top of page

What Is Push-Bombing & How Can You Prevent It?

  • Writer: Sylvia Roberts
    Sylvia Roberts
  • Jun 20, 2023
  • 3 min read

Updated: Jan 18


A man coding on laptop and phone


Cloud account takeovers have become a major problem for organizations. Think about how much of your company’s work relies on usernames and passwords. Employees usually need to log in to several different systems or cloud apps.


Hackers use various methods to steal login credentials. Their goal is to access business data by pretending to be a real user. They might also launch advanced attacks or send phishing emails from within the company.


Account breaches are happening more often. Between 2019 and 2021, account takeover incidents rose by 307%.


Does Multi-Factor Authentication Prevent Credential Breaches?


Many organizations and individuals use multi-factor authentication (MFA) to block attackers who steal usernames and passwords. MFA has been an effective way to protect cloud accounts for years.


But since MFA works well, hackers have found ways to get around it. One method they use is called push-bombing.


How Does Push-Bombing Work?


When a user enables MFA on an account, they typically receive a code or authorization prompt of some type. The user enters their login credentials. Then the system sends an authorization request to the user to complete their login.


The MFA code or approval request usually comes as a push message. Users can receive it in several ways:

  1. SMS/text

  2. A device popup

  3. An app notification


Getting that notification is a normal part of logging in with multi-factor authentication. Users are familiar with this process.


With push-bombing, hackers start with the user’s credentials. They may get them through phishing or from a large data breach password dump.


They take advantage of the push notification process by trying to log in repeatedly. This makes the real user receive several push notifications in a row.


Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to mistakenly click to approve access.


Push-bombing is a type of social engineering attack meant to:

  1. Confuse the user

  2. Wear the user down

  3. Trick the user into approving the MFA request to give the hacker access


Ways to Combat Push-Bombing at Your Organization

Educate Employees


Knowledge is power. When a user experiences a push-bombing attack it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.


Teach employees what push-bombing is and how it works. Give them training on what to do if they get MFA notifications they didn’t ask for.


Also, make sure your staff can report these attacks easily. This helps your IT security team warn others and take steps to protect everyone’s login credentials.


Reduce Business App “Sprawl”


On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.


Take a look at how many applications your company uses. Look for ways to reduce app “sprawl” by consolidating. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.


Adopt Phishing-Resistant MFA Solutions


You can prevent push-bombing attacks by switching to a different type of MFA. Phishing-resistant MFA uses a device passkey or a physical security key for authentication.

With this type of authentication, there are no push notifications to approve. It may be more complex to set up, but it’s also more secure than text or app-based MFA.


Enforce Strong Password Policies


Hackers need a user’s login to send multiple push notifications. Enforcing strong password policies reduces the chance of a password being stolen.


Standard practices for strong password policies include:

  1. Using at least one upper and one lower-case letter

  2. Using a combination of letters, numbers, and symbols

  3. Not using personal information to create a password

  4. Storing passwords securely

  5. Not reusing passwords across several accounts


Put in Place an Advanced Identity Management Solution


Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users, then have just one login and MFA prompt to manage, rather than several.


Businesses can also use identity management solutions to set up contextual login policies. These add extra security by allowing flexible access controls. For example, the system can block login attempts from outside a certain area, during certain times, or when other conditions are not met.


Do You Need Help Improving Your Identity & Access Security?


Multi-factor authentication alone is not enough. Companies need several layers of protection to reduce the risk of a cloud breach.


Do you need help strengthening your access security? Contact us today to start a conversation.

Comments

bottom of page