Cyber Safety Net - keeping you safe online.
2FA can be beaten

A new phishing attack method shows that even the mighty Two-Factor Authentication (2FA) can be beaten without needing to possess a user's mobile device. We'd like to think that using 2FA surrounds the logon process with such a high level of security that it can't be broken. But a recent phishing attack shows that a simple mix of social engineering and quick backend hacking can successfully work around the most basic form of 2FA: two-factor, SMS one-time password (OTP) authentication. Researchers at Certfa Labs recently identified the attack scheme created by the cybercriminal group Charming Kitten (who hacked HBO back in 2017). The phishing attack uses Google's Site Service (which uses the subdomain sites.google.com) to establish credibility and to deceive potential victims.

Fake notices to Google users

Users are initially ...

January 25, 2025 - Mark Anthony Germanos

12 Ways to Hack MFA

Special thank you to Author Roger Grimes, KnowBe4's Data-driven Defense Evangelist.

It was a standing room-only crowd when I gave it at Blackhat USA in Las Vegas this year, and I'm giving it again at this coming year's RSA. If you're interested in seeing it before then, do an Internet search on '12 Ways to Hack 2FA Grimes' and you are sure to get lots of opportunities to view one of the many previous presentations. It seems to have hit a digital nerve with computer defenders and end-users alike. I think the reason it is so interesting is that it is surprising to many people that multi-factor authentication (MFA) does not protect you from hackers (including simple phishing) as much as you would ...

January 25, 2025 - Mark Anthony Germanos