
How 2FA can be hacked using social engineering

Many services today use two-factor authentication (2FA) to improve the security of user accounts. In most cases, 2FA utilizes a password and a code sent via SMS or email as the two factors of verification. Compared to the password-only approach, 2FA is significantly stronger and offers better security.

That said, 2FA is also vulnerable to attacks. Most notably, hackers use social engineering tactics to bypass 2FA and break into user accounts. For this reason, it is important to understand how social engineering works and how best to counter it.

What is social engineering, and why is awareness of it important?

As a security professional, you may already know this but most people at your organization probably don’t. Social engineering exploits human behaviors and psychology. By using emotional triggers as well as other psychological tactics, hackers persuade users to give up their personal information and other details.

Because social engineering targets human psychology, there is no foolproof way of countering it. There is virtually no software or tool that can effectively block social engineering attacks.

This is why humans are the first and only line of defense against social engineering attacks. If users know what a social engineering attack is and how it is executed, they are more likely to recognize it and not fall for it.

The first step towards countering social engineering is to understand how it works. Below are some of the most common scenarios where hackers bypass two-factor authentication.

How does social engineering work?

Hackers use a variety of tactics to execute social engineering attacks. When it comes to 2FA, the two most common types of social engineering attacks follow the scenarios explained below.

Scenario 1: Hacker knows your username and password

Data leaks are common in today’s digital world. Even major companies and online retailers suffer from them. During such data leaks, large amounts of user data, including login usernames and passwords, are dumped on hacker sites.

Any hacker can access this data and get their hands on your login credentials. But with two-factor authentication, the hacker can’t log in by using only the username and password. So the hacker uses social engineering to get the code for the second step of verification.

During such an attack, the hacker sends a warning message to the user. The message says something along these lines: “Your user account has been accessed from a suspicious IP address. If this IP does not belong to you, please reply with the verification code sent to your number.”

Behind the scenes, the hacker uses your username and password to log in to the service. The service then sends the verification code to your number.

If the user responds to the fake warning message with the verification code, the hacker is able to use it to bypass the second step of 2FA. Once signed in, the hacker also steals session cookies and has full, unauthorized access to the user account.

Scenario 2: Hacker has no user data

Now consider this scenario. The hacker does not know your username, password, phone number or the verification code. And still, they can use a social engineering attack to get all of this and more.

This type of attack uses a phishing website, a fake website pretending to be a genuine one. Phishing websites usually use URLs that look or read similar to those of the real websites, for instance Gmaiil.com instead of Gmail.com or LunkedIn.com instead of LinkedIn.com.

The hacker first creates a persuasive email that looks like it is coming from someone you know or from the service itself. The email has a link that looks real and you are asked to sign in. Once you click the link, you are taken to the fake website.

On the fake website, you are asked to provide your username and password for login. When you provide these details, the hacker uses them to sign in on the real login website. The real website sends a verification code to your number. When you enter this code on the fake login site, the hacker gets the code as well and uses it to complete login on the real website.

In this way, the hacker is able to bypass 2FA and gain access to a user account on a service or a website.

How to prevent 2FA social engineering hacks?

Now that we have seen how hackers can use social engineering to bypass 2FA, it is time to explore some ways in which social engineering hacks can be prevented. Using these tools and tips, you can avoid social engineering pitfalls yourself and also educate coworkers and colleagues in the workplace.

Security Keys

Security keys are an alternative form of second factor used in 2FA. They are physical devices containing a hardware chip with one or more passwords stored on it. These passwords are recognized by the service and accepted as a legitimate second factor during authentication.

Security keys also have a built-in mechanism to determine whether a website is legitimate before releasing the password stored on them. In this way, they prevent phishing websites and fake login pages from obtaining user login information.

VPN

Most social engineering tactics use phishing attacks and session hijacking to get user details. A quality VPN encrypts data traffic and secures browsing sessions. This reduces the chances of a social engineering attack.

A VPN is also effective in countering advanced phishing and social engineering attacks that use HTTPS for fake sites. It is important that you invest in a reputable VPN in order to achieve good protection against social engineering, because even some well-known VPNs, such as Avast SecureLine, can come with serious vulnerabilities. Read our detailed Avast review here.

Social Engineering Awareness

Awareness is the most important way of countering social engineering. Users who understand what social engineering is and how it works can generally avoid social engineering attacks more effectively.

Organizations can invest in social engineering awareness training to equip their employees to withstand social engineering attacks. Simulated attacks and mock scenarios are a great way of helping users understand how social engineering works.
