What Is Push-Bombing & How Can You Prevent It?


Cloud account takeover has become a significant problem for organisations. Think about how much work your company does that requires a username and password. Employees have to log in to many different systems or cloud apps.

Hackers use various methods to get those login credentials. The goal is to gain access to business data as a user, as well as to launch sophisticated attacks and send insider phishing emails.

How bad has the problem of account breaches become? Between 2019 and 2021, account takeover (ATO) rose by 307%.

Doesn’t Multi-Factor Authentication Stop Credential Breaches?

Many organisations and individuals use multi-factor authentication (MFA). It’s a way to stop attackers that have gained access to their usernames and passwords. MFA has been very effective at protecting cloud accounts for many years.

But it’s that effectiveness that has spurred workarounds by hackers. One of these nefarious ways to get around MFA is push-bombing.

How Does Push-Bombing Work?

When users enable MFA on an account, they typically receive a code or authorisation prompt of some type. The user enters their login credentials. Then the system sends an authorisation request to the user to complete their login.

The MFA code or approval request usually comes through a “push” message. Users can receive it in a few ways:

  • SMS/text
  • A device popup
  • An app notification

Receiving that notification is a normal part of the multi-factor authentication login. It’s something the user would be familiar with.

With push-bombing, hackers start with the user’s credentials. They may get them through phishing or from a password dump following a significant data breach.

They take advantage of that push notification process. Hackers attempt to log in many times; this sends the legitimate user several push notifications, one after the other.

Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to click to approve access mistakenly.

Push-bombing is a form of social engineering attack designed to:

  • Confuse the user
  • Wear the user down
  • Trick the user into approving the MFA request to give the hacker access
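
From the defender’s side, the pattern described above shows up in MFA logs as a burst of push requests for one user in a short time, sometimes ending in an approval. The following is an added example, not part of the original article: the log format, the event names (`push_sent`, `push_denied`, `push_approved`) and the threshold of five pushes in two minutes are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA events (not real logs): time, user, event, source IP.
SAMPLE_LOG = """\
2023-02-10T08:59:40Z bob push_sent 192.0.2.10
2023-02-10T08:59:48Z bob push_approved 192.0.2.10
2023-02-10T09:00:05Z alice push_sent 198.51.100.7
2023-02-10T09:00:20Z alice push_denied 198.51.100.7
2023-02-10T09:00:31Z alice push_sent 198.51.100.7
2023-02-10T09:00:44Z alice push_sent 198.51.100.7
2023-02-10T09:00:58Z alice push_sent 198.51.100.7
2023-02-10T09:01:10Z alice push_sent 198.51.100.7
2023-02-10T09:01:15Z alice push_approved 198.51.100.7
"""

def parse_events(text):
    """Yield (timestamp, user, event, source_ip) from the hypothetical format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_bombing(events, threshold=5, window=timedelta(minutes=2)):
    """Flag users with `threshold`+ pushes inside `window`; escalate on approval."""
    recent = defaultdict(deque)   # user -> timestamps of recent push_sent events
    alerts = {}                   # user -> alert dict, escalated in place
    for ts, user, event, ip in events:
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:
            pushes.popleft()      # slide the window forward
        if event == "push_sent":
            pushes.append(ts)
            if len(pushes) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "severity": "burst",
                                "first_push": pushes[0], "source_ip": ip}
        elif event == "push_approved":
            if user in alerts and len(pushes) >= threshold:
                alerts[user]["severity"] = "approved_after_burst"
                alerts[user]["approved_at"] = ts
            pushes.clear()        # approval ends the current login attempt
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(alert)
```

A `burst` alert is a cue to contact the user and reset the password; `approved_after_burst` means a prompt was accepted during the burst, so the resulting session should be treated as suspect.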

Ways to Combat Push-Bombing at Your Organisation

Educate Employees

Knowledge is power. When a user experiences a push-bombing attack, it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.

Let employees know what push-bombing is and how it works. Train them on what to do if they receive MFA notifications they didn’t request.

You should also give your staff a way to report these attacks; this enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.

Reduce Business App “Sprawl”

On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.

Take a look at how many applications your company uses. Look for ways to reduce app “sprawl” by consolidating. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.

Adopt Phishing-Resistant MFA Solutions

You can thwart push-bombing attacks by moving to a different form of MFA. Phishing-resistant MFA uses a device passkey or physical security key for authentication.

There is no push notification to approve this type of authentication. This solution is more complex to set up but also more secure than text or app-based MFA.

Enforce Strong Password Policies

To send several push notifications, hackers must have the user’s login. Enforcing strong password policies reduces the chance that a password will get breached.

Standard practices for strong password policies include:

  • Using at least one upper and one lower-case letter
  • Using a combination of letters, numbers, and symbols
  • Not using personal information to create a password
  • Storing passwords securely
  • Not reusing passwords across several accounts

Put in Place an Advanced Identity Management Solution

Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users have just one login and MFA prompt to manage rather than several.

Additionally, businesses can use identity management solutions to apply contextual login policies. These enable a higher level of security by adding access enforcement flexibility. The system could automatically block login attempts outside a desired geographic area. It could also block logins during certain times or when other contextual factors aren’t met.

Do You Need Help Improving Your Identity & Access Security?

Multi-factor authentication alone isn’t enough. Companies need several layers of protection to reduce their risk of a cloud breach.

Are you looking for some help to reinforce your access security? Give us a call today to schedule a chat.

