Push-Bombing Cybersecurity

June 28, 2023 by Mark Nash

One of the most common risks to an organization's cybersecurity is cloud account takeover. Employees frequently have many different systems or cloud apps, each requiring its own login with credentials that can be compromised. Hackers use various methods to get those login credentials, but the end goal is always the same: to gain access to business data through a stolen user account. Hackers will additionally use this access to launch sophisticated attacks and send insider phishing emails. The problem of hacked accounts has been a growing issue for years; between 2019 and 2021, account takeovers rose by 307%.

Many organizations and individuals use multi-factor authentication (MFA) to help stop attackers who have gained access to their usernames and passwords. MFA has been very effective at protecting cloud accounts for many years and continues to be, but that has not stopped hackers from creating workarounds. One of these nefarious ways to get around MFA is push-bombing.

What is Push-Bombing?

When a user with MFA enabled on their account attempts to log in with their username and password, the system follows up by sending an approval request to the user to complete their login. The MFA code or approval request will usually come through some type of "push" message, such as:

  • An SMS/text message
  • A device popup
  • An app notification

With push-bombing, hackers use compromised user credentials to attempt to log in to an account many times in a row. This sends the legitimate user several push notifications, one after the other. Many people question the receipt of an unexpected code that they didn't request and reject it, which is exactly what they should do. But when someone is bombarded with these requests, it can be easy to approve access by mistake, or to get so fed up that they approve access simply to make the push notifications stop. Push-bombing is a form of social engineering attack designed to:

  • Confuse the user
  • Wear the user down
  • Trick the user into approving the MFA request to give the hacker access
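The pattern described above (many prompts to one user in a short span, sometimes ending in an approval) can be looked for in MFA logs. The following is an added example, not part of the original article; the log format, the event names, the threshold and the window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp, user, event.
# The event names push_sent / push_denied / push_approved are assumptions.
SAMPLE_LOG = """\
2023-06-28T09:00:05 alice push_sent
2023-06-28T09:00:20 alice push_approved
2023-06-28T02:13:01 bob push_sent
2023-06-28T02:13:09 bob push_denied
2023-06-28T02:13:40 bob push_sent
2023-06-28T02:14:02 bob push_sent
2023-06-28T02:14:30 bob push_denied
2023-06-28T02:15:10 bob push_sent
2023-06-28T02:15:44 bob push_sent
2023-06-28T02:15:51 bob push_approved
2023-06-28T11:30:00 carol push_sent
2023-06-28T11:30:12 carol push_denied
"""

def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: severity} for users with >= threshold prompts in window.

    severity is "burst" for a run of prompts, "burst_then_approved" when an
    approval arrives while the burst is still inside the window.
    """
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, user, kind = parts
        events.append((datetime.fromisoformat(ts), user, kind))
    events.sort()  # logs may arrive out of order

    recent = defaultdict(deque)  # user -> timestamps of recent prompts
    findings = {}
    for ts, user, kind in events:
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()  # drop prompts older than the window
        if kind == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold:
                findings.setdefault(user, "burst")
        elif kind == "push_approved" and len(prompts) >= threshold:
            findings[user] = "burst_then_approved"
    return findings
```

A "burst_then_approved" finding is the case to treat as a likely account takeover; a plain "burst" indicates the password is already compromised even though the user held out.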

Ways to Combat Push-Bombing at Your Organization

Educate Employees

Push-bombing attacks are disruptive and can be confusing to an unprepared user. However, if that user was educated beforehand, they'll be better prepared to defend themselves. Provide employees with training on what push-bombing is and how it works, and what to do if they receive MFA notifications they didn't request. They should have a method of reporting these attacks to your IT security team. Once reported, your IT team can take steps to secure everyone's login credentials.

Reduce Business App "Sprawl"

On average, employees use 36 different cloud-based services per day. The more logins a user has, the greater the risk of a stolen password. Review the various applications your company uses and their functions, and look for ways to reduce app "sprawl" by consolidating them. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.

Adopt Phishing-Resistant MFA Solutions

You can thwart push-bombing attacks altogether by moving from push-based MFA to a passkey-based version. Passkey MFA uses a physical security key or key generator app that randomly generates a one-time passcode that must also be entered upon a login attempt for authentication. There is no push notification to approve with this type of authentication. This solution is more complex to set up, but it's also more secure than text or app-based MFA.

Enforce Strong Password Policies

For hackers to start a push-bombing attack in the first place, they need to have already compromised the user's login. Enforcing strong password policies reduces the chance that a password will get breached. Standard practices for strong password policies include:

  • Using at least one upper and one lower-case letter
  • Using a combination of letters, numbers, and symbols
  • Not using personal information to create a password
  • Storing passwords securely
  • Not reusing passwords across several accounts

Put in Place an Advanced Identity Management Solution

Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution so that users have just one login and MFA prompt to manage rather than several. Additionally, businesses can use identity management solutions to install contextual login policies that enable a higher level of security by adding access enforcement flexibility. The system could automatically block login attempts outside a desired geographic area, during certain times, or when other contextual factors aren't met.