Two-factor authentication is being touted by many as the "next big thing" in security, and as such is increasingly being adopted by enterprises. Of course, as with any highly hyped security technology, numerous flaws exist, and even the most mature implementations can be bypassed. The first half of this talk goes over the design, implementation, and effectiveness of a credential harvester the authors built that steals both username-password pairs and two-factor authentication tokens. The second half focuses on practically mitigating attacks like these, and provides suggestions and guidance for people currently rolling out two-factor authentication to avoid and detect this kind of attack in their environments.
JP and Eric are hackers at UIUC who enjoy programming things. If their combined exploits fit in 140 characters, they'd be pretty sad.