No, not all MFA solutions are vulnerable to prompt bombing
And Uber is anything but an isolated case. Today's cybercriminals are constantly innovating by exploiting the smallest loopholes of the digital world. They are able to bypass some two-factor authentication (2FA) systems: these do add a layer of security to user accounts, but a layer that is largely insufficient against the sophistication of current attacks.
The Identity Defined Security Alliance (IDSA) recently released a report on the 2022 Trends in Securing Digital Identities. Among the 500 IT professionals interviewed, 84% reported that their organization had experienced identity theft in the past year¹, an increase of 5 points over the previous year's report.
How does prompt bombing work?
To access their targets' data, hackers first illegally obtain valid credentials. They then use them to log in, which triggers MFA push notifications, and rely on the fact that a user flooded with notifications will at some point approve the authentication. The term "MFA fatigue" refers to the weariness of users caused by these countless notifications.
It sounds trivial, but it worked with Uber. The hacker used an employee's login data and bombarded him with push notifications. Before approving the operation, the user was even contacted on WhatsApp by someone claiming to be a member of his company's IT team, asking him to accept the notification so it would stop. This is a form of social engineering.
A successful prompt bombing attempt can give hackers the ability to add their own device to the compromised account and remove the original user's access. Depending on the permissions the victim has within the organization, attackers can then access and exploit more or less confidential data and resources.
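The attack pattern described above (a burst of push prompts to one user, eventually followed by an approval) is visible in authentication logs. The following added example, which is not inWebo code and assumes a simplified log format of "timestamp user event" that I constructed for illustration, flags users who received an abnormal number of pushes inside a sliding window and records whether an approval followed the burst:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Events: push_sent, push_approved, push_denied, push_timeout.
SAMPLE_LOG = """\
2022-09-15T21:00:01Z alice push_sent
2022-09-15T21:00:09Z alice push_sent
2022-09-15T21:00:20Z alice push_sent
2022-09-15T21:00:31Z alice push_sent
2022-09-15T21:00:42Z alice push_sent
2022-09-15T21:01:03Z alice push_sent
2022-09-15T21:01:30Z alice push_approved
2022-09-15T21:02:00Z bob push_sent
2022-09-15T21:02:05Z bob push_approved
2022-09-15T21:10:00Z carol push_sent
2022-09-15T21:10:15Z carol push_denied
"""

WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 5                   # assumed tuning value: pushes within WINDOW before alerting


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_prompt_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for every user
    whose push count inside `window` reached `threshold`.  An approval that
    arrives after the burst is the highest-priority signal for responders."""
    recent = defaultdict(deque)   # per-user timestamps of pushes still inside the window
    alerts = {}
    for ts, user, event in sorted(parse_log(text)):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                alerts[user]["pushes"] = len(q)
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_prompt_bombing(SAMPLE_LOG).items():
        print(f"{user}: {info['pushes']} pushes, approved after burst: {info['approved_after_burst']}")
```

In the sample, only alice trips the detector (six pushes in about a minute, then an approval); bob's single push followed by an approval is a normal login and carol's denial is the expected reaction. The window and threshold are deliberately simple; in practice they are tuned per environment, and an alert with `approved_after_burst` set should trigger session revocation and a check for newly enrolled devices, since that is the attacker's next step according to the text above.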
Fight prompt bombing with inWebo MFA
Set up the service for more security
inWebo provides an additional level of security through its setting options. For example, it is possible to make the PIN code mandatory and to disallow biometrics on cell phones, since biometric approval favors involuntary or habit-based acceptance.
Enroll your users' browser
The inWebo Browser Token solution enables the enrollment of web and mobile browsers. It certifies that the connection attempt comes from a trusted browser, i.e. from a device listed by the company. It is possible to make this check mandatory to substantially increase the security of connections. This system provides an answer both to prompt bombing and to potential attacks from the Evil Proxy phishing service.
Want to enroll your browser?
Find out how to add a user to your platform and allow them to authenticate safely. Activate your account by following the procedure outlined in the email invitation. Enroll your trusted browser by activating it and setting your PIN and anti-phishing phrase. Add your cell phone or complete the steps directly in your browser.
Disable push notifications
The inWebo multi-factor authentication system allows the user to disable push notifications. To log in, the user must then open the application and validate the login attempt there. With no unsolicited prompts arriving on the device, the user is protected from prompt bombing attacks.
Generate a one-time password (OTP)
The methods described above can be further enhanced with inWebo's one-time password (OTP). This solution requires the user to generate a unique password on their cell phone. This OTP must then be entered in the trusted browser. With no external solicitation at all, and through a chain of certified devices, the connection to the most sensitive data is protected at the highest level.
How to generate an OTP with inWebo?
To perform this operation, simply go to your organization's authentication portal and select "Show me other options". You will be asked for your login and OTP. Go to your mobile application and select "Generate an OTP". You will then be given a one-time password, which automatically expires after 30 seconds. Enter this password in your browser to complete your authentication.
Raise awareness and educate users on best practices
For example, some inWebo customers have launched campaigns based on the ability of our API to send push notifications. With a simple script, administrators simulate prompt bombing attacks on all or part of the solution's users. This way, they can identify which users correctly report the attack and which, on the contrary, give in to it. It is then possible to target awareness messages and adapt them to the technological maturity of the different audiences.
Strengthen your security infrastructure with inWebo Browser Token
This year, 82% of data breaches involved a human factor². These are the results of Verizon's 2022 Data Breach Investigations Report. This study, based on 23,000 incidents and 5,200 confirmed breaches worldwide, highlights the importance of awareness programs. The Uber case is in line with the results of this survey.
What is MFA fatigue?
MFA fatigue refers to the users' weariness with the countless push notifications they receive during an MFA prompt bombing attempt.
What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA), or strong authentication, is a security mechanism that requires two or more validation factors to prove a user's identity. Most often, it is applied when connecting to a network, application or other resource, so that access does not rely on a simple username and password combination alone.