WATCH: Well, that was easy: Two-factor authentication hack feeds on phony e-mail

Two-factor authentication can be beat, as a hacker demo has shown. Lots of attention is being paid to a video posted where Kevin Mitnick, KnownBe4 chief hacking officer, revealed the two-factor exploit.

Two-factor authentication is "an extra layer of security that requires something an employee HAS and something they KNOW."

"The core of the attack comes in a phishing email, in this case, one purportedly sent by LinkedIn, to a member indicating someone is trying to connect with them on that social network," said Doug Olenick, SC Magazine.

The user gets a fake login page. The attack method is described in security parlance as a credentials phishing technique, which requires the use of a typo-squatting domain. The idea is to let the user give away his/her credentials. A white hat hacker friend of Kevin's developed the tool designed to bypass two-factor authentication.

In this kind of attack what is meant by a typo-squatting domain? It's a trick, and the "squatting" reflects how it cybersquats on another entity. Internet users who use the deliberately incorrect-lettered address with its typographical error plant may be led to a hacker-run alternative website.

Mitnick showed how this all works, in logging into his gmail account, via a phony Linked-In email.

Matthew Humphries, PCMag's UK-based editor and news reporter, said in the attack, an email appears ok regarding the website being targeted, "so the recipient doesn't take the time to check the domain it was sent from."

In this instance, the email was from rather than—easy to miss if you are not on the lookout for phony come-ons. Clicking the "Interested" button in the email takes the user to a website that looks just like the LinkedIn login page. All in all, Mitnick showed it was not that hard to just go ahead and nab a LinkedIn user's details, "simply by redirecting them to a website that looks like LinkedIn and using 2FA against them to steal their login credentials and site access," said Humphries.

The demo used LinkedIn as an example, but it could be used on Google, Facebook, and anything else carrying two-factor login; reports said the tool could be "weaponized" for just about any website.

Interestingly, it was last year when Russell Brandom said in The Verge that it was "time to be honest about its limits" in reference to two-factor authentication. Brandom gave an account of how the promise of two-factor began to unravel early on with mischief makers getting around it. He said, "it's become clear that most two-factor systems don't stand up against sophisticated users."

Nonetheless, he said, in most cases, the problem isn't two-factor itself. It's "everything around it. If you can break through anything next to that two-factor login—whether it's the account-recovery process, trusted devices, or the underlying carrier account—then you're home free."

One obvious piece of advice, however, was offered and that is to be vigilant about links. Also, a perspective on what two-factor authentication is and isn't is helpful. It is a tighter solution than a basic password only mechanism. It is an extra layer of security. But as Stu Sjouwerman, CEO, KnowBe4, stated:. "Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can't rely on it alone to protect your organization."

For other great tech information and to WATCH THE VIDEO please go to the source.

Source: Tech Xplore

Topics: The Verge, Two-Factor Authentication, Chief Hacking Officer, cybersquats, keynote speaker, phishing email, Russell Brandom, security, KnowBe4, Stu Sjuowerman, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Redefining Your Enterprise’s Cyber Security Posture During Mergers & Acquisitions

With 3,205 data compromises occurring in 2023 alone, fortifying your enterprise’s cybersecurity posture is more important than ever.

Read more ›

Choosing a Penetration Testing Company for Mac-based Environments

Powering your business with Apple devices because of their reputable security and privacy features? You may be surprised to learn that while Apple dev..

Read more ›

AI in Cyber Security: Impacts, Benefits, and More To Be Aware Of

Artificial intelligence in cybersecurity has been a hot topic lately, especially with the rise of OpenAI’s ChatGPT. But does that mean it would make a..

Read more ›