dybber•4mo ago
> They then sent a complicated jumble of computer code and asked me to run it as a command on my work laptop and report back what it said. They wanted to know what internal IT access I had to start planning their next steps once inside.
He should share that script for companies to protect themselves.
> As I held my phone in my hands, the screen filled with a new request every minute or so.
> I knew exactly what this was - a hacker technique known as MFA bombing. Attackers bombard a victim with these pop-ups by attempting to reset a password or log in from an unusual device.
> Eventually the victim presses accept either by mistake or to make the pop-ups go away. This is famously how Uber was hacked in 2022.
Authenticator apps should not give notifications; users must open them manually. In Denmark the government has followed this security practice for the authentication app MitID. In the beginning there were a lot of complaints, but now we know that is just how it works.
mpeg•4mo ago
Or they could balance usability with security and do some sort of throttling at least, there’s no reason to DoS the user with notifications
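One way to implement the throttling suggested above, server-side, as an added example that is not from the original thread or from any vendor's authenticator: a gate that re-uses an outstanding prompt instead of sending another, caps pushes per user per sliding window, and on breach falls back to a code the user must type from the app while recording an alert. All thresholds, names and the simulated timeline (one attempt per minute, mirroring the article's "every minute or so") are assumptions.

```python
"""Illustrative push-MFA throttle (example code, not any product's).

Policy (thresholds are assumptions chosen for the example):
  * at most one prompt outstanding per user; a new login attempt while one
    is pending re-uses it instead of sending another push;
  * at most MAX_PROMPTS_PER_WINDOW pushes per user per WINDOW_SECONDS;
  * exceeding the cap starts a cooldown during which push is refused, the
    login must fall back to a code typed from the app, and an alert is
    recorded for the SOC.
"""
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600        # assumption: 10-minute sliding window
MAX_PROMPTS_PER_WINDOW = 3  # assumption: 3 pushes per window before cooldown
COOLDOWN_SECONDS = 1800     # assumption: 30-minute cooldown
PROMPT_TTL_SECONDS = 60     # assumption: a prompt expires after 60 s


@dataclass
class UserState:
    sent: deque = field(default_factory=deque)  # timestamps of pushes sent
    pending_until: float = 0.0                   # expiry of the outstanding prompt
    cooldown_until: float = 0.0


class PushGate:
    def __init__(self):
        self.users = {}
        self.alerts = []  # (user, time, pushes_in_window) for the SOC

    def request_push(self, user, now):
        """Decide what the login flow does: 'SEND', 'REUSE_PENDING' or 'FALLBACK_TOTP'."""
        st = self.users.setdefault(user, UserState())
        if now < st.cooldown_until:
            # Push is refused during cooldown; attacker gets no new prompts to spam.
            return "FALLBACK_TOTP"
        if now < st.pending_until:
            # A prompt is already on the phone; do not stack another one.
            return "REUSE_PENDING"
        # Forget pushes that fell out of the sliding window.
        while st.sent and now - st.sent[0] > WINDOW_SECONDS:
            st.sent.popleft()
        if len(st.sent) >= MAX_PROMPTS_PER_WINDOW:
            st.cooldown_until = now + COOLDOWN_SECONDS
            self.alerts.append((user, now, len(st.sent)))
            return "FALLBACK_TOTP"
        st.sent.append(now)
        st.pending_until = now + PROMPT_TTL_SECONDS
        return "SEND"

    def resolve(self, user, now):
        """The user approved or denied the prompt; nothing is pending any more."""
        self.users[user].pending_until = 0.0


def simulate_bombing(gate, user="alice", attempts=8, interval=60):
    """Constructed attack timeline: one login attempt per `interval` seconds."""
    return [gate.request_push(user, i * interval) for i in range(attempts)]


if __name__ == "__main__":
    g = PushGate()
    print(simulate_bombing(g))   # 3 pushes, then the rest are refused
    print(g.alerts)              # one alert for alice
```

With these settings an attacker retrying every minute gets three prompts onto the phone and is then cut off for half an hour, with an alert the SOC can act on; the legitimate user loses nothing but the convenience of push for that period. The cap limits how many prompts reach the phone; it does not make any single prompt safer to approve, so it belongs alongside, not instead of, requiring the user to confirm something shown only on the login screen.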
chrisjj•4mo ago
There was no DoS here.
mpeg•4mo ago
I know, I wasn't talking literally, but in spirit that's what MFA bombing is – they flood your phone with notifications until you approve one, either accidentally or out of the mental fatigue of having a ton of notifications come in.
chrisjj•4mo ago
That's different in spirit. No denial at all. In fact this action needs to avoid denying service in order to succeed.
lesuorac•4mo ago
It's denying you from using your phone if a notification constantly pops up.
chrisjj•4mo ago
But it doesn't. The screenshot shows on average only one every 5 min. That is not denying use of the phone.
mpeg•4mo ago
A notification even every few minutes is extremely stressful, and would cause most people to either put their phone in airplane mode (therefore denying normal use) or accept the login.
But I don't really know why we're arguing over semantics, you understood what I meant.
more_corn•4mo ago
User can’t use their phone for fear of accidentally touching accept as it scrolls by in notifications.
tehwebguy•4mo ago
> Authenticator apps should not give notifications, users must open them manually.
Agreed, the constant “Are you trying to log in / reset your password?” notifications Google sends me are concerning because I’m afraid I’ll accidentally tap “Yes / Allow”!