
Two-Factor Authentication and Phishing Attacks: Kevin Mitnick’s Warning

White Hat Hacker Kevin Mitnick
Two-factor authentication (2FA) does not provide automatic protection against phishing attacks, according to Kevin Mitnick, chief hacking officer at security awareness training platform company KnowBe4.
In fact, 2FA can be used to launch a cyberattack against any website, Mitnick said in a prepared statement.
Cybercriminals can use phishing emails that appear to come from LinkedIn and other popular websites requiring 2FA, Mitnick indicated. Once a recipient clicks the malicious link in the message, they are asked for their account login information. After they enter it, a 2FA code is sent to their mobile device. Finally, the recipient enters that 2FA code on a verification screen, which grants account access.
In such an attack, the cybercriminals capture the victim's session cookie, Mitnick pointed out. This means 2FA attacks can be used to compromise user accounts on LinkedIn and other websites.
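As an added example (not from the article or from KnowBe4), the following toy model shows why the relay described above works against a one-time code but not against a second factor that signs the challenge together with the origin the browser actually shows; the site, origins, key and password are all constructed for the demonstration.

```python
# Added example, not from the article: a toy model of the relay Mitnick describes.
# A phishing proxy forwards the victim's password and SMS code to the real site and
# keeps the session cookie; the same relay fails when the second factor is a signature
# over the challenge and the origin the browser shows. All values are constructed.
import hashlib
import hmac
import secrets

DEVICE_KEY = b"constructed-authenticator-key"     # shared with the site at enrollment
REAL_ORIGIN = "https://www.linkedin.com"
PHISH_ORIGIN = "https://linkedin-login.invalid"    # constructed lookalike domain
PASSWORD = "constructed-password"

def sign(challenge, origin):
    # The user's authenticator signs the challenge bound to the origin it is shown.
    msg = f"{origin}|{challenge}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()

class Site:
    """Legitimate site: password first, then one of two kinds of second factor."""

    def __init__(self):
        self.otp = self.challenge = None

    def start_login(self, password):
        if password != PASSWORD:
            return None
        self.otp = f"{secrets.randbelow(10**6):06d}"   # what the SMS would carry
        self.challenge = secrets.token_hex(16)         # what an origin-bound factor signs
        return self.otp, self.challenge

    def finish_with_otp(self, code):
        # Any matching code is accepted, no matter which page the user typed it into.
        return secrets.token_hex(16) if code == self.otp else None   # session cookie

    def finish_with_assertion(self, signature):
        expected = sign(self.challenge, REAL_ORIGIN)   # only the real origin verifies
        return secrets.token_hex(16) if hmac.compare_digest(signature, expected) else None

def relay_otp(site):
    """Proxy relays password and SMS code typed on the phishing page; returns cookie."""
    otp, _ = site.start_login(PASSWORD)
    return site.finish_with_otp(otp)

def relay_assertion(site):
    """Proxy relays the challenge; the device signs it for the phishing origin."""
    _, challenge = site.start_login(PASSWORD)
    return site.finish_with_assertion(sign(challenge, PHISH_ORIGIN))
```

The relayed code yields a session cookie, while the relayed origin-bound assertion is rejected because the signature covers the lookalike domain rather than the real one.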
How Can Organizations Limit the Impact of 2FA Attacks?
Education and training are key for organizations that want to minimize the effects of 2FA attacks, according to Mitnick. If organizations develop and deploy cybersecurity training programs and update these programs regularly, they can teach employees how to identify 2FA attacks and other advanced cyberattacks before they escalate.
In addition, conducting simulated phishing attacks enables an organization to understand its cyber risks, Mitnick noted. These simulated attacks allow an organization to assess the short- and long-term ramifications of cyberattacks and update its cybersecurity strategy accordingly.
KnowBe4’s Market Focus, Talent
KnowBe4 offers a security awareness training and simulated phishing platform designed to help organizations address social engineering attacks. The KnowBe4 platform is used by over 17,000 organizations worldwide, and the company is taking steps to further expand its global reach.
Mitnick, meanwhile, is well-known within hacking circles for his cybercrimes and run from justice in the 1990s. He flipped roles and became a white hat hacker in 2003, building a consulting business and a penchant for public speaking along the way. He works with a range of companies, including a KnowBe4 relationship that stretches back to 2012, according to his LinkedIn bio.
KnowBe4 has made additional talent grabs in recent months. Roger Grimes, a 30-year computer security consultant and cybersecurity expert, this week joined the company as a data-driven defense evangelist.
Also, KnowBe4 this month appointed Jeffrey de Graaf as its managing director of EMEA. de Graaf, who possesses more than 20 years of experience as a sales and marketing professional with IT security and channel relations expertise, will drive security awareness training expansion across the EMEA region.
FULL DISCLOSURE: My company holds two patents on an SMS-based 2FA that eliminates this problem so this is NOT an unbiased or objective opinion.
The real problem here, as it always is with SMS-based 2FA where a message is sent to the user, is exactly that: that the message is sent TO the user.
Text messages sent to phones are, by definition, both unencrypted and easy to intercept, as Mr. Mitnick has amply demonstrated. The answer to this problem is to reverse the process and have the user authenticate their login or identity by sending a message FROM their phone.
Here’s why this works: the U.S. short code system eliminates spoofing of phone numbers thanks to the carriers. Cloning/spoofing/duplicating SIMs and IMEIs is a problem for carriers for a simple reason: they lose money when someone doesn’t pay for another line. They solved this problem long ago by implementing a barrier that has yet to be successfully hacked.
This more secure approach reverses the process by having the user send a text from their device into an independent third-party server. The server then makes a secure handshake with the web page where the authentication is occurring. This completely eliminates the type of attack Mr. Mitnick successfully used (man-in-the-middle or man-in-the-browser) and confirms that the inbound SMS has come from the right number, registered IMEI and contains the right code. I welcome Mr. Mitnick to test the system. I will be happy to provide him with complete information about it and give him a test account.
Nothing is unhackable (although ours has not yet been successfully hacked) but we are confident that SnapID is substantially LESS hackable than any other SMS-based 2FA method on the market.
If it wasn’t hard enough to get people to adopt new cybersecurity practices!! This will be fun. We are a NY-based insurance company that needs to comply with 23 NYCRR Part 500, and 2FA is essential. We use an MSP that uses a multi-layered security approach to deal with things like this; in case there is a failure in something like 2FA, they monitor for geo-diverse logins. I like these guys and they know what they are doing, so if anyone out there is looking for a great MSSP, check out these guys. https://www.dcsny.com
Scott, Mike: Thank you both for adding your views to the conversation. Let us know how your 2FA efforts play out, especially as they pertain to learnings for the MSSP ecosystem.
-jp
I just wanted to follow up on this thread from 2018. The reality is that our company did follow through with the MSP (https://www.dcsny.com), which really worked out well. Our entire team is using MFA on any systems at this point, all data is encrypted, and we have successfully passed several DFS audits, and we are in full compliance. It is an evolution and change in culture, ultimately making the difference and having a great IT partner like Delaney Computer Services, Inc. One important note: the real improvement beyond the technical services and new gear was implementing ongoing cybersecurity awareness training for our team. This is what ultimately helped to change the security culture here. More info on the cyber training here: https://www.dcsny.com/cybersecurity-services/cybersecurity-awareness-training/
Mike: Thanks for providing the additional context/follow-up.
-jp