CyberScout is the nation’s premier consultative provider of identity and data risk management, resolution and education services.

Two-Factor Authentication Can’t Stop This Phishing Attack

May 11, 2018

KnowBe4’s chief hacking officer Kevin Mitnick released a video that should send shudders down the spine of anyone using 2-factor authentication.

Using a standard attack method, in this case a spoofed invitation to connect from LinkedIn, Mitnick demonstrates how a hacker can bypass multi-factor authentication by dint of session-recording malware.

This hack captures all the information needed for an account takeover: user name, password and the authenticated session cookie that is issued after 2-factor authentication has been completed by a user. That cookie allows an attacker to then simply insert the session code and make LinkedIn (or any other site) think that the attacker’s machine is legit. After all, it has a cookie that proves the authenticity of the page request.
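The cookie replay described above works because the site accepts the cookie from any machine. As an added example (not from the original post or from any site's real code), here is a server-side check that binds a session to the client context seen when 2-factor authentication completed and revokes it on a mismatch. All names, addresses and user-agent strings are constructed, and it assumes the cookie was issued to the victim's machine and replayed from another one.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
SESSIONS = {}                          # session id -> {"user", "fp"}


def _fingerprint(client_ip, user_agent):
    """Keyed hash of the client context. Assumes IPv4; only the /24 is
    kept so small address changes on one network do not end the session."""
    network = ".".join(client_ip.split(".")[:3])
    msg = f"{network}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(user, client_ip, user_agent):
    """Call only after password AND second factor have been verified."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": _fingerprint(client_ip, user_agent)}
    return sid


def check_request(sid, client_ip, user_agent):
    """Return (decision, user) for a request presenting session cookie sid."""
    record = SESSIONS.get(sid)
    if record is None:
        return ("reauthenticate", None)
    presented = _fingerprint(client_ip, user_agent)
    if not hmac.compare_digest(record["fp"], presented):
        # Same cookie, different machine: treat as replay. Revoke the
        # session so the copy is useless, and report the affected user.
        del SESSIONS[sid]
        return ("revoked_context_mismatch", record["user"])
    return ("allow", record["user"])


if __name__ == "__main__":
    victim_ua = "Mozilla/5.0 (constructed victim UA)"
    sid = issue_session("alice", "198.51.100.23", victim_ua)
    print(check_request(sid, "198.51.100.40", victim_ua))      # same network
    print(check_request(sid, "203.0.113.77", "constructed attacker UA"))
    print(check_request(sid, "198.51.100.23", victim_ua))      # after revoke
```

Context binding is a heuristic: legitimate users who change networks will be asked to sign in again, and it does not help when the replay comes from the same network and browser context as the original login.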

The upshot: Employees need to be constantly drilled on the dangers of phishing.

We all have a built-in forgetter when it comes to this persistent, yet common, threat. Real-time tests are a must. While hacks are the third certainty in life, there are many ways to make your attackable surface smaller. Prime among them: continuing education. To borrow from Peter Drucker, culture continues to beat strategy when it comes to cybersecurity.

For a fascinating blow-by-blow of this hack, watch the video here.
