Many services today use two-factor authentication (2FA) to improve the security of user accounts. In most cases, 2FA utilizes a password and a code sent via SMS or email as the two factors of verification. Compared to the password-only approach, 2FA is significantly stronger and offers better security.
That being said, 2FA is also vulnerable to attacks and exploits by hackers. Most notably, hackers use social engineering tactics to bypass 2FA and hack into user accounts. For this reason, it is important to have a good awareness of how social engineering works and how best to counter it.
social engineering and why its awareness is important?
As a security professional, you may already know this, but most people at your organization probably don’t. Social engineering exploits human behavior and psychology. By using emotional triggers as well as other psychological tactics, hackers persuade users to give up their personal information and other details.
Because social engineering uses human psychology, there is no foolproof way of countering it. There is virtually no software or tool that effectively blocks social engineering attacks.
This is why humans are the first and only line of defense against social engineering attacks. If users know what a social engineering attack is and how it is executed, they are more likely to identify it and not fall for it.
The first step towards countering social engineering is to understand how it works. Below are some of the most common scenarios where hackers bypass two-factor authentication.
social engineering work?
Hackers use a variety of tactics to execute social engineering attacks. When it comes to 2FA, the two most common types of social engineering attacks follow the scenarios explained below.
1: Hacker knows your username and password
Data leaks are common in today’s digital world. Even major companies and online retailers suffer from them. During such data leaks, large amounts of user data, including login usernames and passwords, are dumped on hacker sites.
Any hacker can access this data and get their hands on your login credentials. But with two-factor authentication, the hacker can’t log in using only the username and password. So the hacker uses social engineering to get the code for the second step of verification.
During such an attack, the hacker sends a warning message to the user. This message says something along these lines: “Your user account has been accessed from a suspicious IP address. If the IP does not belong to you, please reply with the verification code sent to your number.”
Behind the scenes, the hacker uses your username and password to log into the service. The service then sends the verification code to your number.
If the user responds to the fake warning message with the verification code, the hacker is able to use it to bypass the second step of 2FA. Once signed in, the hacker also steals session cookies and has full, unauthorized access to the user account.
2: Hacker has no user data
Now consider this scenario. The hacker does not know your username, password, phone number or the verification code. And still, they can use a social engineering attack to get all of this and more.
This type of attack uses a phishing website – a fake website pretending to be a genuine website. Phishing websites usually use URLs that look or read similar to those of the real websites, for instance Gmaiil.com instead of Gmail.com or LunkedIn.com instead of LinkedIn.com.
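The look-alike domains mentioned above can be caught mechanically. The following is an added example (not code from the original post) of a small checker that compares the domain of a login URL against a constructed allow-list of genuine domains using edit distance; the allow-list, the sample URLs and the distance threshold are assumptions made for the demonstration, and the host extraction is deliberately crude (last two labels only), so a real deployment would use the public suffix list instead.

```python
# Added example: flag login-page domains that look like a known brand domain,
# the way "Gmaiil.com" or "LunkedIn.com" do. Allow-list and URLs are constructed.
from urllib.parse import urlparse

# Constructed allow-list of the genuine domains users are expected to sign in to.
KNOWN_DOMAINS = {"gmail.com", "linkedin.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions
    needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Crude host extraction: last two labels, lower-cased. Enough for the
    .com examples here; use the public suffix list for anything real."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify(url: str, max_distance: int = 2) -> str:
    """Return 'genuine', 'lookalike:<brand>' or 'unknown' for a login URL.
    A domain within max_distance edits of a brand, but not equal to it,
    is the typo-squat pattern the post describes."""
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "genuine"
    for brand in KNOWN_DOMAINS:
        if 0 < levenshtein(domain, brand) <= max_distance:
            return f"lookalike:{brand}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://Gmaiil.com/login",       # constructed phishing URL
                   "https://www.lunkedin.com/login", # constructed phishing URL
                   "https://accounts.gmail.com/",
                   "https://example.org/"):
        print(sample, "->", classify(sample))
```

A check like this belongs in a mail gateway or a browser extension that sees the link before the user does; the threshold of two edits is a starting point and should be tuned against the organization's own list of sign-in domains.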
The hacker first creates a persuasive email that looks like it is coming from someone you know or from the service itself. The email has a link that looks real, and you are asked to sign in. Once you click the link, you are taken to the fake website.
On the fake website, you are asked to provide
your username and password for login. When you provide these details, the
hacker uses them to sign in on the real login website. The real website sends a
verification code to your number. When you enter this code on the fake login
site, the hacker gets the code as well and uses it to complete login on the
In this way, the hacker is able to bypass 2FA and gain access to a user account on a service or a website.
prevent 2FA social engineering hacks?
Now that we have seen how hackers can use social engineering to bypass 2FA, it is time to explore some ways in which social engineering hacks can be prevented. Using these tools and tips, you can avoid social engineering pitfalls yourself and also educate coworkers and colleagues in the workplace.
Security keys are an alternative form of authentication used in 2FA. These are physical keys that contain hardware chips with one or more passwords. These passwords are recognized by the service and are accepted as a legitimate second factor in authentication.
Security keys also have a built-in mechanism to determine whether a website is legitimate before providing the password stored on them. In this way, they are able to prevent phishing websites and fake login pages from getting user login information.
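To make the “built-in mechanism” concrete, here is an added example (not code from the original post and not any vendor's implementation) that models how a security key is bound to the genuine site's domain: the credential is created for one relying-party ID, the browser, not the user, tells the key which domain the page is on, and the site additionally checks that the signed data names its own origin and a fresh challenge. The HMAC secret standing in for the key's private/public key pair, the domain names and the message format are simplifications assumed for the demonstration.

```python
# Added example: why a look-alike login page cannot use a security key.
# Toy model only: HMAC with a per-site secret stands in for the key's signature.
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class SecurityKey:
    """One credential per relying-party ID (the genuine site's domain)."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, secret)

    def register(self, rp_id: str):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = (cred_id, secret)
        # A real key would hand back a public key; the secret is a stand-in.
        return cred_id, secret

    def sign(self, rp_id: str, client_data: bytes):
        if rp_id not in self._credentials:
            return None  # nothing registered for this domain: no answer at all
        cred_id, secret = self._credentials[rp_id]
        return cred_id, hmac.new(secret, client_data, hashlib.sha256).digest()


class RelyingParty:
    """The genuine website: issues one-time challenges and checks the origin."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.origin = f"https://{rp_id}"
        self._verifiers = {}    # credential_id -> secret (stand-in for public key)
        self._challenges = set()

    def enroll(self, cred_id: str, secret: bytes):
        self._verifiers[cred_id] = secret

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._challenges.add(challenge)
        return challenge

    def verify(self, cred_id: str, client_data: bytes, signature: bytes) -> str:
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return "rejected: origin mismatch"
        if data["challenge"] not in self._challenges:
            return "rejected: unknown or replayed challenge"
        expected = hmac.new(self._verifiers[cred_id], client_data,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        self._challenges.discard(data["challenge"])  # single use
        return "accepted"


def login_from(page_origin: str, key: SecurityKey, rp: RelyingParty) -> str:
    """The user presses the key on a page at page_origin. The challenge always
    comes from the genuine site (a phishing page just relays it), but the
    browser fills in the origin the user is really on."""
    challenge = rp.new_challenge()
    client_data = json.dumps({"challenge": challenge,
                              "origin": page_origin}).encode()
    rp_id = urlparse(page_origin).hostname
    result = key.sign(rp_id, client_data)
    if result is None:
        return "key refused: no credential for " + rp_id
    cred_id, signature = result
    return rp.verify(cred_id, client_data, signature)


def demo() -> dict:
    """Constructed scenario: key enrolled at linkedin.com, then used on the
    genuine site and on a look-alike phishing site."""
    key = SecurityKey()
    rp = RelyingParty("linkedin.com")
    rp.enroll(*key.register(rp.rp_id))
    return {"genuine": login_from("https://linkedin.com", key, rp),
            "phishing": login_from("https://lunkedin.com", key, rp)}


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The point of the model is that the user never decides which domain the key answers for, so the trick in scenario 2 (typing a code into a convincing fake page) has nothing to relay: the key refuses the look-alike domain, and even a signature somehow obtained elsewhere would fail the genuine site's origin and one-time-challenge checks.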
Most social engineering tactics use phishing
attacks and session hijacking to get user details. A quality VPN encrypts data
traffic and secures browsing sessions. This reduces the chances of a social engineering
A VPN is also effective in countering advanced phishing and social engineering attacks that use HTTPS for fake sites. It is important that you invest in a reputable VPN in order to achieve good protection against social engineering. This is because even some well-known VPNs, such as Avast SecureLine, can come with serious vulnerabilities. Read our detailed Avast review here.
Awareness is the most important way of countering social engineering. Users who understand what social engineering is and how it works can generally avoid social engineering attacks more effectively.
Organizations can invest in social engineering awareness training to equip their employees so that they can withstand social engineering attacks. Simulated attacks and mock scenarios are a great way of helping users understand how social engineering works.