Turning Credential Harvesting Into Credential Clearcutting: Phishing 2FA Systems

Presented at THOTCON 0x7 (2016), May 5, 2016, 1:30 p.m. (25 minutes)

Two-factor authentication is being touted by many as the "next big thing" in security, and as such is increasingly being adopted by enterprises. Of course, as with any highly hyped security technology, there are numerous flaws, and even the most mature implementations can be bypassed. The first half of this talk covers the design, implementation, and effectiveness of a credential harvester the authors built that steals both username-password pairs and two-factor authentication tokens. The second half focuses on practically mitigating attacks like these, and provides suggestions and guidance for people currently rolling out two-factor authentication so they can avoid and detect this kind of attack in their environments.

Presenters:

  • Eric Hennenfent
  • JP Smith

    JP and Eric are hackers at UIUC who enjoy programming things. If their combined exploits fit in 140 characters, they'd be pretty sad.
