Two-factor authentication may not be the panacea of securing access to online accounts that many believe it is as KnowBe4's Kevin Mitnick shows how easily this defensive measure can be spoofed.
Mitnick, KnowBe4's chief hacking officer, has put together a video showing how a phishing email containing a bit of code capable of swiping login information placed into a login box can be stolen to totally compromise a person's account and eliminate the level of protection normally afforded by two-factor authentication. The core of the attack comes in a phishing email, in this case, one purportedly sent by LinkedIn, to a member indicating someone is trying to connect with them on that social network.
Mitnick points out that at a brief glance the email looks legitimate, but upon closer scrutiny, the return address is not correct. So, if the target falls for the fake email and clicks the “interested” button the malware is downloaded onto the victim's computer. At this point, the person is taken to the real LinkedIn site where login information is required to complete the connection process, including having the site send an access code to the account holder's phone. However, in the background, the malware has grabbed the email and password associated with the account, along with the session cookie.
This cookie then can be used by the attacker to access the account directly, thus avoiding the 2FA part of the sign in.
For a complete run through of the process check out the video below.