In a breakdown of the incident, the custodian of the @6 account, Lucky225, said the attackers got around 2FA by first resetting the associated email address, then revoking 2FA, and finally resetting passwords. "This worked to their advantage, as when a Twitter employee updates the email address on file, it doesn't send a notification to the owner of the account," Lucky said. "So after the email address is updated, an email about 2FA being revoked goes to the new email address."

While what happened is clear, how it happened highlights internal security flaws that many companies still carry when they rely on two-factor authentication as a fallback for safeguarding employee access and security. Phishing attacks succeed because of the psychological manipulation of social engineering. By impersonating well-known security mechanisms like 2FA, cybercriminals not only manipulate victims into handing over sensitive personal data but also reinforce a false sense of security among employees and company admins.
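The gap Lucky225 describes is a notification and sequencing problem in the account-recovery flow, and it can be modelled and tested. The following is an added example, not code from the article or from Twitter: a toy account model in which the flow described above (email change sends nothing, later notices go to the new address) sits beside a hardened flow that notifies the previous address, treats a freshly changed address as untrusted for recovery during a hold period, and refuses to revoke 2FA during that period. All class, method and address names are assumptions for illustration.

```python
"""Added example (not from the article): modelling the email-change /
2FA-revocation / password-reset sequence so the notification gap is testable.
Names and the hold period are assumptions, not any real provider's tooling.
"""
from dataclasses import dataclass, field
from typing import Optional

HOLD_SECONDS = 72 * 3600  # assumed cooling-off period after an email change


@dataclass
class Account:
    email: str
    twofa_enabled: bool = True
    # constructed message log: (recipient, message) pairs instead of real email
    outbox: list = field(default_factory=list)

    def notify(self, recipient: str, message: str) -> None:
        self.outbox.append((recipient, message))

    def messages_for(self, recipient: str) -> list:
        return [m for r, m in self.outbox if r == recipient]


class FlawedAccount(Account):
    """The behaviour described in the write-up: changing the address sends
    nothing, so every later notice goes to whoever controls the new address."""

    def change_email(self, new_email: str, now: float) -> None:
        self.email = new_email  # no notice to the previous owner

    def revoke_2fa(self, now: float) -> None:
        self.twofa_enabled = False
        self.notify(self.email, "2FA has been revoked")  # goes to the new address

    def reset_password(self, now: float) -> None:
        self.notify(self.email, "Password reset link")  # also to the new address


@dataclass
class HardenedAccount(Account):
    previous_email: Optional[str] = None
    email_changed_at: Optional[float] = None

    def _in_hold(self, now: float) -> bool:
        return self.previous_email is not None and now - self.email_changed_at < HOLD_SECONDS

    def _recovery_address(self, now: float) -> str:
        # A freshly changed address is not trusted for recovery until the hold ends.
        return self.previous_email if self._in_hold(now) else self.email

    def change_email(self, new_email: str, now: float) -> None:
        old = self.email
        self.previous_email, self.email, self.email_changed_at = old, new_email, now
        self.notify(old, f"Email changed to {new_email}; revert link if this wasn't you")
        self.notify(new_email, "Confirm this address")

    def revoke_2fa(self, now: float) -> None:
        if self._in_hold(now):
            raise PermissionError("2FA cannot be revoked during the email-change hold")
        self.twofa_enabled = False
        self.notify(self.email, "2FA has been revoked")

    def reset_password(self, now: float) -> None:
        self.notify(self._recovery_address(now), "Password reset link")


def replay_incident_sequence(account: Account, now: float,
                             new_email: str = "attacker@example.test") -> bool:
    """Run the three steps from the write-up in order; return whether 2FA survived."""
    account.change_email(new_email, now)
    try:
        account.revoke_2fa(now)
    except PermissionError:
        pass
    account.reset_password(now)
    return account.twofa_enabled


if __name__ == "__main__":
    for cls in (FlawedAccount, HardenedAccount):
        acct = cls(email="owner@example.test")
        survived = replay_incident_sequence(acct, now=1_000_000.0)
        print(cls.__name__, "2FA still enabled:", survived)
        print("  owner received:", acct.messages_for("owner@example.test"))
        print("  new address received:", acct.messages_for("attacker@example.test"))
```

The useful check for a defender is the last two lines of output: in the flawed model the original owner receives nothing at all, while in the hardened model the owner receives both the change notice and the reset link, and 2FA is still enabled when the sequence finishes. The hold period is a policy choice; what matters is that recovery-sensitive actions keep going to the address of record before the change.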
2FA allows users to authenticate their identity using two separate authentication methods, such as a username and password coupled with a randomized or memorized PIN or code. ATMs are a familiar example of a system that relies on two-factor authentication: to access an account, a customer must present a debit card as well as a private PIN. Financial institutions that provide digital services often require 2FA as a default security measure, with a randomized code delivered via email, text message, or phone call.
The primary flaw in 2FA is that it's only as strong as the trust its users place in it. Once a user receives a phishing message asking them to log in to their account, the manipulation of social engineering begins. The user may then enter their username, password, and 2FA code into a site, unaware that it is a phishing site designed to convince them they are logging in to their real account. Because the user trusted the phishing site, they handed over their credentials and rendered 2FA useless. In addition, 2FA data can also be recorded in session cookies. Once a victim submits their 2FA code to a website, an attacker who can read the resulting session cookie (for example, from a browser's developer tools) no longer needs the victim's username and password: pasting the session cookie into a browser is enough to log in to the victim's account.
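A pasted session cookie works because, to the server, the cookie is the proof of the completed login including the 2FA step. The defensive response is to limit what a copied cookie is worth. The following is an added example, not code from the article: a small server-side session store with the cookie attributes that keep scripts from reading the token (HttpOnly, Secure, SameSite), short absolute and idle lifetimes, a client-fingerprint binding that revokes the session when the same token shows up from a different client, and a step-up window so that sensitive actions require a recent authentication even with a valid session. The store, the fingerprint choice (User-Agent) and the timings are assumptions for illustration.

```python
"""Added example (not from the article): a session store that bounds the value
of a copied session cookie. Class names, fingerprint choice and timings are
assumptions, not any framework's built-in behaviour.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    user: str
    fingerprint: str  # client attribute the session is bound to (assumed: User-Agent)
    created: float
    last_seen: float
    auth_at: float    # last time the user fully authenticated (password + 2FA)


class SessionStore:
    ABSOLUTE_TTL = 8 * 3600   # hard cap on session lifetime
    IDLE_TTL = 15 * 60        # idle timeout
    STEP_UP_WINDOW = 5 * 60   # sensitive actions need an authentication this recent

    def __init__(self, clock: Callable[[], float] = time.time):
        self._now = clock
        self._sessions: dict = {}

    def create(self, user: str, fingerprint: str) -> str:
        """Issue an unguessable token after password + 2FA succeed."""
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user, fingerprint, t, t, t)
        return token

    @classmethod
    def set_cookie_header(cls, token: str) -> str:
        # HttpOnly: not readable by page script; Secure: HTTPS only;
        # SameSite=Strict: not sent on cross-site requests.
        return (f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; "
                f"SameSite=Strict; Max-Age={cls.ABSOLUTE_TTL}")

    def validate(self, token: str, fingerprint: str) -> Optional[str]:
        """Return the user for a live session, or None. A token presented from a
        different client than the one it was issued to revokes the session."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s.created > self.ABSOLUTE_TTL or t - s.last_seen > self.IDLE_TTL:
            del self._sessions[token]
            return None
        if s.fingerprint != fingerprint:
            del self._sessions[token]  # likely replay of a copied cookie: revoke
            return None
        s.last_seen = t
        return s.user

    def can_do_sensitive(self, token: str, fingerprint: str) -> bool:
        """Sensitive actions (change email, disable 2FA) need a recent full login."""
        if self.validate(token, fingerprint) is None:
            return False
        return self._now() - self._sessions[token].auth_at <= self.STEP_UP_WINDOW

    def step_up(self, token: str, fingerprint: str) -> bool:
        """Call after the user re-enters password + 2FA on this session."""
        if self.validate(token, fingerprint) is None:
            return False
        self._sessions[token].auth_at = self._now()
        return True


if __name__ == "__main__":
    clock = [1_000_000.0]                      # constructed, controllable clock
    store = SessionStore(clock=lambda: clock[0])
    tok = store.create("alice", "UA-browser-1")
    print(SessionStore.set_cookie_header(tok))
    print("same client:", store.validate(tok, "UA-browser-1"))
    clock[0] += 6 * 60
    print("sensitive action after 6 min:", store.can_do_sensitive(tok, "UA-browser-1"))
    print("copied token, other client:", store.validate(tok, "UA-browser-2"))
    print("original client afterwards:", store.validate(tok, "UA-browser-1"))
```

HttpOnly stops page script from reading the cookie but does not hide it from someone with the browser's developer tools open on the victim's machine, so it is the lifetimes, the step-up requirement and the revoke-on-mismatch rule that limit the damage once a token has been copied. The fingerprint binding is a heuristic: a User-Agent can be copied along with the cookie and IP addresses change on mobile networks, so treat a mismatch as a signal to revoke and re-authenticate rather than as proof.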