Two-factor authentication (2FA) does not provide automatic protection against phishing attacks, according to Kevin Mitnick, chief hacking officer at security awareness training platform company KnowBe4.
In fact, 2FA can be used to launch a cyberattack against any website, Mitnick said in a prepared statement.
Cybercriminals can use phishing emails associated with LinkedIn and other popular websites that require 2FA, Mitnick indicated. Once an email recipient clicks on a malicious link in a message, this individual will be asked for his or her account login information. After the email recipient enters his or her login information, a 2FA code will be sent to this individual's mobile device. Lastly, the 2FA code can be entered on a verification screen to provide account access.
With the aforementioned phishing attack, cybercriminals can steal session cookies, Mitnick pointed out. This means cybercriminals can use 2FA attacks to hack user accounts on LinkedIn and other websites.
How Can Organizations Limit the Impact of 2FA Attacks?
Education and training are key for organizations that want to minimize the effects of 2FA attacks, according to Mitnick. If organizations develop and deploy cybersecurity training programs and update these programs regularly, they can teach employees how to identify 2FA attacks and other advanced cyberattacks before they escalate.
In addition, conducting simulated phishing attacks enables an organization to understand its cyber risks, Mitnick noted. These simulated attacks allow an organization to assess the short- and long-term ramifications of cyberattacks and update its cybersecurity strategy accordingly.
KnowBe4's Market Focus, Talent
KnowBe4 offers a security awareness training and simulated phishing platform designed to help organizations address social engineering attacks. The KnowBe4 platform is used by over 17,000 organizations worldwide, and the company is taking steps to further expand its global reach.
Mitnick, meanwhile, is well-known within hacking circles for his cyber crimes and run from justice in the 1990s. He flipped roles and became a white hat hacker in 2003, building a consulting business and a penchant for public speaking along the way. He works with a range of companies, including a KnowBe4 relationship that stretches back to 2012, according to his LinkedIn bio.
KnowBe4 has made additional talent grabs in recent months. Roger Grimes, a computer security consultant and cybersecurity expert with 30 years of experience, joined the company this week as a data-driven defense evangelist.
Also, KnowBe4 this month appointed Jeffrey de Graaf as its managing director of EMEA. De Graaf, who has more than 20 years of experience as a sales and marketing professional with IT security and channel relations expertise, will drive security awareness training expansion across the EMEA region.