Cloud account takeover is one of the major and growing problems for organizations. Consider how much of your company’s workload requires logging into apps with a username and password. Employees end up logging into many different systems and cloud apps, which opens the door to ‘push-phishing’ or, even worse, ‘push-bombing.’
Hackers want those login credentials and employ various methods to get them. Gaining access to business data as a user is a very productive inroad for these criminals, allowing them to launch sophisticated attacks and send insider phishing emails.
How bad has the problem of account breaches become? Between 2019 and 2021, account takeover (ATO) rose by 307%. That is a severe spike, of the kind that occurs whenever a new method of cyber attack is put into practice.
Doesn’t Multi-Factor Authentication Stop Credential Breaches?
The use of Multi-Factor Authentication (MFA) is growing exponentially. It is a way to stop attackers who have already obtained a user’s username and password. One of the most common MFA practices sends a code to your smartphone: enter that code and you’re in. It is very effective at protecting cloud accounts and has been for many years.
But every time something stops hackers, they look for a way around it. Enter ‘Push-Bombing.’
How a Push-Bombing Attack Works
When the company admin or IT support enables MFA on an account, the check becomes an automated procedure. The user requesting access enters their login credentials and receives a code or an authorization prompt of some type. The user enters the code (or approves the prompt), and the system verifies it to complete the login.
The MFA code or approval request will usually come through some type of ‘push’ message, so named because the message or notification is ‘pushed’ to the user even if they are not yet active on the app. Users can receive it several ways:
- SMS/text
- A device popup
- An app notification
Receiving that notification is a normal part of a multi-factor authentication login. Once enrolled in MFA, the user ‘knows the drill.’
With push-bombing, hackers start with the user’s stolen credentials, possibly getting them through phishing or from a large data breach password dump.
They take advantage of that push notification process. Hackers attempt to log in many times. Each attempt sends the legitimate user another push notification, one after the other.
It’s more than reasonable to question an unexpected code that you didn’t request. It should immediately raise a red flag, but when someone is bombarded with these prompts, it is easy to tap ‘approve’ by mistake.
Push-bombing is a form of social engineering attack designed to:
- Confuse the user
- Wear the user down
- Trick the user into approving the MFA request to give the hacker access
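The attack pattern just described leaves a recognisable trace in the MFA provider’s logs: many push prompts for one user inside a short window, sometimes ending in an approval. The script below is an added example, not code from the original article or from any MFA vendor; it uses a constructed log format and constructed sample lines, so the parser would need adapting to a real provider’s export. It slides a per-user time window over the prompts, raises an alert once the count reaches a threshold, and marks the alert as critical when the user eventually approved a prompt after the burst began, which is the case that needs an immediate credential reset and session revocation.

```python
"""Spot push-bombing bursts in MFA push logs.

Added example, not from the original article. The log format below is
constructed for this demo; real MFA providers log differently, so adapt
parse_line() to your own export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> user=<name> event=<push_sent|push_approved|push_denied> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T08:01:10 user=alice event=push_sent src=203.0.113.7
2024-03-04T08:01:22 user=alice event=push_approved src=203.0.113.7
2024-03-04T22:14:03 user=bob event=push_sent src=198.51.100.9
2024-03-04T22:14:31 user=bob event=push_sent src=198.51.100.9
2024-03-04T22:14:58 user=bob event=push_sent src=198.51.100.9
2024-03-04T22:15:20 user=bob event=push_sent src=198.51.100.9
2024-03-04T22:15:45 user=bob event=push_sent src=198.51.100.9
2024-03-04T22:16:02 user=bob event=push_approved src=198.51.100.9
2024-03-04T09:30:00 user=carol event=push_sent src=192.0.2.44
2024-03-04T09:30:40 user=carol event=push_denied src=192.0.2.44
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_push_bombing(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: alert} for every user who received `threshold` or more
    push prompts inside any `window`-long span (sliding window per user).

    Each alert records the peak number of prompts seen in one window, the
    source addresses involved, and whether the user approved a prompt after
    the burst began (the fatigue outcome the attacker is after).
    """
    alerts = {}
    recent = defaultdict(deque)   # user -> timestamps of recent push_sent events
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "push_sent":
            q = recent[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "peak_prompts": 0, "first_prompt": q[0],
                    "sources": set(), "approved_after_burst": False,
                })
                alert["peak_prompts"] = max(alert["peak_prompts"], len(q))
                alert["sources"].add(ev["src"])
        elif ev["event"] == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts


def severity(alert):
    """'critical' if the user gave in and approved a prompt, 'high' otherwise."""
    return "critical" if alert["approved_after_burst"] else "high"


if __name__ == "__main__":
    for alert in find_push_bombing(parse_log(SAMPLE_LOG)).values():
        print(f"[{severity(alert).upper()}] {alert['user']}: {alert['peak_prompts']} prompts "
              f"from {', '.join(sorted(alert['sources']))} starting {alert['first_prompt']}")
```

Run it as-is and only bob is flagged: five prompts in under two minutes followed by an approval, so the alert is critical. Alice and carol each got a single prompt and stay below the threshold. The threshold and window are the knobs to tune against your own baseline of how often a legitimate user re-prompts themselves.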
Ways to Defend Against Push-Bombing
Employee Training
When a user experiences a push-bombing attack it can be disruptive and confusing, but educating employees beforehand makes them better prepared to defend themselves.
Train employees on what a push-bombing attack is, how it works, and what it’s going to look like when it happens. Provide them with training on what to do if they receive MFA notifications they didn’t request.
Institute a specific Incident Response Plan for your staff to report these attacks. This enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.
Pare Down Business App ‘Sprawl’
Employees use 36 different cloud-based services per day on average. That’s a lot of logins to keep up with, so many workers try to get through the login and MFA quickly. The more logins someone has to use, the greater the risk of a stolen password and the greater possibility of push-bombing.
Look at how many applications your company uses, and ways to reduce app ‘sprawl’ by consolidating them and getting rid of apps that do the same thing. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.
Initiate Phishing-Resistant MFA Solutions
It’s possible to thwart push-bombing attacks altogether by moving to a different form of MFA. Phishing-resistant MFA uses a device passkey or physical security key for authentication.
This takes push notifications out of the picture. The solution is a bit more complex to set up, but it’s also more secure than text- or app-based MFA.
Adopt and Enforce Strong Password Policies
Hackers need to have the user’s login to send multiple push-notifications. Enforcing strong password policies reduces the chance that a password will get breached. Take a look at our section on this site titled Creating Strong Passwords.
Standard practices for strong password policies include:
- Using at least one upper and one lower-case letter
- Using a combination of letters, numbers, and symbols
- Not using personal information to create a password
- Storing passwords securely with a Password Manager
- Not reusing passwords across several accounts
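The policy items above can be enforced at password-change time rather than left to memory. The checker below is an added example, not code from the original article; the personal-information fields and the store of previous passwords are constructed for the demo. It checks the character-class rules, rejects passwords containing personal details, and detects reuse by comparing against salted PBKDF2 digests of passwords already in use, so earlier passwords never need to be kept in clear text.

```python
"""Check a candidate password against the policy items above.

Added example, not from the original article. The personal-information
fields and the previous-password store are constructed for the demo.
"""
import hashlib
import hmac
import os
import string


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so earlier passwords can be kept for reuse checks
    without storing them in clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_password(password, personal_info=(), previous_hashes=()):
    """Return a list of policy failures; an empty list means the password passes.

    personal_info: strings such as names, birth year or pet names that must not
    appear in the password. previous_hashes: (salt, digest) pairs produced by
    hash_password() for passwords already in use on other accounts.
    """
    failures = []
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)

    if not (has_upper and has_lower):
        failures.append("needs at least one upper-case and one lower-case letter")
    if not (has_letter and has_digit and has_symbol):
        failures.append("needs a mix of letters, numbers and symbols")

    lowered = password.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:   # ignore very short fragments
            failures.append(f"contains personal information: {item!r}")

    for salt, digest in previous_hashes:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            failures.append("already used on another account; do not reuse passwords")
            break
    return failures


if __name__ == "__main__":
    profile = ["Sally", "Jones", "1988", "Rex"]      # constructed personal info
    store = [hash_password("Summer2024!")]           # constructed: one password already in use
    for candidate in ["sallyrex1988", "Summer2024!", "Tr0ub4dor&3-cloud"]:
        print(candidate, "->", check_password(candidate, profile, store) or "OK")
```

The reuse check deliberately re-derives the digest with each stored salt instead of comparing raw strings, which is the same shape a password manager or identity provider uses when it refuses a recycled password.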
Adopt an Advanced Identity Management Solution
Adopting an Advanced Identity Management solution can also help you prevent push-bombing attacks. These solutions generally combine all logins through a single sign-on (SSO) solution, so users have just one login and one MFA prompt to manage, rather than several.
Businesses can also use identity management solutions to apply contextual login policies. These raise the level of security by adding flexibility in how access is enforced. For example, the system could automatically block login attempts from outside a desired geographic area. It could also block logins during certain times (when users usually are NOT logging in) or when other contextual factors aren’t met.
Frequently Asked Questions
Q: What is push phishing?
A: In effect, it works the same as push-bombing, but it sends a phony notification only once, whereas bombing sends them many times.
Q: Do I really need a password manager?
A: It is a handy tool, especially if you’re juggling dozens of passwords. On your main work device, once you enter the login credentials, the next time you go back to that app or website the password manager will open a small window asking whether you want it to fill in the credentials. One click and you’re in!
Q: What are the three A's of identity and access management?
A: Identity and Access Management (IAM) is made up of these core elements:
Authentication - ensures that the user logging in is who they say they are.
Authorization - determines what an authenticated user is allowed to access, and grants that access.
Analytics - specifically concerning user behavior: if Sally only logs in between 8am and 5pm, Monday through Friday, her logging in at 10pm on a Saturday bears looking into.
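The contextual login policies described in the identity management section (blocking logins from outside an expected region or during hours when nobody logs in) and the Sally example above are two halves of the same mechanism: a static organisation-wide policy plus a per-user behavioural baseline. The code below is an added example, not from the original article or any identity provider; the login history, the country allow-list and the blocked-hours window are constructed for the demo. Hard policy violations block outright, while a login that is merely unusual for that user (a new weekday, or well outside their usual hours) is not blocked but gets a step-up, meaning a phishing-resistant factor is required instead of a plain push approval, so a push-bombing attempt at 10pm on Saturday never reaches Sally’s phone.

```python
"""Contextual login policy with a per-user behavioural baseline.

Added example, not from the original article. The login history, the
country allow-list and the blocked hours are constructed for the demo.
"""
from datetime import datetime

# Constructed history of successful logins: (user, ISO timestamp, country code)
HISTORY = [
    ("sally", "2024-03-04T08:15:00", "US"),   # Mon
    ("sally", "2024-03-05T09:02:00", "US"),   # Tue
    ("sally", "2024-03-06T13:40:00", "US"),   # Wed
    ("sally", "2024-03-07T16:55:00", "US"),   # Thu
    ("sally", "2024-03-08T08:30:00", "US"),   # Fri
]

# Constructed organisation-wide policy: where logins may come from, and an
# overnight window in which nobody is expected to log in.
STATIC_POLICY = {
    "allowed_countries": {"US"},
    "blocked_hours": range(0, 6),   # 00:00-05:59
}


def build_baseline(history):
    """Per user: the weekdays seen and the hour range of past successful logins."""
    baseline = {}
    for user, ts, _country in history:
        dt = datetime.fromisoformat(ts)
        b = baseline.setdefault(user, {"weekdays": set(), "min_hour": 23, "max_hour": 0})
        b["weekdays"].add(dt.weekday())
        b["min_hour"] = min(b["min_hour"], dt.hour)
        b["max_hour"] = max(b["max_hour"], dt.hour)
    return baseline


def evaluate_login(baseline, policy, user, ts, country, slack_hours=1):
    """Decide 'allow', 'step_up' or 'block' for one login attempt.

    Country and blocked-hour violations block outright. A login that is only
    unusual for this user (new weekday, or outside their usual hours plus or
    minus slack_hours) is not blocked but requires a step-up: a
    phishing-resistant factor instead of a push approval.
    """
    dt = datetime.fromisoformat(ts)
    reasons = []
    decision = "allow"

    if country not in policy["allowed_countries"]:
        reasons.append(f"country {country} is outside the allowed set")
        decision = "block"
    if dt.hour in policy["blocked_hours"]:
        reasons.append(f"hour {dt.hour:02d} falls in the blocked window")
        decision = "block"

    b = baseline.get(user)
    if b is None:
        reasons.append("no login history for this user yet")
        unusual = True
    else:
        unusual = (dt.weekday() not in b["weekdays"]
                   or not (b["min_hour"] - slack_hours <= dt.hour <= b["max_hour"] + slack_hours))
        if unusual:
            reasons.append(f"outside {user}'s usual login pattern")
    if unusual and decision == "allow":
        decision = "step_up"
    return decision, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    attempts = [
        ("sally", "2024-03-12T10:00:00", "US"),   # Tuesday mid-morning: normal
        ("sally", "2024-03-09T22:00:00", "US"),   # Saturday 10pm: unusual
        ("sally", "2024-03-12T10:00:00", "BR"),   # wrong country
        ("sally", "2024-03-12T03:00:00", "US"),   # overnight window
    ]
    for user, ts, country in attempts:
        decision, reasons = evaluate_login(base, STATIC_POLICY, user, ts, country)
        print(f"{user} {ts} {country}: {decision} {reasons}")
```

The step-up path is the important design choice: treating an unusual-but-plausible login as “ask for a stronger factor” rather than “deny” keeps legitimate travel or late nights working, while still denying an attacker the push prompt that push-bombing depends on.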
Q: When should security awareness training be provided to new employees?
A: New hires should complete security awareness training within the first 10 days of employment. Once they have access to the network apps, they are either a danger or a defender. Training should be repeated every 3 to 4 months for all employees.
How secure is your network?
As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and security assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.
The best defenses are expert Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider (MSP) to ensure continued reliability and defenses against newly emerging threats.
With our 100% Money Back Guarantee in writing, we offer a risk-free way for prospective clients to try us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
Among the Managed IT services we provide:
- IT HelpDesk Service
- Onsite IT Support
- Cybersecurity
- Cloud migration and management
- Email migration services
- Backup and disaster recovery
- VoIP phone systems
- IT disposition and recycling
- Office moves
- White label services (IT to IT)
IT Support LA is an award-winning Managed Services Provider (MSP):
- 3 years awarded Best IT Support by the Small Business Expo
- Awarded 2nd best company of any type in the US by the Small Business Expo SB100
- Awarded Best IT Support in California by Channel Futures
- Winner of Best IT Support in Los Angeles by Channel Futures
- Listed as one of the world’s Top 501 Managed Services Providers by CRN and in the top 250 in the ‘Pioneer’ listing
- 4 years listed as one of the Top 501 Managed Services Providers in the World by Channel Futures
- Listed as #21 Managed Services Provider in the World in Channel Futures NextGen 101
- Globee 2021 Bronze Award winner for Chief Technology Officer of the Year
- Globee 2022 Gold Award winner for Chief Technology Officer of the Year
- Named one of 2022’s 50 ‘Best’ businesses in California by UpCity
- Named Best of IT winner by UpCity
- Winner of Local Excellence Award for 2021, 2022 and 2023 by UpCity
- Named Best of Cloud Consulting winner by UpCity
- Certified as Top Managed Services Provider and Cybersecurity Pro by UpCity
- Named Best IT Services in Los Angeles by Expertise.com
Do You Need Help Improving Your Identity & Access Security?
Multi-factor authentication alone isn’t enough. Companies need several layers of protection to reduce their risk of a cloud breach.
Are you looking for some help to reinforce your access security? Give us a call today to schedule a chat.
At the same time, take advantage of our FREE network and security assessment.
818-805-0909