Two-factor authentication (2FA), aka two-step verification, has long been considered an essential step for securing our online accounts.
With 2FA enabled, you add another layer of security to your accounts: besides your password, you must enter a one-time code, typically sent via text message or generated by an authentication app. It’s like the bank or DMV asking for two forms of ID. The idea is that a hacker will have a much harder time getting both forms of ID, and that’s true.
But is two-factor authentication still as secure as everyone originally thought? As usual, hackers and cybercriminals will always find a way to circumvent it. Read on to learn why this new attack can be devastating.
Two-factor authentication can be hacked
Black hat turned white hat hacker and KnowBe4 head Kevin Mitnick said that two-factor authentication is not as secure as previously thought and it is vulnerable to simple phishing attacks.
If Mitnick’s name sounds familiar it’s because he led the FBI on a manhunt in the mid-1990s. Back then, he was one of the most notorious black hat hackers in the world and hacked into a bunch of large corporations. He was eventually caught and spent over four years in prison.
Now, he works with various companies to discover and fix security vulnerabilities in their computer systems.
Mitnick recently demonstrated the exploit to CNBC and showed how hackers can send a user to a fake login page to spoof two-factor authentication code requests, then steal usernames, passwords and, more importantly, session cookies.
The particular attack technique was first revealed by white hat hacker Kuba Gretzky and it is now known as evilginx. Mitnick warned that the tools to recreate this attack are now publicly available.
How the attack works
The attack starts with a phishing email or instant message with a link that closely resembles the domain name of a legitimate website, except for a letter or two. This devious tactic is known as typosquatting.
For example, instead of LinkedIn.com, a hacker can send a link from “LunkedIn.com” (notice the “u” instead of the “i”) hoping that it’s enough to fool a would-be victim.
Once the victim clicks the link, they are passed on to the real site, with the hacker’s site sitting in the middle and relaying everything between the two.
When the victim enters their login name, password and two-factor authentication codes, the hacker can then intercept and steal the login name, password and more importantly, the session cookie associated with the account.
Once this data is in the hacker’s hands, they can use the session cookie to log in as the victim for as long as that session stays valid, without needing the login credentials or any two-factor authentication codes.
Basically, it’s another clever phishing attack built on social engineering. This time, though, it shows that even the security mechanism that supposedly protects us from phishing is vulnerable to phishing itself.
How to protect yourself from this attack
Since this attack starts out as a regular phishing attack, all the strategies against these types of scams are likewise recommended:
Be cautious with links – If you get an email or notification from a site that you find suspicious, don’t click on its links. It’s better to type the website’s address directly into a browser than to click on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
Double check the URL spelling – When typing a URL into your browser, take the time to verify you’re spelling it correctly. With typosquatting, misspelling a URL could lead to a phishing scam.
Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Before clicking on a link, hover over it and check for spelling. The safest move is to type the URL into your browser, with the correct spelling of course.
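The three checks above (does the link go where it says, is the domain spelled exactly right, is it one letter off from a site you know) can be automated. The following is an added example, not code from the article or from any tool it mentions: it folds look-alike characters, measures how far a domain is from an allowlist of sites you actually use, and flags links whose visible text names a different domain than their real destination. The allowlist, the confusable table and the sample links are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed allowlist of sites the reader actually has accounts with.
KNOWN_DOMAINS = {"linkedin.com", "google.com", "paypal.com"}

# Character swaps common in lookalike names (constructed, deliberately short).
# Multi-character entries come first so they are folded before single letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def registrable_domain(url):
    """Lower-cased host reduced to its last two labels. Good enough for .com-style
    names; a mail gateway would consult the Public Suffix List instead."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def fold(label):
    """Replace characters that look alike so 'paypa1' and 'paypal' compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance; domain labels are short, so O(len a * len b) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(url):
    """'trusted' for an exact allowlist hit, 'lookalike' when the name is one edit
    (after confusable folding) away from an allowlisted name on the same TLD,
    otherwise 'unknown'. Returns (verdict, allowlisted domain or None)."""
    dom = registrable_domain(url)
    if dom in KNOWN_DOMAINS:
        return "trusted", dom
    name, _, tld = dom.rpartition(".")
    for known in sorted(KNOWN_DOMAINS):
        kname, _, ktld = known.rpartition(".")
        if tld == ktld and (fold(name) == fold(kname) or edit_distance(name, kname) <= 1):
            return "lookalike", known
    return "unknown", None


def display_mismatch(text, href):
    """The article's hover test, automated: if the visible link text itself looks
    like an address, its domain must agree with where the link really goes."""
    shown = text.strip()
    if "://" not in shown and "." in shown and " " not in shown and not shown.endswith("."):
        shown = "https://" + shown
    if "://" not in shown:
        return False  # plain words such as "Read more" carry no address to compare
    return registrable_domain(shown) != registrable_domain(href)


def audit_links(links):
    """links: iterable of (visible text, href). Returns one finding per link."""
    findings = []
    for text, href in links:
        verdict, matched = classify_domain(href)
        findings.append({
            "href": href,
            "verdict": verdict,
            "looks_like": matched,
            "text_mismatch": display_mismatch(text, href),
        })
    return findings


# Constructed sample links, as they might appear in a suspicious message.
SAMPLE_LINKS = [
    ("linkedin.com", "https://www.linkedin.com/login"),
    ("https://www.linkedin.com/login", "https://LunkedIn.com/login"),
    ("Confirm your account", "https://paypa1.com/verify"),
    ("Read more", "https://example.org/news"),
]

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_LINKS):
        print(finding)
```

The second sample link is the article’s own LunkedIn.com case: it is flagged both as a look-alike of linkedin.com and because its visible text claims a different domain than its real target. A verdict of "unknown" is not a pass; it only means the domain is not near anything on the allowlist, which is why the article’s advice to type known addresses yourself still applies.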
Keep in mind that this attack, if successful, steals session cookies, so it doesn’t matter if you’re using SMS text message or authenticator app codes as your two-factor authentication method. Your best line of defense is not to fall victim to phishing scams in the first place.
Perhaps the ultimate defense against these types of attacks is to skip code-based two-factor authentication altogether and rely on hardware USB security keys instead.
These types of hardware security keys are starting to become popular with some online services.
In fact, Google introduced its own brand of security hardware last year with the launch of its Titan Security Keys.
And with the evilginx attack now in the open, we are expecting more companies to follow suit.
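Why a security key resists the relay described under “How the attack works” when a typed code does not comes down to origin binding: the browser, not the page, decides which site a key may sign for and records the true page address inside the signed data. The following is an added simulation, not code from the article, from Google’s Titan keys, or from evilginx; it models the WebAuthn flow with an HMAC secret standing in for the key’s per-site key pair, and the domains, challenge and scenario names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os

# Constructed example values, not taken from the article's sources.
REAL_ORIGIN = "https://linkedin.com"
REAL_RP_ID = "linkedin.com"
PHISH_ORIGIN = "https://lunkedin.com"  # the article's typosquat example

def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]

class SecurityKey:
    """Stand-in for a hardware key. A real key holds one asymmetric key pair per
    site; here an HMAC secret per rpId plays that role so the example needs only
    the standard library. The origin-binding logic is the same either way."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        secret = os.urandom(32)
        self._creds[rp_id] = secret
        return secret  # given to the site at enrolment (stands in for the public key)

    def get_assertion(self, rp_id, client_data_hash):
        secret = self._creds.get(rp_id)
        if secret is None:
            return None  # nothing was ever enrolled for this rpId
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig

class OriginMismatch(Exception):
    pass

def browser_get(key, page_origin, rp_id, challenge):
    """The browser side of navigator.credentials.get(): it refuses an rpId that is
    not the page's host (or a parent domain of it), and it writes the page's true
    origin into clientDataJSON itself, where page script cannot alter it."""
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise OriginMismatch(f"rpId {rp_id!r} is not valid for {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    assertion = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if assertion is None:
        return None
    auth_data, sig = assertion
    return client_data, auth_data, sig

def rp_verify(secret, expected_challenge, client_data, auth_data, sig):
    """The site's checks on a returned assertion, in the order WebAuthn lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:  # the check a relaying proxy cannot satisfy
        return False
    if auth_data != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(secret, signed, hashlib.sha256).digest())

def run_scenarios():
    key = SecurityKey()
    secret = key.register(REAL_RP_ID)
    challenge = "c0ffee"  # constructed; real challenges are random per login
    results = {}
    # 1. Genuine login in a tab that is really on linkedin.com.
    cd, ad, sig = browser_get(key, REAL_ORIGIN, REAL_RP_ID, challenge)
    results["genuine"] = rp_verify(secret, challenge, cd, ad, sig)
    # 2. Proxy relays the real site's request unchanged (rpId linkedin.com), but
    #    the victim's tab is on lunkedin.com: the browser refuses outright.
    try:
        browser_get(key, PHISH_ORIGIN, REAL_RP_ID, challenge)
        results["proxy_same_rpid"] = "assertion produced"
    except OriginMismatch:
        results["proxy_same_rpid"] = "browser refused"
    # 3. Proxy rewrites rpId to its own domain: the key has no credential for it.
    results["proxy_rewritten_rpid"] = browser_get(key, PHISH_ORIGIN, "lunkedin.com", challenge)
    # 4. Defence in depth: an assertion whose clientDataJSON names the phishing
    #    origin fails the site's own origin check even if it reached the server.
    bad_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    ad2, sig2 = key.get_assertion(REAL_RP_ID, hashlib.sha256(bad_cd).digest())
    results["forged_origin"] = rp_verify(secret, challenge, bad_cd, ad2, sig2)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a six-digit code: the victim types it into the proxy’s page, the proxy forwards it unchanged, and the real site has no way to tell where it was typed. The key’s signature, by contrast, carries the page address the browser observed, so a relayed login fails at step 2, 3 or 4 no matter how faithfully the proxy copies the real site. This is also why the session cookie matters in the article’s attack: it is issued only after a successful login, which the key prevents.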