Hackers Bypassing 2-Factor Authentication

Category: Blog, Security  |  Wednesday, May 9th, 2018

There is a scary new exploit out in the wild.

KnowBe4’s Chief Hacking Officer Kevin Mitnick reveals some startling news. A white hat hacker friend created a tool to bypass 2-factor authentication, and it can be weaponized for any site! This is officially scary.

There is a video demo, compliments of KnowBe4, and you can view it below.

This specific attack is based on proxying the user through the attacker’s system with a credentials phish that uses a typo-squatting domain. Once the user falls for this social engineering tactic and enters their credentials, the attacker’s proxy intercepts their authenticated session cookie, and it’s trivial to hack into the target’s account.

Video here. (6 min in length)

At the end of the video Kevin recommends: “Of course you need to have user education and training, that’s a no-brainer, but you also need to conduct simulated phishing attacks so you can inoculate your users against this type of risk. And more importantly, you have to Stop, Look and Think before you click that link.”

What Percentage Of Your Users Would Click On That Link?
Organizations are moving to 2FA to improve security. However, this video proves that using 2FA does not mean you are automatically protected. The Phish-prone percentage of your users remains your number one vulnerability, as employees continue to be the weakest link in your IT security, 2FA or not.

Phishing Security Test
EnhancedTECH now offers KnowBe4’s Security Awareness Training which provides:

  • Custom Phishing & Landing Pages
    Apart from the existing templates, you can customize scenarios based on personal information, creating targeted spear phishing campaigns. Each Phishing Template can also have its own Custom Landing Page, which allows for point-of-failure education and lets you specifically phish for sensitive information.
  • Detailed Reporting
    You’ll see reporting for phishing campaigns as well as a general overview of your last 5 campaigns, and you can drill-down into one-time and recurring campaigns for more detail.
  • Simulated Attachments
    Your customized Phishing Templates can also include simulated attachments in the following formats: Word, Excel, PowerPoint and PDF (also zipped versions of these files).
  • New Smart Groups
    With the powerful new Smart Groups feature, you can use each employee’s behavior and user attributes to tailor phishing campaigns, training assignments, remedial learning, and reporting.

Contact EnhancedTECH for more information at [email protected] or call us at 714-970-9330.

Samantha Keller

Director of Marketing and PR at EnhancedTECH
Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football. Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.