
Exploit allows hackers to spoof 2FA by sending a user to a fake login page - rmason
https://techcrunch.com/2018/05/10/hacker-kevin-mitnick-shows-how-to-bypass-2fa/
======
miohtama
Two-factor is not designed to protect against a man-in-the-middle attack. The
usual purpose of two-factor authentication is to protect against password
compromise (reuse, brute forcing weak passwords, using a stolen password
over a different connection or device).

Also, if your computer is compromised, nothing can protect you if the only
interaction channel is your computer screen. A true two-factor would use a
side channel to confirm a transaction (main interaction on the desktop screen,
confirm with a mobile app).

~~~
badrabbit
FYI, U2F and WebAuthn are phish (MITM/compromise) proof without using a side
channel.

------
colemannugent
Link to the blog detailing the attack: https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/

Looks more like an extended spoofing attack rather than an exploit.

~~~
testplzignore
Yeah. I'm not seeing anything novel about this. It's just straight up
phishing/spoofing.

From the TechCrunch article:

> He estimates that hackers will begin trying this technique in the next few
> weeks and urges users and IT managers to harden their security protocols.

Why the next few weeks? The blog post is from last year. Again, there's
nothing new about it. The TechCrunch article seems to basically be a press
release for the "KnowBe4" company.

~~~
colemannugent
Yeah, I was kinda wary since if TechCrunch picked it up it's probably been in
the wild for months. But you're right, there's nothing new about this other
than this being the first time TechCrunch has seen this.

------
alphabettsy
This wouldn’t fool a browser autofill or password manager, but I can see some
still falling for this. This is still essentially a phishing attack.

------
optimuspaul
Ugh, again with the title change, I don't think HN should be editorializing
like this.

~~~
platinumrad
"Crack" is both misleading and not found in the title or body of the linked
article.

------
platinumrad
Phishing != cracking

Edit: the title previously had the word "crack" in it

~~~
optimuspaul
I disagree. If there is a human element to a process then a human element to
cracking it seems legit to me.

~~~
tomhoward
HN's policy is that the title should be the same as the original article's
title, unless it's misleading or clickbait, in which case a title may be
constructed using representative wording from the article.

If nothing else, the point of this rule is to avoid off-topic debates about
the title.

"Crack" doesn't appear in the TechCrunch article or title, so adding it to the
title on HN is against the guidelines, plain and simple.

