Phishable: Push
What is Push?
Push authentication is a method that sends a push notification to a dedicated app on a user's mobile device, prompting them to approve or deny a login attempt.
Why is it phishable?
Push notifications are susceptible to phishing attacks such as pump-bombing and do not provide any protection against AitM (Adversary-in-the-Middle) attacks.
In addition, push notifications require a second device, which is not inherently linked to the first device that starts the authentication. There is no guarantee that the origin of the push notification prompt on the second device is from the authentication on the first device.
Common attacks on Push
- Push Bombing: Push bombing is where an attacker overwhelms a user with a barrage of push notifications. This confusion and frustration could ultimate trick a user into approving an unauthorized access attempt. The 2022 Uber breach was caused by push bombing.
- AitM (Adversary-in-the-Middle): a convincingly fake login phishing website created by an adversary can lead to a session hijack. Check an exploit on Push here.
- Social Engineering: an attacker might trick a user into approving a push notification through phishing, pretexting, or other deceptive practices.
What should you do if your organization uses Push?
If your organization currently relies on Push for authentication, we recommend the following steps for improvement:
1. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.
2. Implement phish-resistant MFA, such as Beyond Identity, for hardened security.
If you want to see what other steps you can take to improve your overall security, check out our zero trust assessment for a full analysis on your authentication and device management practices.