Two-Factor Authentication Can’t Stop This Phishing Attack

Authentication with phone security key and password login. Vector illustration muti factor authentication cyber security concept.

KnowB4’s chief hacking officer Kevin Mitnick released a video that should send shudders down the spine of anyone using 2-factor authentication.

Implementing a standard attack mode, in this case a spoofed invitation to connect from
LinkedIn, Mitnick demonstrates how a hacker can bypass the multi-factor authentication by
dint of session recording malware.

This hack captures all the information needed for an account takeover: user name, password and the authenticated session cookie that is issued after 2-factor authentication has been completed by a user. That cookie allows an attacker to then simply insert the session code and make LinkedIn (or any other site) think that the attacker’s machine is legit. After all, it has a cookie that proves the authenticity of the page request.

The upshot: Employees need to be constantly drilled on the dangers of phishing.
We all have a built-in forgetter when it comes to this persistent, yet common, threat. Real-time tests are a must. While hacks are the third certainty in life, there are many ways to make your attackable surface smaller. Prime among them: continuing education. To borrow from Peter Drucker, culture continues to beat strategy when it comes to cybersecurity.

For a fascinating blow-by- blow of this hack, watch the video here.