> They then sent a complicated jumble of computer code and asked me to run it as a command on my work laptop and report back what it said. They wanted to know what internal IT access I had to start planning their next steps once inside.
He should share that script for companies to protect themselves.
> As I held my phone in my hands, the screen filled with a new request every minute or so.
> I knew exactly what this was - a hacker technique known as MFA bombing. Attackers bombard a victim with these pop-ups by attempting to reset a password or log in from an unusual device.
> Eventually the victim presses accept either by mistake or to make the pop-ups go away. This is famously how Uber was hacked in 2022.
Authenticator apps should not give notifications, users must open them manually. In Denmark the government have followed this security practice for the authentication app MitID. In the beginning there were a lot of complaints, but now we know that is just how it works.
Or they could balance usability with security and do some sort of throttling at least, there’s no reason to DoS the user with notifications
There was no DoS here.
I know, I wasn't talking literally, but in spirit that's what MFA bombing is – they flood your phone with notifications until you approve one, either accidentally or out of the mental fatigue of having a ton of notifications come in.
That's different in spirit. No denial at all. In fact this action needs to avoid denying service in order to succeed.
It's denying you from using your phone if a notification constantly pops up.
But it doesn't. The screenshot shows avg. only one each 5 min. That is not denying use of phone.
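The throttling idea raised above, as an added example that is not code from anyone in the thread: a server-side guard that suppresses push prompts per user over a sliding window and flags an approval that arrives after several unanswered prompts. The 30-minute window and limit of 3 are assumed policy values; the window is deliberately long so that the one-prompt-every-5-minutes rate discussed here is still counted.

```python
# Added example: server-side guard against push-MFA fatigue ("MFA bombing").
# Window and limit are assumed policy choices, not taken from any real product.
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 60  # 30 min lookback: a prompt every 5 min still accumulates
MAX_UNAPPROVED = 3        # unanswered prompts allowed per window before suppression


class PushFatigueGuard:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_UNAPPROVED):
        self.window = window
        self.limit = limit
        self.pending = defaultdict(deque)  # user -> timestamps of unanswered prompts
        self.alerts = []                   # (timestamp, user, message) for the SOC

    def _prune(self, user, now):
        q = self.pending[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def request_push(self, user, now):
        """A login attempt wants to push a prompt. Returns 'push' or 'suppress';
        on 'suppress' the login must fall back to a user-initiated factor
        (open the app and type the code) instead of yet another pop-up."""
        self._prune(user, now)
        q = self.pending[user]
        if len(q) >= self.limit:
            self.alerts.append((now, user, "push suppressed: possible MFA bombing"))
            return "suppress"
        q.append(now)
        return "push"

    def approve(self, user, now):
        """User tapped Allow. A legitimate login has 0-1 prompts pending; an
        approval after a pile of unanswered prompts is the fatigue pattern."""
        self._prune(user, now)
        unanswered = len(self.pending[user])
        if unanswered >= 2:
            self.alerts.append((now, user, f"approval after {unanswered} unanswered prompts"))
        self.pending[user].clear()
        return unanswered


def replay(events, guard=None):
    """events: constructed (timestamp, user, action) tuples, action 'login'/'approve'."""
    guard = guard or PushFatigueGuard()
    decisions = []
    for t, u, a in events:
        if a == "login":
            decisions.append(guard.request_push(u, t))
        else:
            decisions.append(f"approve({guard.approve(u, t)})")
    return decisions, guard.alerts


# Constructed timeline: retries every 5 minutes, victim gives in at 16 minutes.
SAMPLE = [(0, "alice", "login"), (300, "alice", "login"), (600, "alice", "login"),
          (900, "alice", "login"), (960, "alice", "approve")]
```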
> Authenticator apps should not give notifications, users must open them manually.
Agreed, the constant “Are you trying to log in / reset your password?” notifs Google send me are concerning because I’m afraid I’ll accidentally tap “Yes / Allow”!