
Hacker Proves Bypassing Two-Factor Authentication Is Easy

All you need is a user who doesn't check domain names carefully before clicking.

By Matthew Humphries, Former Senior Editor


Passwords remain a security feature we all have to deal with. Password managers have made them easier to handle, but they aren't perfect. Two-factor authentication (2FA) is seen as a way of greatly improving security, but it turns out bypassing it is pretty simple.

As TechCrunch reports, Kevin Mitnick, Chief Hacking Officer at security awareness training company KnowBe4, has released a video demonstrating how easy it is to grab a LinkedIn user's details: he redirects them to a website that looks like LinkedIn and turns 2FA against them to steal both their login credentials and their access to the site.

The attack is simple. It requires an email that looks "right" for the website being targeted, so that the recipient doesn't take the time to check the domain it was sent from. In the example in the video, the email actually comes from llnked.com rather than the legitimate linkedin.com.

Clicking the "Interested" button in the email takes the user to a website that looks just like the LinkedIn login page but is on the llnked.com domain. This is another point at which a suspicious user will stop, but most are just eager to get on to the site, so they fill in their details and click Sign in. That triggers the 2FA check, which, once the right code is entered, creates a session cookie allowing access to the site.
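The one thing the user is asked to notice in this attack is the difference between llnked.com and linkedin.com. As an added example (not code from PCMag, KnowBe4 or Mitnick), here is a small mail-gateway style check in Python that flags sender and link domains that sit one or two confusable characters away from a protected brand domain. The protected-domain list, the confusable table, the distance threshold and the sample message are all constructed for the demonstration; the last-two-labels rule for the registrable domain is a deliberate simplification, and a real deployment would use the public suffix list instead.

```python
"""Flag sender and link domains that look like a protected brand domain.

Added example for this article; not code from PCMag, KnowBe4 or Kevin Mitnick.
The protected-domain list, the confusable table and the sample message are
all constructed for the demonstration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed: brand domains the mail gateway should protect.
PROTECTED_DOMAINS = ("linkedin.com", "microsoft.com")

# Constructed: character swaps that are hard to spot in a sans-serif font
# (the article's llnked.com swaps 'l' for 'i'). Applied in this order.
CONFUSABLES = (("l", "i"), ("1", "i"), ("0", "o"), ("rn", "m"), ("vv", "w"))

# Maximum edit distance (after confusable folding) still treated as a lookalike.
MAX_DISTANCE = 2


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels of a hostname.

    Good enough for .com brands; a production check would use the public
    suffix list so that names under co.uk and similar are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Rewrite confusable characters so 'llnked' and 'linked' compare as equal."""
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> tuple[str, str | None]:
    """Return ('legit', brand), ('lookalike', brand) or ('unrelated', None)."""
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "legit", domain
    name = fold_confusables(domain.split(".")[0])
    for brand in PROTECTED_DOMAINS:
        brand_name = fold_confusables(brand.split(".")[0])
        if levenshtein(name, brand_name) <= MAX_DISTANCE:
            return "lookalike", brand
    return "unrelated", None


def sender_domain(address: str) -> str:
    """Extract the domain part of an e-mail address such as 'Name <user@host>'."""
    return address.rpartition("@")[2].strip("<> ")


def scan_message(message: dict) -> list[dict]:
    """Check the From: domain and every link host; return only lookalike findings."""
    candidates = [("from", sender_domain(message["from"]))]
    for url in message.get("links", []):
        host = urlsplit(url).hostname
        if host:
            candidates.append(("link", host))
    findings = []
    for where, host in candidates:
        verdict, brand = classify_domain(host)
        if verdict == "lookalike":
            findings.append({"where": where, "host": host, "impersonates": brand})
    return findings


# Constructed sample modelled on the article's description: the mail claims to
# be a LinkedIn job notification but every domain is llnked.com or a subdomain
# of it, including one that puts "linkedin.com" in front as a subdomain.
SAMPLE_MESSAGE = {
    "from": "Jobs <jobs@llnked.com>",
    "links": [
        "https://www.llnked.com/jobs/interested?id=123",
        "https://linkedin.com.llnked.com/login",
    ],
}

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(f"{finding['where']}: {finding['host']} impersonates {finding['impersonates']}")
```

The check is deliberately run on the registrable domain rather than the full hostname, so that a link such as linkedin.com.llnked.com is judged by llnked.com and not by the brand name the attacker placed in front of it. Confusable folding happens on both sides of the comparison, which is why llnked and linkedin end up only two edits apart.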

During this process it is possible to steal the username, password, and session cookie for the LinkedIn account. At this point the username and password aren't even necessary. Mitnick simply loads the Chrome browser, visits LinkedIn, opens the browser developer tools, pastes the session cookie into the console, then hits refresh on LinkedIn. Access is then granted.

What Mitnick is attempting to show here is that, even with 2FA, the user is the weak link. If they don't take the time to check where they are entering their secure information, no user-dependent security, however strong, is going to work.
