The Uber breach last week highlighted how the bad actors are getting around security controls we put in place to stop them in their tracks.
Multi-factor authentication (MFA) also known as DUO for UTHSC, was established so that if your password was compromised, either because it was easily guessed or given away in a phishing attempt, the scammers couldn’t gain access because they didn’t have the cell phone or token that was needed.
These bad actors are getting around MFA by causing stress and fatigue around those MFA pushes to your cell phone.
Here is how it happens. Someone falls victim to a phishing attempt and logs into a fake webpage with a username and password. The scammers then push MFA notifications over and over and over again to that person’s device. They may even get communication from “IT” that they are aware of the issue and for the person to accept the push to make them stop. After accepting the push, the scammer then adds their own device to the MFA notifications, and voila, they have both the password and the push, the two things they need to gain access.
To protect against this, be very cautious in accepting DUO pushes and verify that the request is coming from you and your geo-location. If you get constant DUO pushes, you are probably under attack. Notify ITS immediately if this happens during business hours, or let us know as soon as possible.