12 Social Engineering Attacks

A significant portion of all crime involves social engineering—always has, and likely always will. Accordingly, social engineering is one of the most popular ways hackers can bypass MFA solutions. This chapter explores social engineering attacks on MFA and other hardware authentication solutions.

Introduction

Social engineering is the process of someone or something (e.g., email, malware, program) fraudulently and maliciously masquerading as someone or something else to acquire unauthorized information or to create a desired action that is contrary to the victim's or their organization's self-interests. Simply put, it's a “con” with malicious intent. It is often done in person, by mailed advertisement, by email, in messaging apps, or over the phone.

There are various forms and applications of social engineering, each with its own descriptive name, such as phishing (digital social engineering), spear phishing (targeted phishing), smishing (phishing using SMS), vishing (phishing using voice over phone), and whaling (targeting senior executives). Social engineering includes emails, messages, SMS, and voice calls claiming to be from work, vendors, bosses, friends, coworkers, popular social websites, banks, auction sites, or IT staff. Any weakly authenticated or unauthenticated communication channel that can be used to successfully lure an unsuspecting victim will be used.

Social engineering and phishing are the number one cause of successful ...
