What You Need to Know About Prompt Bombing: Circumventing 2FA Through Irritation
The importance of using Two Factor Authentication (2FA) as an additional security check when accessing an account or service is now well understood. Criminals and fraudsters attempting to compromise accounts know how effective it can be better than anyone.
With 2FA, getting an account password is only the first step for would-be hackers: they also need access to a device that belongs to the target, whether through a text message, an email, or an authenticator prompt. Social engineering has long been the go-to for getting around a device lockout (for example, pretending to be a bank representative and asking for a confirmation code), but a new technique that is rising in popularity manipulates a very basic human emotion to bypass 2FA: frustration.
This is prompt bombing.
By triggering an authentication request repeatedly, an attacker hopes that the target will relent and authorize, just to make the requests stop. The specifics of this attack vary, but the following example illustrates how it works.
Imagine you’re sleeping peacefully when you’re suddenly awakened by your buzzing phone. You check to see multiple authorization requests to confirm a bank account or company email login. You’re groggy, maybe confused, and almost certainly irritated. You keep declining, but the requests are relentless.
In order to get some much-needed sleep, you take the path of least resistance and approve the authentication, justifying it by telling yourself the system has an error, or that IT is making a change. You go back to bed to deal with it in the morning, but when morning comes, you find a compromised account waiting for you.
It’s a simple enough concept, but simplicity can often be effective, as the growth of prompt bombing shows.
So, what can merchants do to protect their customers from prompt bombing?
Your first response should be to educate your teams and to encourage increased vigilance around authentication requests. Your IT and security teams should be made aware of this attack vector if they aren’t already, but also be sure every person on staff can recognize prompt bombing and is familiar with the appropriate next steps when they encounter it.
Anyone who has implemented 2FA should also implement velocity checks, as they’ve proven to be an effective mitigator against similar fraud attacks. With a properly implemented velocity check, if there is an unusual number of authorization requests in a short time period, the account is automatically locked or frozen for a few hours. This is often enough to deter criminals, and the account can be reactivated or unlocked once it’s safe to do so.
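The velocity check described above, as an added example that is not part of the original article: a sliding-window counter over 2FA push prompts per account that freezes the account once a burst exceeds a threshold. The threshold, window and lockout duration are assumptions chosen for illustration, and the prompt events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the article.
MAX_PROMPTS = 5                 # prompts tolerated per account within WINDOW
WINDOW = timedelta(minutes=10)  # sliding window for the velocity check
LOCKOUT = timedelta(hours=2)    # how long the account stays frozen


class PromptVelocityGuard:
    """Tracks 2FA push prompts per account and freezes an account that
    receives an unusual burst, so the user is never worn down into approving."""

    def __init__(self):
        self._recent = defaultdict(deque)  # account -> prompt timestamps in window
        self._locked_until = {}            # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_prompt(self, account, now):
        """Call before sending a prompt. Returns "send" or "locked"."""
        if self.is_locked(account, now):
            return "locked"               # frozen: no prompt reaches the user
        q = self._recent[account]
        q.append(now)
        while q and now - q[0] > WINDOW:  # drop prompts older than the window
            q.popleft()
        if len(q) > MAX_PROMPTS:          # burst detected: freeze the account
            self._locked_until[account] = now + LOCKOUT
            q.clear()
            return "locked"
        return "send"


def replay(events):
    """Run a list of (account, timestamp) prompt events through one guard."""
    guard = PromptVelocityGuard()
    return [(acct, guard.record_prompt(acct, ts)) for acct, ts in events]


# Constructed sample: seven prompts against "alice" in three minutes
# (a 2 a.m. bombing run), plus one ordinary prompt for "bob".
T0 = datetime(2023, 3, 1, 2, 0, 0)
SAMPLE_EVENTS = [("alice", T0 + timedelta(seconds=30 * i)) for i in range(7)]
SAMPLE_EVENTS.append(("bob", T0 + timedelta(minutes=5)))
```

Prompts one to five for alice are sent, the sixth trips the threshold and freezes the account, and the seventh is suppressed while bob is unaffected.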
As with most social engineering-based attacks, the clearest defense is awareness of the tactic. Be sure to share this information with your teams and anyone else you think may be vulnerable to prompt bombing.