2-factor authentication may be hackable, expert says

2-factor authentication may be hackable, expert says 105660992 1546641627751closeupcode

2-factor authentication may be hackable, expert says 468x60 club cash banner


This code shows a session cookie, which Kevin Mitnick, the chief hacking officer at KnowBe4, a cybersecurity company that trains people to spot phishing, or spoofed emails, says can be used to bypass two-factor authentication.

Mitnick showed CNBC that he was able to enter that code into his browser. “When I hit refresh I’m going to be magically logged into the victims account,” he said.

Mitnick used LinkedIn to demo the attack for CNBC, but said many other websites are also vulnerable. The email he clicked on looked like a real LinkedIn connection request — but actually came from a fake domain, He said most people may not realize the difference.

“It’s not LinkedIn that’s vulnerable. It’s the actual user… It’s a security flaw with the human,” Mitnick said.

In a statement, Mary-Katharine Juric, a LinkedIn spokesperson, told CNBC that the professional network took Mitnick’s demonstration “very seriously,” and that LinkedIn has “a number of technical measures in place to protect our members from fraudulent activity including phishing scams.”

She added: “When we detect this type of activity, we work to quickly remove it and prevent future re-occurrences. We strongly encourage members to report any messages or postings they believe are scams, and utilize our member help center as a resource to educate and protect themselves from frauds online.”

This attack is part of what is known as social engineering, when hackers take advantage of human behavior to get you to do something, like click on a link. Another way to protect yourself is to pay close attention to email you get, even if you use two-factor authentication.

“Social engineering if you do it right can be used to get into almost anything,” said Stu Sjouwerman, KnowBe4’S CEO.

To protect from attacks like this one, some companies are making tools called security keys.

Instead of sending a code to your cell phone, security keys — which look like a keychain — contain a hardware chip, and use Bluetooth or USB to be the additional factor needed to log into your account. Recently, Google released its own version of the device, which it calls the Titan Security Key.

Source : CNBC

Related posts

Manchester United vs Barcelona LIVE STREAM: How to watch Champions League online


OnePlus 7 has already achieved a massive victory ahead of its release


As Galaxy S9 deals continue Samsung releases ‘critical’ update for this popular phone


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.