Knowledge

Be mindful of MFA push notification fatigue - it led to the LA County Health Department breach

Take action: MFA push notifications are a convenience meant to spare you from typing the MFA code, but they are not the safest option. It is easy to trick a tired person, or simply to hassle them with prompts until they tap "confirm". The small discomfort of entering an MFA code goes a long way for security. If you do get bombarded with MFA push notifications, reset your password: a push prompt is only sent after a correct password, so yours has already been compromised.


Learn More

The Los Angeles County Department of Health Services (DHS) has disclosed the root cause of a data breach reported earlier this month.

The breach was caused by an employee falling victim to a push notification spamming attack. This method, also known as push notification fatigue, targets multi-factor authentication (MFA) systems by bombarding the user with numerous push notifications on their mobile device.

Anatomy of the attack:

  • MFA push notifications are designed to alleviate the need to enter the 6-digit MFA code by sending a message to the user's mobile phone that asks them to confirm the login.
  • If the user is tired, unfocused or busy when the notification arrives, he or she may accidentally confirm the login even though it is an attacker logging in.
  • It's not unrealistic that another member of the same household clicks on the confirm button because the phone is constantly buzzing with notifications.

Regardless of how the user was compelled to confirm, the net effect for LA County DHS is that the attacker compromised a user's email account and then used it to launch a phishing campaign and steal data.
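As an added illustration (not part of the original article or of any LA County DHS tooling), the following Python script shows one way a defender can spot this pattern in MFA logs: a burst of denied or timed-out push prompts followed by an approval for the same user. The log lines, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log lines (not real data): timestamp, user, push outcome, source IP.
SAMPLE_LOG = """\
2024-06-01T02:10:05 alice denied 203.0.113.7
2024-06-01T02:10:41 alice timeout 203.0.113.7
2024-06-01T02:11:20 alice denied 203.0.113.7
2024-06-01T02:12:02 alice timeout 203.0.113.7
2024-06-01T02:12:55 alice denied 203.0.113.7
2024-06-01T02:13:30 alice approved 203.0.113.7
2024-06-01T09:00:10 bob approved 198.51.100.4
2024-06-01T09:30:00 bob denied 198.51.100.4
2024-06-01T09:31:00 bob approved 198.51.100.4
"""


def parse_log(text):
    """Parse log lines into (time, user, outcome, ip) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_unanswered=3):
    """Flag each approval that was preceded, within `window`, by at least
    `min_unanswered` denied or timed-out pushes for the same user. That approval
    after a run of rejections is what turns push spam into a successful login."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, (t, _, outcome, ip) in enumerate(evs):
            if outcome != "approved":
                continue
            unanswered = [e for e in evs[:i]
                          if e[2] in ("denied", "timeout") and t - e[0] <= window]
            if len(unanswered) >= min_unanswered:
                findings.append({"user": user, "approved_at": t.isoformat(),
                                 "ip": ip, "unanswered_before": len(unanswered)})
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: {f['unanswered_before']} unanswered pushes, then approval from {f['ip']}")
```

A real deployment would also alert on the burst of unanswered prompts itself, before any approval, so the account can be locked and the password reset early.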
