June 29, 2022
What You Need to Know About Prompt Bombing: Circumventing 2FA Through Irritation
The importance of using Two-Factor Authentication (2FA) as an additional security check when accessing an account or service is now well understood. Criminals and fraudsters attempting to compromise accounts know how effective it can be better than anyone.
With 2FA, getting an account password is only the first step for would-be hackers: they also have to get past a device that belongs to the target, whether through a text message, email, or authenticator prompt. Social engineering has long been the go-to for getting around a device lockout (e.g. pretending to be a bank representative and asking for a confirmation code), but a new technique is rising in popularity that manipulates a very basic human emotion to bypass 2FA: frustration.
This is prompt bombing.
By triggering an authentication request repeatedly, an attacker is hoping that the target will relent and authorize, just to make the requests stop. The specifics of this attack vary, but the following example may illustrate how it works.
Imagine you’re sleeping peacefully when you’re suddenly awakened by your buzzing phone. You check to see multiple authorization requests to confirm a bank account or company email login. You’re groggy, maybe confused, and almost certainly irritated. You keep declining, but the requests are relentless.
In order to get some much-needed sleep, you take the path of least resistance and approve the authentication, justifying it by telling yourself the system has an error, or that IT is making a change. You go back to bed to deal with it in the morning, but when morning comes, you find a compromised account waiting for you.
It’s a simple enough concept, but simplicity can often be effective, as the expansion of prompt bombing proves.
So, what can merchants do to protect their customers from prompt bombing?
Your first response should be to educate your teams, and to encourage increased vigilance around authentication requests. Your IT and security teams should be made aware of this attack vector if they aren’t already, but also be sure every person on staff can recognize prompt bombing and is familiar with appropriate next steps when it is encountered.
Anyone who has implemented 2FA should also implement velocity checks, as they’ve proven to be an effective mitigation against similar fraud attacks. With a properly implemented velocity check, if there is an unusual number of authorization requests in a short time period, the account is automatically locked or frozen for a few hours. This is often enough to deter criminals, and the account can be reactivated or unlocked once it’s safe to do so.
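The velocity check described above can be sketched as a per-account sliding window. This is an added example, not code from the original article; the window length, prompt limit, three-hour lock, and the names `PromptVelocityCheck` and `replay` are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60      # assumed look-back window
MAX_PROMPTS = 5               # assumed number of prompts allowed per window
LOCK_SECONDS = 3 * 60 * 60    # "a few hours"; three is an assumption


class PromptVelocityCheck:
    """Sliding-window limiter for 2FA authorization requests, per account."""

    def __init__(self, window=WINDOW_SECONDS, max_prompts=MAX_PROMPTS,
                 lock=LOCK_SECONDS):
        self.window, self.max_prompts, self.lock = window, max_prompts, lock
        self._recent = defaultdict(deque)   # account -> recent prompt timestamps
        self._locked_until = {}             # account -> time the lock expires

    def allow_prompt(self, account, now):
        """Return True if a prompt may be sent to the user's device."""
        if now < self._locked_until.get(account, 0):
            return False                    # locked: nothing reaches the device
        recent = self._recent[account]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget prompts outside the window
        if len(recent) >= self.max_prompts:
            self._locked_until[account] = now + self.lock
            recent.clear()
            return False                    # this request trips the lock
        recent.append(now)
        return True

    def unlock(self, account):
        """Manual reactivation once it is safe to do so."""
        self._locked_until.pop(account, None)
        self._recent.pop(account, None)


def replay(events, check=None):
    """Run (timestamp, account) events through the check; return decisions."""
    check = check or PromptVelocityCheck()
    return [(ts, acct, check.allow_prompt(acct, ts)) for ts, acct in events]


# Constructed sample: a prompt every 20 s against "alice", one normal login for "bob".
SAMPLE = [(t, "alice") for t in range(0, 160, 20)] + [(200, "bob")]

if __name__ == "__main__":
    for ts, acct, ok in replay(SAMPLE):
        print(f"t={ts:>4}s {acct:<6} {'prompt sent' if ok else 'BLOCKED, account locked'}")
```

Because the lock is checked before anything is sent, the flood stops reaching the user's phone after the limit is hit, and other accounts are unaffected.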
As with most social engineering-based attacks, the clearest defense is awareness of the tactic. Be sure to share this information with your teams and anyone else you think may be vulnerable to prompt bombing.