Many services today use two-factor authentication (2FA) to improve the security of user accounts. In most cases, 2FA pairs a password with a one-time code that is sent by SMS or email or generated by an authenticator app. Compared with a password alone, 2FA is significantly stronger: a stolen password is no longer enough on its own.
That said, 2FA can be defeated. The attacks that do it most reliably do not break the technology; they use social engineering to talk the user into handing over the second factor. For this reason, it is important to understand how social engineering works and how best to counter it.
What is social engineering and why does awareness of it matter?
As a security professional, you may already know this, but most people at your organization probably don't. Social engineering exploits human behavior and psychology. By using emotional triggers such as urgency and fear, along with other psychological tactics, attackers persuade users to give up their credentials, personal information and other details.
Because social engineering targets human judgment rather than a technical flaw, there is no fool-proof way of blocking it with software. Filters and phishing-resistant authenticators (discussed below) can remove or devalue what the attacker is asking for, but no tool can stop a user from voluntarily handing something over.
This is why people are the first line of defense against social engineering. A user who knows what a social engineering attack looks like and how it is executed is far more likely to recognize it and not fall for it.
The first step towards countering social engineering is to understand how it works. Below are the most common scenarios in which attackers use it to bypass two-factor authentication.
How does social engineering work?
Attackers use a variety of tactics to carry out social engineering. When it comes to 2FA, the two most common attacks follow the scenarios explained below.
Scenario 1: Hacker knows your username and password
Data leaks are common in today's digital world; even major companies and online retailers suffer them. In such leaks, large amounts of user data, including usernames and passwords, end up dumped on criminal forums and paste sites.
Any attacker can obtain this data and get their hands on your login credentials. With two-factor authentication enabled, though, the username and password alone are not enough to log in. So the attacker uses social engineering to get the code for the second step of verification.
During such an attack, the attacker sends the user a warning message along these lines: "Your account has been accessed from a suspicious IP address. If this was not you, please reply with the verification code we just sent to your phone."
Behind the scenes, the attacker is at that moment using your username and password to log into the service. The service sends a genuine verification code to your number, which is exactly what makes the fake warning convincing: the code is real and arrives right when the message says it will.
If the user replies to the fake warning with the code, the attacker enters it and completes the second step of 2FA. Once signed in, the attacker holds a valid authenticated session (and its cookies) and has full, unauthorized access to the account. The tell is simple: a legitimate service never asks you to send a verification code back to it; the code is only ever typed into the site or app you are logging into.
Scenario 2: Hacker has no user data
Now consider this scenario. The attacker does not know your username, password, phone number or the verification code. And still, with a social engineering attack, they can obtain all of this and more.
This type of attack uses a phishing website, a fake site pretending to be the genuine one. Phishing sites usually use domains that look or read like the real one, for instance Gmaiil.com instead of Gmail.com or LunkedIn.com instead of LinkedIn.com.
The attacker first crafts a persuasive email that looks like it comes from someone you know or from the service itself. The email contains a link that looks real and asks you to sign in. Once you click the link, you are taken to the fake website.
On the fake website you are asked for your username and password. As soon as you enter them, the attacker (or, more often, an automated relay proxy) uses them to sign in on the real site. The real site sends a verification code to your phone. When you type that code into the fake login page, the attacker receives it too and uses it to complete the login on the real site. Because the code is valid for only a short window, the whole exchange happens live, in real time.
In this way, the attacker bypasses 2FA and gains access to the user's account without having known anything about the user beforehand.
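Scenario 2 hinges on the victim not noticing the lookalike domain. Below is an added example (not code from the original article) of the kind of check a mail gateway or browser extension can run over links before the user sees them: it flags a hostname that is a small edit away from a protected brand domain after folding common look-alike characters, or that buries the brand name inside a longer hostname. The protected-domain list, the homoglyph table and the registrable-domain approximation (last two labels instead of the Public Suffix List) are assumptions made for this demo.

```python
"""Lookalike-domain check for phishing links.

Added example, not code from the original article. Assumptions made for the
demo: the PROTECTED brand list, the small homoglyph table, and the
approximation of the registrable domain as the last two labels (a real
deployment would use the Public Suffix List so that e.g. co.uk is handled).
"""
from typing import Optional
from urllib.parse import urlsplit

# Brand domains we want to protect. Constructed for this example.
PROTECTED = ("gmail.com", "linkedin.com")

# Character sequences phishers substitute because they look like the real
# letters on screen (rn looks like m, 1 like l, 0 like o, ...).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(name: str) -> str:
    """Lower-case and fold homoglyphs so 'gma1l.com' compares close to 'gmail.com'."""
    name = name.lower()
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (simplification, see docstring)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> Optional[str]:
    """Return the protected domain this URL appears to impersonate, else None.

    Three cases, matching the lookalike tricks described in scenario 2:
      * the genuine domain (or a subdomain of it)                  -> None
      * the brand buried inside a longer hostname,
        e.g. linkedin.com.secure-login.net                         -> "linkedin.com"
      * a registrable domain within a small edit distance of the
        brand after homoglyph folding, e.g. gmaiil.com, gma1l.com  -> "gmail.com"
    """
    host = (urlsplit(url).hostname or "").strip(".")   # .hostname is lower-cased
    if not host:
        return None
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None
    for brand in PROTECTED:
        if "." + brand + "." in "." + host + ".":
            return brand
        # allow roughly one edit per six characters of the brand, so that
        # short brands are not matched by unrelated short domains
        budget = max(1, len(brand) // 6)
        if 0 < levenshtein(normalize(reg), normalize(brand)) <= budget:
            return brand
    return None


if __name__ == "__main__":
    for link in ("https://gmaiil.com/signin", "http://LunkedIn.com/login",
                 "https://linkedin.com.secure-login.net/", "https://gma1l.com/",
                 "https://mail.google.com/", "https://www.linkedin.com/"):
        print(f"{link:45} -> {check_url(link)}")
```

The edit-distance rule is deliberately loose and will produce false positives (for example email.com is one edit from gmail.com), which is the right trade-off for a warning banner but not for an automatic block; in production the check is combined with domain age, certificate history and a proper Public Suffix List.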
How to prevent 2FA social engineering attacks?
Now that we have seen how attackers use social engineering to bypass 2FA, it is time to look at ways of preventing it. Using these tools and tips, you can avoid social engineering pitfalls yourself and also educate coworkers and colleagues in the workplace.
Security Keys
Security keys are an alternative second factor for 2FA. They are physical devices (implementing the FIDO2/WebAuthn standards) whose chip holds a separate private key for every site you register them with. At login the service sends a challenge and the key signs it; the signature proves possession of the key without ever revealing a secret that could be typed into, or relayed through, a fake page.
Security keys also have a built-in defense against phishing: the browser tells the key which site (origin) is asking, that origin is bound into what gets signed, and the key only answers for the site the credential was registered with. A lookalike login page therefore cannot obtain a signature the real service would accept, which is why this is the one form of 2FA that defeats both scenarios above.
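The origin binding described above is easiest to see in the data a FIDO2/WebAuthn key actually signs. The following is an added example, not code from the original article or from any security-key vendor: it models the authenticator, the browser and the relying-party server, and shows that a phishing page at a lookalike origin cannot obtain an assertion the real server accepts. Assumptions: the signature is modelled with HMAC-SHA256 over a per-credential secret so the demo runs on the Python standard library (a real key uses an asymmetric key pair such as ECDSA P-256 and the server stores only the public key); the origins `https://accounts.example.com` and `https://accounts-example.com` are made up; and the browser's rule that the relying-party ID must match the page's origin host is modelled by deriving it from the origin.

```python
"""Why a FIDO2/WebAuthn security key does not work on a phishing site.

Added example, not code from the original article. It models the three
parties in a WebAuthn login:
  * the authenticator (security key), which keeps one credential per
    relying-party ID (rpId) and signs authenticatorData || SHA-256(clientDataJSON);
  * the browser, which builds clientDataJSON (recording the page origin) and
    derives rpId from that origin, so the page cannot lie about who is asking;
  * the relying-party server, which checks origin, challenge and rpIdHash
    before checking the signature.
Assumption: the signature is modelled with HMAC-SHA256 over a per-credential
secret so this runs on the standard library. Real keys use an asymmetric key
pair (e.g. ECDSA P-256) and the server stores only the public key; the checks
shown are the same.
"""
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict, Tuple


def rp_id_for_origin(origin: str) -> str:
    """Browser behaviour (modelled): the default rpId is the origin's host."""
    host_port = origin.split("://", 1)[1].split("/", 1)[0]
    return host_port.split(":", 1)[0].lower()


class SecurityKey:
    """The authenticator. It never sees the page; it only sees rpId and a hash."""

    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}   # rpId -> per-credential secret
        self._counter = 0                    # signature counter, as in real keys

    def register(self, rp_id: str) -> bytes:
        """Create a credential scoped to rp_id; return what the server stores."""
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = secret
        return secret   # stand-in for the credential public key

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> Tuple[bytes, bytes]:
        """Sign for rp_id, or refuse if no credential was registered for it."""
        secret = self._creds.get(rp_id)
        if secret is None:
            raise LookupError(f"no credential for rpId {rp_id!r}")
        self._counter += 1
        # authenticatorData = rpIdHash (32) || flags (UP=1) || signCount (4)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + struct.pack(">I", self._counter))
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(key: SecurityKey, origin: str, challenge: bytes) -> Tuple[bytes, bytes, bytes]:
    """navigator.credentials.get() as performed by the browser for a page at origin."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = key.get_assertion(rp_id_for_origin(origin),
                                       hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def server_verify(stored: bytes, expected_origin: str, challenge: bytes,
                  client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks (a subset of WebAuthn section 7.2)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False                                    # wrong site asked
    if not hmac.compare_digest(bytes.fromhex(cd.get("challenge", "")), challenge):
        return False                                    # replayed/foreign challenge
    rp_id_hash = hashlib.sha256(rp_id_for_origin(expected_origin).encode()).digest()
    if auth_data[:32] != rp_id_hash:
        return False                                    # signed for another rpId
    expected = hmac.new(stored, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> Dict[str, bool]:
    """Genuine login versus the relay attack from scenario 2."""
    real_origin = "https://accounts.example.com"   # assumed genuine site
    fake_origin = "https://accounts-example.com"   # assumed lookalike phishing site
    key = SecurityKey()
    stored = key.register(rp_id_for_origin(real_origin))
    challenge = secrets.token_bytes(32)            # issued by the real server
    results = {}
    results["genuine_login"] = server_verify(
        stored, real_origin, challenge, *browser_get(key, real_origin, challenge))
    # The phishing page relays the real challenge, but the browser scopes the
    # request to the fake page's rpId, for which the key holds no credential.
    try:
        browser_get(key, fake_origin, challenge)
        results["key_refused_on_fake_site"] = False
    except LookupError:
        results["key_refused_on_fake_site"] = True
    # Even if the user had registered the key on the fake site, relaying that
    # assertion fails: clientDataJSON names the wrong origin and the rpIdHash
    # is for the wrong site.
    key.register(rp_id_for_origin(fake_origin))
    results["relayed_assertion_accepted"] = server_verify(
        stored, real_origin, challenge, *browser_get(key, fake_origin, challenge))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Contrast this with an SMS or app code: the code is a bare secret with no notion of which site it was typed into, so the relay in scenario 2 works. Here the user can tap the key on the fake page all day and the attacker still obtains nothing the real server will accept.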
VPN
Most social engineering attacks on 2FA start with a phishing page and then ride the resulting session. A VPN encrypts the traffic between your device and the VPN provider, which protects you from eavesdropping on untrusted networks such as public Wi-Fi, and that is where its benefit ends. It does not stop either scenario above: the fake site is one the user visits deliberately, it is served over HTTPS like any other site, and the password and code are handed over by the user rather than intercepted on the wire.
In particular, a VPN offers no protection against phishing sites that use HTTPS; the lock icon in the browser only means the connection to the fake site is encrypted, not that the site is genuine. If you use a VPN, treat it as network hygiene rather than a phishing control, and choose a reputable provider: even well-known VPN products, such as Avast SecureLine, have shipped with serious vulnerabilities. Read our detailed Avast review here.
Social Engineering Awareness
Awareness is the most important way of countering social engineering. Users who understand what it is and how it works are far better at spotting an attack in progress.
Organizations can invest in social engineering awareness training to equip employees to withstand these attacks. Simulated phishing campaigns and mock scenarios, run against staff and followed by a debrief, are a great way of helping users understand how social engineering works in practice.