This Tool Can Hack Your Accounts Even with Two-Factor Authentication

The internet is a dangerous place, replete with shady people looking to steal your personal information. Enabling two-factor authentication (sometimes called two-step verification) is one of the best ways to keep your online accounts secure. However, famed hacker Kevin Mitnick shows how even this security measure can’t completely protect your data if you don’t remain constantly vigilant.

The hack in question was not developed by Mitnick, who works as Chief Hacking Officer for security firm KnowBe4. Credit for that goes to Mitnick’s friend and white hat hacker Kuba Gretzky. The tool is known as evilginx, and it makes phishing feasible even when the target uses two-factor authentication. It’s essentially a man-in-the-middle attack, but it uses proxy_pass and sub_filter to modify and capture HTTP traffic. It requires an Nginx HTTP server and some familiarity with Debian Linux. Many people have the necessary expertise to do it.

You can get a complete technical rundown of evilginx on Gretzky’s site, but Mitnick has a nice, digestible video demo of the tool in action (embedded below). He uses LinkedIn as an example, but it could be used on Google, Facebook, and anything else that uses standard two-factor login. The attack starts in the same way all phishing attacks do — with a cleverly crafted email. You have to convince the target to click on a link that loads your site, which masquerades as the page your target expects. In this case, it’s LinkedIn.

Stealing a username and password like this is simple because they don’t change. A two-factor code changes every few seconds, so taking that from your fake page is pointless. Using evilginx, Mitnick shows how the page captures not the 2FA code but the session cookie. That identifies the user to a site, allowing the attacker to hop onto your account immediately.

Mitnick goes on to show how you can load the session cookie manually via the Chrome developer console, which only takes a few clicks. Then, all you need to do is reload the page, and LinkedIn displays the logged-in session. You don’t need to enter a username, password, or even the 2FA code.
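The point of the last three paragraphs is that a session cookie is a bearer credential: once the server has issued it, presenting it is enough, and the 2FA check is never repeated. One thing a site operator can do about that is watch how an issued cookie is subsequently used. The following is an added illustration of that defensive check; it is not code from the article, from Mitnick, or from evilginx. The log format (`LOGIN`/`REQ` lines with `sid=`, `ip=`, `ua=` fields), the sample entries, the ten-minute "fast hop" window, and the `SessionMonitor` class are all constructed for this example. The heuristic is deliberately simple: a session that shows up from a different client IP or user agent than the one it was issued to, especially within minutes of login, is flagged for review or forced re-authentication.

```python
"""Session-cookie replay detector (added example; not from the article or evilginx).

Models the defender's view of the attack described above: the server cannot
tell a stolen cookie from a legitimate one by its value alone, so it records
which client each session was issued to and flags use from a different client.
All log lines, field names and thresholds below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SessionRecord:
    """Who a session id was issued to, and from where."""
    user: str
    issued_at: datetime
    ip: str
    user_agent: str


@dataclass
class Alert:
    session_id: str
    user: str
    reason: str
    seen_at: datetime


class SessionMonitor:
    """Tracks issued sessions and flags reuse from a different client.

    fast_hop: a change of client IP this soon after login is treated as the
    strongest signal, since the cookie was just minted for someone else.
    """

    def __init__(self, fast_hop: timedelta = timedelta(minutes=10)) -> None:
        self.sessions: Dict[str, SessionRecord] = {}
        self.fast_hop = fast_hop

    def on_login(self, session_id: str, user: str, when: datetime,
                 ip: str, user_agent: str) -> None:
        self.sessions[session_id] = SessionRecord(user, when, ip, user_agent)

    def on_request(self, session_id: str, when: datetime,
                   ip: str, user_agent: str) -> Optional[Alert]:
        rec = self.sessions.get(session_id)
        if rec is None:
            # A cookie value the server never issued (or one already revoked).
            return Alert(session_id, "unknown",
                         "request with a session id that was never issued", when)
        if rec.user_agent != user_agent:
            return Alert(session_id, rec.user,
                         "user-agent differs from the one at login", when)
        if rec.ip != ip:
            if when - rec.issued_at <= self.fast_hop:
                reason = f"client ip changed within {self.fast_hop} of login"
            else:
                reason = "client ip differs from the one at login"
            return Alert(session_id, rec.user, reason, when)
        return None


def _fields(tokens: List[str]) -> Dict[str, str]:
    """Parse 'key=value' tokens from a constructed log line."""
    return dict(tok.split("=", 1) for tok in tokens)


def scan(log_lines: List[str], monitor: Optional[SessionMonitor] = None) -> List[Alert]:
    """Replay a list of constructed auth-log lines through the monitor."""
    monitor = monitor or SessionMonitor()
    alerts: List[Alert] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ts, event, *rest = line.split()
        when = datetime.fromisoformat(ts)
        f = _fields(rest)
        if event == "LOGIN":
            monitor.on_login(f["sid"], f["user"], when, f["ip"], f["ua"])
        elif event == "REQ":
            alert = monitor.on_request(f["sid"], when, f["ip"], f["ua"])
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: s1 is issued to alice, then presented from another
# IP two and a half minutes later; s9 was never issued at all.
SAMPLE_LOG = [
    "2018-01-10T09:00:00 LOGIN sid=s1 user=alice ip=203.0.113.5 ua=Chrome/63",
    "2018-01-10T09:00:05 REQ sid=s1 ip=203.0.113.5 ua=Chrome/63",
    "2018-01-10T09:02:30 REQ sid=s1 ip=198.51.100.9 ua=Chrome/63",
    "2018-01-10T09:03:00 LOGIN sid=s2 user=bob ip=192.0.2.44 ua=Firefox/57",
    "2018-01-10T09:04:00 REQ sid=s2 ip=192.0.2.44 ua=Firefox/57",
    "2018-01-10T09:05:00 REQ sid=s9 ip=192.0.2.44 ua=Firefox/57",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.seen_at.isoformat()} sid={a.session_id} user={a.user}: {a.reason}")
```

Two caveats worth keeping in mind. First, in the scenario the article describes the victim's real login is relayed through the phishing proxy, so the "issued to" address the server records may be the proxy's, not the victim's; the hop is still visible when the cookie is later loaded into a different browser, as in the demo, but a monitor like this is a detection aid, not a substitute for short session lifetimes and re-prompting for the second factor on sensitive actions. Second, legitimate users change IP addresses too (mobile networks, VPNs), so the sensible response to an alert is a step-up authentication prompt rather than a hard block.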

Gretzky has published the code for his 2FA hack on GitHub, so everyone has access to it. That means people could try to use it for phishing purposes, but security researchers and educators can also use it to help protect users. It just goes to show you: even two-factor authentication won’t protect you from your own poor decisions.
