We are switching to two-factor authentication (2FA) to secure our data and systems, but does it provide fool-proof security?
No, according to Kevin Mitnick, a security researcher at KnowBe4, it is very easy to deceive this defensive measure.
While showcasing his new exploit, he proved that hackers could easily spoof 2FA requests by sending users a fake login page that appears legitimate to the victim. This can expose sensitive data such as the username, password and session cookie.
2FA, famously known as "multi-factor authentication", adds an extra layer of security: it requires not only a username and password but also something only the user has at that moment, such as a phone to which a code or one-time password (OTP) is sent.
“Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization,” said Kuba Gretzky, a white hat hacker.
“The tool is called evilginx. The attack method is based upon proxying the user via the hacker’s system through a credentials phishing technique, which requires the use of a typo-squatting domain. The idea is to let the user give away his/her credentials so that the hacker could steal a session cookie,” added Gretzky.
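The quote above describes why proxying the user through a typo-squatting domain defeats code-based 2FA: the OTP says nothing about which site it was typed into, so a proxy can forward it unchanged. The toy model below is an added example, not code from the article or from the evilginx project; it uses HMAC as a stand-in for a device key, and the origins, secrets and counter values are constructed. It shows the relay succeeding against an OTP factor and failing against a factor that signs over the origin the browser actually sees (the property phishing-resistant authenticators rely on).

```python
# Added example: why a relaying proxy passes OTP-based 2FA but not an origin-bound factor.
# All secrets, origins and counters are constructed for illustration only.
import hashlib
import hmac
import json

LEGIT_ORIGIN = "https://login.example.com"   # assumed genuine login site
PROXY_ORIGIN = "https://login.examp1e.com"   # assumed typo-squatting proxy domain

OTP_SECRET = b"constructed-shared-otp-secret"
DEVICE_KEY = b"constructed-device-key"       # stands in for an authenticator's private key


def otp_for(counter: int) -> str:
    """Counter-based code; nothing in it names the site the user is typing it into."""
    return hmac.new(OTP_SECRET, str(counter).encode(), hashlib.sha256).hexdigest()[:6]


def server_verify_otp(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, otp_for(counter))


def device_sign(challenge: str, origin_seen_by_browser: str) -> str:
    """Origin-bound factor: the browser feeds the page's origin into the signed message."""
    msg = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser}).encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def server_verify_bound(challenge: str, signature: str) -> bool:
    """The real site recomputes over ITS OWN origin, so a signature made on another origin fails."""
    expected = device_sign(challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(signature, expected)


def relay_otp(counter: int) -> bool:
    """Victim enters the code on the proxy page; the proxy forwards it verbatim."""
    code_from_victim = otp_for(counter)
    return server_verify_otp(code_from_victim, counter)


def relay_bound(challenge: str) -> bool:
    """Victim's browser signs over the origin it really sees: the proxy domain."""
    sig_from_victim = device_sign(challenge, PROXY_ORIGIN)
    return server_verify_bound(challenge, sig_from_victim)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", relay_otp(7))      # True
    print("Origin-bound factor relayed accepted:", relay_bound("c1"))  # False
```

The session cookie issued after a successful OTP login is what the proxy captures; an origin-bound factor never lets the login complete, so no cookie is issued.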