their identity. It can be a physical object such as a mobile authenticator, a smart card, a link sent to your phone, or a USB token that generates an OTP.
- What the user is: This requires a biological trait of the user to verify their identity. This process uses biometric verification such as retina scans, fingerprint scans, voice recordings, hand geometry, digital signatures and facial recognition.
All about Lapsus$: The group that hacked Microsoft
Lapsus$ is a group of hackers based in South America. It is the same group that has claimed responsibility for several prominent security breaches at tech firms such as Microsoft, Samsung, Ubisoft and Okta. The group is known for publicly broadcasting details of its hacks and sharing snippets of stolen data on social media platforms such as Telegram and Twitter. One of the Lapsus$ members stated that the MFA prompt-bombing method was effective against Microsoft.
“No limit is placed on the number of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
In a prompt-bombing attack, the constant annoyance leads to irritation and distraction, and that can cause a user to tap a notification that grants the attacker access to their account. The technique uses a few tricks to confuse and unsettle the target so that they make a subconscious decision.
Here are some of the MFA prompt-bombing methods used by attackers:
- Attackers send a flood of MFA requests and hope that the target will eventually accept one just to stop the noise.
- A more conventional method is to send only one or two prompts a day. This attracts less attention from the target, while the chance that one is eventually accepted remains the same.
- One of the most popular methods is to call the target and pretend to be part of the company, asking the target to approve an MFA request as part of a company operation.
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
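As an added illustration that is not part of the original article, the Python sketch below shows how a defender might spot the pattern described above in MFA push logs (a burst of prompts ending in an approval) and how an MFA service could cap the number of prompts issued to one user in a short window, addressing the "no limit" weakness quoted earlier. The log format, user names, timestamps and thresholds are constructed assumptions.

```python
# Added example (not from the article): detect MFA push-bombing in auth logs
# and enforce a per-user prompt rate limit. Log format and thresholds are
# constructed for illustration, not taken from any real product.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one MFA push per line as "timestamp user result".
SAMPLE_LOG = """
2022-03-22T01:00:05 alice denied
2022-03-22T01:00:40 alice denied
2022-03-22T01:01:10 alice timeout
2022-03-22T01:01:50 alice denied
2022-03-22T01:02:30 alice denied
2022-03-22T01:03:00 alice approved
2022-03-22T09:15:00 bob approved
2022-03-22T17:40:00 bob denied
2022-03-22T17:41:00 bob approved
"""

def parse_log(text):
    """Group (timestamp, result) pairs by user."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, result = line.split()
        events[user].append((datetime.fromisoformat(ts), result))
    return events

def find_push_bombing(events, window=timedelta(minutes=10), max_prompts=3):
    """Flag each approval preceded by at least max_prompts pushes inside
    `window`: the fatigue pattern in which the user finally gives in.
    Returns (user, approval time, number of rejected/timed-out prompts)."""
    alerts = []
    for user, evs in events.items():
        evs.sort()
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [r for t, r in evs[:i] if ts - t <= window]
            if len(prior) >= max_prompts:
                rejected = sum(1 for r in prior if r in ("denied", "timeout"))
                alerts.append((user, ts.isoformat(), rejected))
    return alerts

def may_send_prompt(history, now, window=timedelta(minutes=10), limit=3):
    """Server-side mitigation: refuse to issue another push once `limit`
    prompts were already sent to this user inside `window`."""
    recent = [t for t in history if now - t <= window]
    return len(recent) < limit
```

Bob's lone denial followed by an approval a minute later is normal user behaviour and produces no alert, whereas Alice's five rejected prompts at 1 am followed by an approval do.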
Microsoft states that the group also relies on tactics such as SIM swapping, which are less often used by other hackers. Attackers also use social engineering: for example, they may run a survey that reveals personal details such as a favourite dish or date of birth. All of this information might then be used to guess passwords or the answers to security questions used for account verification. So it is highly recommended that businesses rely on strong Multi-Factor Authentication (MFA) to defend themselves from such attacks.
Multi-factor authentication solutions are fairly inexpensive and easy to deploy. They provide modest but effective protection for individual users and for the broader business network. Above all, we need to educate ourselves about activities such as MFA prompt bombing to avoid such incidents.
We also need to make sure that employees at the workplace are trained well enough to avoid data-compromising incidents. In an era of information security breaches, prepare yourself to act instead of waiting to face problematic situations.