The Broadband Guide

Hacker beats two-factor authentication with phishing attack

2018-05-10 16:24 by


Security researcher Kevin Mitnick has demonstrated a social engineering attack that bypasses two-factor authentication. Two-factor authentication (2FA) is an extra layer of security that requires something the user HAS as well as something they KNOW: for instance, a username/password combination plus something only the user possesses, such as a code sent to them or generated by an app on their phone.

This particular new attack proxies the user through the attacker's system via a credential phish hosted on a typo-squatting domain. Once the user falls for the lure and enters their credentials and second-factor code, the attacker's proxy relays them to the real site and intercepts the resulting authenticated session cookie, at which point taking over the account is trivial.

Mitnick produced a video on YouTube showing how the exploit works by sending victims to a fake login page. For the demo, he used a fake LinkedIn page.

The website looks just like the LinkedIn login page, but it sits on the attacker's typo-squatting domain rather than LinkedIn's. This is the point at which a suspicious user would stop, but most are simply eager to get on to the site. So they fill in their details and click Sign in. That triggers the 2FA check, and once the correct code is entered the real site creates a session cookie granting access, which the proxy captures.

What Mitnick is attempting to show here is that, even with 2FA, the user is the weak link. If users don't take the time to check where they are entering their secure information, no user-dependent security control, however strong, is going to work.
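As an added illustration that is not part of this article or of Mitnick's demo, the following Python model shows why the relay described above works against a code-based second factor and why an origin-bound factor (the approach taken by FIDO2/WebAuthn security keys) defeats it: the device signs the origin the browser is actually on together with the site's challenge, so a signature produced on the phishing page is rejected by the real site. The origins, the user, the secrets and the HMAC standing in for the device's signature are all constructed assumptions; real WebAuthn uses public-key signatures over the origin and challenge rather than a shared HMAC key.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the model: the genuine site and a look-alike phishing host.
REAL_ORIGIN = "https://www.linkedin.com"
PHISH_ORIGIN = "https://www.linkedln.example"  # constructed placeholder typo-squat, not a real domain


class Site:
    """The genuine service. Issues a session cookie only after a successful second factor."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}        # username -> {"password", "otp", "key"}
        self.pending = set()   # challenges handed out and not yet consumed
        self.sessions = set()  # session cookies issued

    def register(self, username: str, password: str, otp: str, key: bytes) -> None:
        self.users[username] = {"password": password, "otp": otp, "key": key}

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login_with_otp(self, username: str, password: str, otp: str):
        """Classic 2FA: password plus a one-time code typed by the user.
        The code carries no information about WHERE it was typed."""
        u = self.users.get(username)
        if u is None or u["password"] != password or u["otp"] != otp:
            return None
        return self._issue_session()

    def login_with_origin_bound(self, username, password, challenge, signed_origin, tag):
        """WebAuthn-style 2FA: the device signs (origin, challenge); the site checks both."""
        u = self.users.get(username)
        if u is None or u["password"] != password:
            return None
        if challenge not in self.pending:
            return None                      # unknown or replayed challenge
        self.pending.discard(challenge)
        msg = f"{signed_origin}|{challenge}".encode()
        expected = hmac.new(u["key"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                      # not produced by the enrolled device
        if signed_origin != self.origin:
            return None                      # signed for another origin: relayed through a proxy
        return self._issue_session()

    def _issue_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


class Device:
    """The user's phone or security key. The browser tells it which origin it is on."""

    def __init__(self, otp: str, key: bytes):
        self.otp = otp
        self.key = key

    def sign(self, browser_origin: str, challenge: str):
        tag = hmac.new(self.key, f"{browser_origin}|{challenge}".encode(), hashlib.sha256).digest()
        return browser_origin, tag


def relay_otp(site, device, username, password):
    """The relay in the article: credentials and code typed into the look-alike page
    are forwarded unchanged to the real site, which cannot tell where they came from."""
    return site.login_with_otp(username, password, device.otp)


def relay_origin_bound(site, device, username, password):
    """Same relay against an origin-bound factor: the proxy forwards the real challenge,
    but the device signs it with the origin the browser actually sees."""
    challenge = site.challenge()                         # proxy fetched this from the real site
    origin, tag = device.sign(PHISH_ORIGIN, challenge)   # browser is on the phishing page
    return site.login_with_origin_bound(username, password, challenge, origin, tag)


def genuine_origin_bound(site, device, username, password):
    challenge = site.challenge()
    origin, tag = device.sign(REAL_ORIGIN, challenge)    # browser is on the real site
    return site.login_with_origin_bound(username, password, challenge, origin, tag)


def build_demo():
    """Constructed user, password, OTP and device secret for the model."""
    key = b"constructed-device-secret"
    site = Site(REAL_ORIGIN)
    site.register("alice", "hunter2", "123456", key)
    return site, Device(otp="123456", key=key)


if __name__ == "__main__":
    site, device = build_demo()
    print("OTP relayed through proxy gets a session:", relay_otp(site, device, "alice", "hunter2") is not None)
    print("Origin-bound relayed through proxy gets a session:", relay_origin_bound(site, device, "alice", "hunter2") is not None)
    print("Origin-bound on the real site gets a session:", genuine_origin_bound(site, device, "alice", "hunter2") is not None)
```

The point of the model is the `signed_origin != self.origin` check: a code-based factor proves only that the user holds the phone, whereas an origin-bound factor also proves which site the browser was talking to, which is exactly the fact a proxy phish has to hide.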

"A white hat hacker friend of Kevin's developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site," said Stu Sjouwerman, CEO, KnowBe4. "Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can't rely on it alone to protect your organization. This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense."


