This post is also available in: עברית (Hebrew)
In a quest to make online accounts safer, many services now offer two-factor authentication. Cybersecurity professionals have advised enabling two-factor to add an extra layer of security. The system typically sends a code to a user’s mobile phone that they need log in, along with a username and password. However, Kevin Mitnick, one of the FBI’s most wanted hacker who now helps companies defend themselves, found that two factor authentication can be vulnerable.
“The tool to actually pull these attacks off has been made public. So any 13-year-old could download the tool and actually carry out these attacks,” he said, according to cnbc.com.
The attack begins when a cybercriminal sends an email that looks real, and asks the receiver to click on a link. Once the user clicks on the link, they are directed to log into the real website, including entering the code sent to their cellphone. Secretly, however, the log in went through the hacker’s server.
“If we can steal the user’s details, we could become them, and we don’t need their username, their password, or their two-factor”..
Mitnick used LinkedIn to demo the attack, but said many other websites are also vulnerable. The email he clicked on looked like a real LinkedIn connection request — but actually came from a fake domain, lnked.com. He said most people may not realize the difference.
“It’s not LinkedIn that’s vulnerable. It’s the actual user… It’s a security flaw with the human,”
In a statement a LinkedIn spokesperson said that the professional network took Mitnick’s demonstration “very seriously,” and that LinkedIn has “a number of technical measures in place to protect our members from fraudulent activity including phishing scams.”
She added: “When we detect this type of activity, we work to quickly remove it and prevent future re-occurrences. We strongly encourage members to report any messages or postings they believe are scams, and utilize our member help center as a resource to educate and protect themselves from frauds online.”
To protect from attacks like this one, some companies are making tools called security keys.
Instead of sending a code to your cell phone, security keys — which look like a keychain — contain a hardware chip, and use Bluetooth or USB to be the additional factor needed to log into your account. Recently, Google released its own version of the device, which it calls the Titan Security Key.
“The security key stores its own password and requires the site to prove it’s legit before releasing the password and getting you signed in,” according to Google.