What are push-bombing attacks and how can you prevent them?

Cloud account takeover has become a major problem for organizations. Think about how much work in your company requires a username and password. Employees end up having to log in to many different cloud systems or applications.  

Hackers use a variety of methods to obtain these login credentials. The goal is to gain access to company data as a user, in addition to launching sophisticated attacks and sending internal phishing emails.

How bad has the account breach problem become? Between 2019 and 2021, account takeovers (ATOs) increased by 307% .

Doesn't multi-factor authentication stop credential breaches?

Many organizations and individuals use multi-factor authentication . It's a way to stop attackers who have gained access to their usernames and passwords. Multi-factor authentication has been very effective at protecting cloud accounts for many years.

On the other hand, it is this efficiency that has stimulated workarounds by hackers. One such nefarious way to bypass multi-factor authentication is push- bombing .  

How does push- bombing work ?

When a user enables multi-factor authentication on an account, they typically receive a code or authorization prompt of some type. The user enters their login credentials. Then, the system sends an authorization request to the user to complete their login .  

The multi-factor authentication code or approval request will typically be delivered via a push message. Users can receive it in several ways:

• SMS/Text
• A device pop-up window
• An app notification

Receiving this notification is a normal part of logging in with multi-factor authentication . It is something familiar to the user.

With push bombing, hackers start with user credentials. They can obtain them through phishing or from a large data transfer of passwords from a data breach.

They take advantage of this push notification process. Hackers attempt to log in multiple times. This sends the legitimate user multiple push notifications, one after the other.  

Many people question receiving an unexpected code they didn't request, but when someone is bombarded with these, it can be easy to mistakenly click to approve access.  

Push- bombing is a form of social engineering attack designed to:  

• Confuse the user  
• Carry the user down
• Trick the user into approving the multi-factor authentication request to give the hacker access

Ways to combat push- bombing in your organization

Educate employees

Knowledge is power. When a user experiences a push- bombing attack , it can be disruptive and confusing. If employees have been trained beforehand, they will be better prepared to defend themselves.

Educate employees about push- bombing and how it works. Provide training on what to do if they receive multi-factor authentication notifications they didn't request.  

You should also give your staff a way to report these attacks. This allows your IT security team to alert other users. They can then also take steps to secure everyone's login credentials.  

Reduce the 'sprawl' of commercial applications

On average, employees use 36 different cloud services per day. That's a lot of logins to track. The more logins a person has to use, the greater the risk of password theft.  

Find out how many applications your company uses. Look for ways to reduce application sprawl by consolidating them. Platforms like Microsoft 365 and Google Workspace offer multiple tools behind a single login. Organizing your cloud environment improves security and productivity .  

Adopt phishing-resistant multi-factor authentication solutions

You can completely prevent push- bombing attacks by switching to another form of multi-factor authentication . Phishing-resistant multi-factor authentication uses a device passkey or a physical security key for authentication.  

There are no push notifications to approve with this type of authentication. This solution is more complex to set up, but it is also more secure than  text-based or app-based  multi-factor authentication.

Implement strong password policies

For hackers to send multiple push notifications, they need to have the username. Enforcing strong password policies reduces the risk of a password being compromised.  

Standard practices for strong password policies include:  

• Use at least one uppercase letter and one lowercase letter
• Use a combination of letters, numbers and symbols
• Do not use personal information to create a password
• Store passwords securely
• Do not reuse passwords across multiple accounts

Implement an advanced identity management solution

Advanced identity management solutions can also help you prevent push- bombing attacks . They typically combine all logins through a single sign-on solution. Users then only have one login and one multi-factor authentication prompt to manage, rather than multiple ones.  

Additionally, organizations can use identity management solutions to implement contextual (pop-up) login policies. These allow for a higher level of security by adding flexibility in access enforcement. The system could automatically block login attempts outside a desired geographic area. It could also block logins at certain times or when other contextual factors are not met.  

Do you need help improving your access and identity security?

Multi-factor authentication alone is not enough. Businesses need multiple layers of protection to reduce their risk of cloud breaches. Looking for help strengthening your access security? Contact us now to schedule a meeting.  

About Nexxo

Nexxo Computer Solutions specializes in providing IT and technology services to Quebec businesses. Its mission is to offer Quebec companies IT services tailored to their needs. Acting as an external IT department, it handles all of a company's IT tasks, allowing it to focus on its business activities. It achieves this by collaborating closely with its clients and putting their interests at the center of its concerns.