Hacker Kevin Mitnick shows how can bypass Two-factor authentication

A major exploit allows hackers to spoof two-factor authentication applications by sending a user to a fake login page and then keeping the username, password, and session cookie

KnowBe4 is the world’s protecting security awareness training provider and also phishing firm with a massive client base of 17,000 organizations across the world.

Chief Hacking Officer knowbe4, Kevin Mitnick showed that how hackers to spoof two-factor authentication in a public video. By persuading a victim to visit a typo-squatting domain liked “Lunked.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can login frequently. This actually uses the one time 2FA code as a way to spoof a login and grab data.

“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”

“Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization,” added Sjouwerman.

This is the scene of the victim is taken to the authentic LinkedIn website so as to enter login information and cookie, which the hacker required. the hacker takes that direct access to the account and manages to avoid the 2FA phase of the signing-in process