Page 109 - Cyber Defense eMagazine Annual RSA Edition for 2024
While we don’t know for certain, I am fairly confident that AI was utilized to pull personal data in real-time
and trick the unsuspecting users in follow-up calls. AI’s role in this attack makes it orders of magnitude
more effective because of how convincing it is to the user. For the average cell phone user or non-tech
savvy individual, this is where identity theft begins.
Here are 5 mitigation measures to take against MFA prompt bombing attacks:
Adopt Phishing-Resistant MFA:
Multi-factor authentication requires at least two independent factors: something you know (e.g., a
password, PIN, or security question), something you have (e.g., an OTP code or a device), or something
you are (e.g., a fingerprint or another biometric marker). Unfortunately, the most common second factor
in traditional MFA is “something you have” in the form of an SMS message or OTP code. These verification
methods are also highly vulnerable to phishing and man-in-the-middle (MitM) attacks. MFA bombing abuses
this same “something you have” factor (i.e., the cell phone) to carry out the exploit. For MFA to resist
phishing, it cannot rely on SMS, OTPs, or verification attempts through voice calls or interceptable push
notifications.
Phishing-resistant MFA removes the vulnerabilities that undermine traditional MFA. Instead, it uses a
strong possession factor in the form of a private cryptographic key (embedded at the hardware level in a
user-owned device) and strong inherence factors such as touch or facial recognition. Equally important,
the backend authentication process does not require or store a shared secret.
By shifting toward phishing-resistant MFA methods such as passkeys, which are not susceptible to replay
attacks, you can significantly increase security against MFA bombing and phishing attempts.
Employ User-Initiated Authentication:
MFA flows that can be initiated from remote locations and untrusted devices are easier to abuse in attacks
that overload end users with prompts. Authentication that requires the end user to initiate login from a
trusted device improves the likelihood that a user can identify attempts they did not originate.
Targeted Awareness Training:
Run targeted training that covers MFA bombing, phishing attacks, and caller ID spoofing, emphasizing
caution toward unexpected MFA prompts and skepticism of provider calls related to password resets.
Note: Apple will not initiate outbound calls to customers. A customer must first request to be contacted.
Rate Limiting and MFA Request Controls:
IT departments can enforce rate limiting and introduce controls on MFA requests to prevent this type of
bombardment of users, thus diminishing attackers' success rates.