Hacker beats two-factor authentication with phishing attack

Newsfeed · May 10, 2018

Hacker beats two-factor authentication with phishing attack

A security researcher has developed a social engineering attack to bypass two-factor authentication, TechCrunch reported.

Hacker Kevin Mitnick produced a video on YouTube showing how the exploit works by sending victims to a fake login page.

Ninja'd · May 10, 2018

THREE-FACTOR!

gregmcc · May 10, 2018

That's the problem with session cookies. With that you have the skeleton key to everything.

CataclysmZA · May 10, 2018

Hacker Kevin Mitnick produced a video on YouTube showing how the exploit works by sending victims to a fake login page.

This really isn't very impressive, or new. MITM attacks allow this sort of thing to happen.

Like, bravo, you've succeeded in spoofing a website and luring visitors into giving up their credentials. Well done. Here's a noddy badge.

Gordon_R · May 10, 2018

For anyone who doesn't know, Kevin Mitnick is the original hacker: https://en.wikipedia.org/wiki/Kevin_Mitnick

MrGray · May 10, 2018

Logical, I suppose. If a phishing site can "relay" your user/pass, it can also relay the 2FA request and response. Hopefully, they will come up with some way to thwart this soon, perhaps some way of encoding the real server's public SSL key and IP address into the 2FA so that it will only work when that is valid.

MrGray · May 10, 2018

CataclysmZA said:
This really isn't very impressive, or new. MITM attacks allow this sort of thing to happen.

Like, bravo, you've succeeded in spoofing a website and luring visitors into giving up their credentials. Well done. Here's a noddy badge.

No need to be cynical. The problem is that most people have been mislead into believing that if they have to use 2FA to login it's rock solid, and this is a more complicated variation on the normal phishing exploit as it requires a two way transfer of information when most phishing attacks simply relay the auth details one way. If nothing else, this is important awareness.

Knyro · May 10, 2018

Gordon_R said:
For anyone who doesn't know, Kevin Mitnick is the original hacker: https://en.wikipedia.org/wiki/Kevin_Mitnick

Haha no. The original hackers are the members of the MIT tech model railroad club in the 60s and guys like John Draper.

gregmcc · May 10, 2018

Gordon_R said:
For anyone who doesn't know, Kevin Mitnick is the original hacker: https://en.wikipedia.org/wiki/Kevin_Mitnick

Been following him since the beginning. Some interesting stories. Government thought he could launch the nukes by whistling the codes down the phone

supersunbird · May 10, 2018

garp said:
Logical, I suppose. If a phishing site can "relay" your user/pass, it can also relay the 2FA request and response. Hopefully, they will come up with some way to thwart this soon, perhaps some way of encoding the real server's public SSL key and IP address into the 2FA so that it will only work when that is valid.

Capitec works like this, if you want to pay an existing beneficiary you have to enter new OTP, to add and pay a new beneficiary, they would need to get your secondary authentication 3 times, login, adding and paying.

ActivateD · May 10, 2018

https://github.com/ustayready/CredSniper has been doing this for some time now.

NeoAcheron · May 10, 2018

Nothing new about this, it's a man-in-the-middle attack. Nothing new, nothing to see here, internet 101...

SYNERGY · May 10, 2018

Kevin Mitnick? Guys a legend.

Join the MyBroadband community

Get started

Hacker beats two-factor authentication with phishing attack

Newsfeed

MyBroadband Newsfeed

Ninja'd

A Djinn

gregmcc

Honorary Master

CataclysmZA

Executive Member

Gordon_R

Honorary Master

MrGray

Honorary Master

MrGray

Honorary Master

Knyro

PhD in Everything

gregmcc

Honorary Master

supersunbird

Honorary Master

ActivateD

Expert Member

NeoAcheron

Well-Known Member

SYNERGY

Executive Member