Multifactor authentication (MFA) is the gold standard in offices around the world. We all know the drill: you use your username (often, and inadvisably, your email address) and, perhaps, as the password, the name of your first dog and the last four digits of your social security number.

Not very foolproof, but often the user isn’t too worried. In their mind, they know that if the hacker does figure out their login credentials using various tools or techniques, they still must find their way around MFA’s second layer of security.

Beware of “push bombing”

However, what the user may not realize is that hackers have developed many tried-and-true methods for accomplishing this, including social engineering attacks, spear-phishing, and DDoS attacks. And there is another favorite tool hackers have at their disposal, and it relies on users being tired, frazzled, or annoyed enough to “cave in.” And who isn’t fatigued or frazzled in the final sprint to wrap up Q4 and holiday gifts? The technique hackers like to employ this time of year is called “push bombing.”

The Cybersecurity and Infrastructure Security Agency (CISA) describes push bombing as a situation where the user is bombarded with push notifications until they hit the ‘accept’ button.

“It is a surprisingly effective tool, although it’s very low-tech and brute-force based,” says Sandy Duncan, a cybersecurity expert in Cincinnati, Ohio. Duncan adds that the hackers are preying upon various factors when using a push bombing campaign.

“The biggest appeal of push bombing is that it is cheap, and if you choose the most inconvenient time of day to launch such an attack, your odds of success are greater,” Duncan explains. Duncan notes these are some of the specific times of day that push-bombers like to target:

Beginning of the workday: “There’s no greater hassle than wanting to start your workday and having to wade through a bunch of prompts,” Duncan points out.

Right before lunch: “Who doesn’t want to finish up their work and head to lunch?” Duncan asks.

Middle of the night: “Believe it or not, this is effective,” says Duncan. “Some people, including essential personnel and others check email or log on at night, and then there are those who simply want to check in and then go back to sleep. If they get a bunch of prompts, they might be tempted to cave in so they can get back to sleep.”

Thwart attacks with proper training and preventative techniques

The push-bombing tool is so effective during the sprint to the holidays that CISA included push-bombing in its list of MFA threats to watch. To add a layer to thwart push-bombing, CISA recommends a token-based OTP.

According to CISA’s warning:

“In mobile push notification, the user accepts a “push” prompt sent to the mobile application to approve an access request. When numbers matching is implemented, there is an additional step between receiving and accepting the prompt: the user must enter numbers from the identity platform into the application to approve the authentication request.”

MFA is evolving, Duncan says, but so are the hackers’ techniques.

“Human nature has always been the weakest cybersecurity link,” Duncan adds. “Hackers know that people get tired and annoyed and sometimes numb to the constant MFA requests; if they are worn down enough, hackers count on users entering their information to get rid of the prompt.”

So, how do you avoid being victimized by a push-bombing campaign? Duncan recommends the following steps:

User training

The more someone knows, the more they can be vigilant. “Some people don’t even know that this is a thing, and they’ll just assume the constant prompts are some over-muscular security and do what they can to get rid of it,” Duncan says. So, user training is the cheapest way to alert people to the threat that push-bombing poses.

Number matching

This is an effective method to ward off MFA fatigue and push-bombing campaigns. Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request. CISA’s site provides insight into implementing number matching in MFA applications. If you look at Figures 3 and 4, they provide the user’s view of an identity platform login screen that uses number matching. Microsoft number matching and DUO are two of the most popular ones.

“Of course, this technique isn’t immune from phishing, but it’s a good stopgap. Unfortunately, though, every time we seem to get ahead of the hackers, they catch up,” Duncan says.


NUMENTIS is a Canadian-owned Managed Services provider that offers Managed IT, Cybersecurity Solutions, Cloud Services and VoIP to help their customers control costs, secure their data and make their people more productive.