Privacy has always been a major concern among users while surfing the web. With the rise in the number of e-commerce portals and the country's own effort toward a digital India, the use of various modes of authentication is also quite evident these days. We all know about the various digital wallet companies that use two-factor authentication for data protection.
Although two-factor authentication might sound like a foolproof solution, this is not the case. Kevin Mitnick, Chief Hacking Officer at security awareness training provider KnowBe4, recently explained an exploit that allowed him to easily bypass two-factor authentication (2FA). The hack was reportedly demonstrated in a public video that showed Mitnick convincing a victim to visit an imitation domain, which captured their login details along with the 2FA authentication code.
Using the exploit, Mitnick was then able to use the credentials on the actual website. He was also able to capture the session cookie in order to log in indefinitely. Further, Mitnick also used time two-factor authentication in order to trick a login and get all the authentication data. KnowBe4 CEO Stu Sjouwerman commented on the same, stating:
"A white hat hacker friend of Kevin's developed a tool to bypass two-factor authentication using social engineering tactics - and it can be weaponized for any site...Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can't rely on it alone to protect your organizations."
The tool, called evilginx, was reportedly first developed by white hat hacker Kuba Gretzky, who has detailed it in a post on his website. As the tool was publicly demonstrated, Sjouwerman has estimated that hackers might begin to use it in the next few weeks. He has further urged users and IT managers to toughen up their security protocols in order to prevent any security breaches.