People are still the last line of defense in social engineering attacks
KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform, today announced that its chief hacking officer Kevin Mitnick revealed a new exploit that hacks two-factor authentication.
Two-factor authentication (2FA) is an extra layer of security that requires something an employee HAS and something they KNOW. For instance a combination password/username as well as something that only the user has like a code that was sent to them or they pulled from an app on their phone. This particular new attack is based on proxying the user through the attacker’s system with a credentials phish that uses a typo-squatting domain. Once the user falls for this social engineering tactic and enters their credentials, their authenticated session cookie gets intercepted and it is trivial to hack into the account.
Organizations are moving to 2FA to improve security, and they *should* but it’s not foolproof. A video link on the KnowBe4 blog demonstrating this exploit shows that using 2FA does not mean a user is automatically protected.
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, CEO, KnowBe4. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization. This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense.”
For more information on KnowBe4, please visit www.knowbe4.com.
About KnowBe4
KnowBe4, the provider of the world’s largest integrated new-school security awareness training and simulated phishing platform, is used by more than 17,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s training based on his well-documented social engineering tactics. Thousands of organizations trust KnowBe4 to mobilize their end-users as the last line of corporate IT defense.
Number 231 on the 2017 Inc. 500 list, #70 on 2017 Deloitte’s Technology Fast 500 and #6 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is headquartered in Tampa Bay, Florida with European offices in England and the Netherlands.