2FA is a method of authentication that brings an extra dish of security with it to the proverbial information security potluck. Instead of relying solely on the traditional combination of a username and password, 2FA schemes require that users authenticate with the following:

It is not as common as one-way authentication but is more secure.

Top 6 techniques for attacking two-factor authentication

1. Social engineering

Without a doubt, the top technique to attack 2FA is social engineering. 2FA relies heavily on knowledge that only the user has, and when a website or service that uses 2FA is seemingly not working, users naturally reach out to tech support. Attackers have been observed social engineering tech support in order to get the user's password reset or to steal sensitive information related to 2FA. This is a natural point of vulnerability for 2FA: any tech support interaction makes the disclosure of sensitive user information near inevitable, often after just a few questions (or none at all, if the user volunteers the information).

2. Cookie session hijacking

Cookie session hijacking has been with us since the dawn of networked computers. It has been said that there are hundreds of ways to perform cookie session hijacking even if 2FA is used for authentication. A recently publicized method for performing this technique was demonstrated by hacking expert Kevin Mitnick, using a man-in-the-middle attack framework called evilginx. The attack involves tricking a victim into visiting a typo-squatted domain that presents a proxied copy of the real login page; the victim's interaction with it allows evilginx to capture the login credentials and the one-time authentication code, which are passed straight through to the legitimate site. The end result is a captured session cookie, which the attacker can use for as long as the server keeps that session alive, with no further prompt for a second factor.