Someone Has Figured Out How to Bypass Two-Factor Authentication
2018-05-11
Posted by 3uTools

Security is never easy. Many of us assumed two-factor authentication protected our accounts from being hijacked, but a newly demonstrated exploit lets attackers defeat it: victims are sent to a fake login page, and their username, password, and session cookie are stolen from there.


The exploit was demonstrated by KnowBe4 Chief Hacking Officer Kevin Mitnick in a video made public today.




The hack requires a user to visit a fake website where their login, password, and one-time authentication code are captured. The attacker immediately passes those correct credentials to the legitimate website and then captures the session cookie it issues. The login succeeds because the relayed one-time two-factor code is still valid when it reaches the real site, so the attacker ends up holding an authenticated session.
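To make the mechanism concrete, here is an added, self-contained model of the exchange described above. It is not code from the article, from Mitnick's video, or from Gretzky's tool; the `LegitimateSite`, `PhishingRelay` and `simulate` names, the user "alice", her password and the in-memory sessions are all constructed for the illustration. The real site validates a password plus a TOTP code and issues a session cookie; the fake page simply forwards whatever the victim types and keeps the cookie that comes back. The point it shows is that the one-time property of the code only blocks replay, which a real-time relay never needs.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """Minimal RFC 6238-style TOTP (HMAC-SHA1, 30-second step) so the model runs offline."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LegitimateSite:
    """Constructed stand-in for the real service: password + TOTP, then a session cookie."""

    def __init__(self):
        # Constructed sample account; the TOTP secret is generated fresh each run.
        self.users = {"alice": {"password": "correct horse",
                                "totp_secret": secrets.token_bytes(20)}}
        self.sessions = {}          # cookie -> username
        self.used_codes = set()     # each one-time code is accepted only once

    def login(self, username: str, password: str, code: str, now: int):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        expected = totp(user["totp_secret"], now)
        if code in self.used_codes or not hmac.compare_digest(expected, code):
            return None
        self.used_codes.add(code)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie: str):
        """What the site believes about whoever presents this cookie."""
        return self.sessions.get(cookie)


class PhishingRelay:
    """Model of the fake page: the victim's input is forwarded to the real site in real time,
    and the session cookie the real site issues is retained by the relay."""

    def __init__(self, real_site: LegitimateSite):
        self.real_site = real_site
        self.captured = None

    def fake_login_page(self, username: str, password: str, code: str, now: int) -> bool:
        cookie = self.real_site.login(username, password, code, now)
        self.captured = (username, password, code, cookie)
        return cookie is not None   # the victim sees an apparently normal, successful login


def simulate() -> dict:
    """Run the exchange once and report what each party ends up with."""
    site = LegitimateSite()
    relay = PhishingRelay(site)
    now = int(time.time())
    # The victim reads this code from their own authenticator and types it into the fake page.
    code = totp(site.users["alice"]["totp_secret"], now)
    victim_ok = relay.fake_login_page("alice", "correct horse", code, now)
    _, _, stolen_code, stolen_cookie = relay.captured
    # Re-submitting the captured code later fails (it is one-time)...
    replay_cookie = site.login("alice", "correct horse", stolen_code, now)
    return {
        "victim_logged_in": victim_ok,
        "code_replay_works": replay_cookie is not None,
        # ...but the relay never needs to: it already holds a valid session.
        "relay_session_user": site.whoami(stolen_cookie),
    }


if __name__ == "__main__":
    print(simulate())
```

The one-time code proves that the person typing it holds the authenticator secret; it says nothing about which site they are typing it into. From the legitimate server's perspective the relay's submission is indistinguishable from the victim's, which is why detection has to look at where the login request and the subsequent session actually come from, rather than at whether the code was correct.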


“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, CEO of KnowBe4. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”


That system was created by hacker Kuba Gretzky, who subsequently named it evilginx. Gretzky also detailed the whole thing in a post on his website, which makes for quite the read.


The only protection that would work against this method of attack is to reduce the chance that users are phished in the first place, most likely through education. Technologically savvy users are unlikely to fall for such a hack, but users who do not know better are exactly the ones most easily lured to a fake website that looks like the real one, so the problem is very much one of education.


“This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense,” according to Sjouwerman. We couldn’t agree more.


Source: Redmond Pie

