Hi Hordakk, long time no see! 

I did a similar test about 3 months ago. Sorry I am currently in a rush, I will try to add more details later. The way I approached it is in two parts:

A) Figuring out requests between the browser and the server

- Create an account on the tested web site;
- While trying all possible scenarios, sniff every single requests and responses between your browser and the server.

B) Figuring out how the session is managed

- Are they using "anti-CSRF" techniques?
- If not, try to craft a single URL (usually quite complex) that tries to reproduce each functionalities found in step A). Execute then on your logged in machine.
- If at least one crafted URL succeed, you have just found a CSRF vulnerability.
- Finally, just draft a fake email that demonstrate how a user could click on a link and trigger some activity on the web server. You can also add your URL in a fake Christmas executable (dancing santa, etc) or something like that.

CSRF examples almost always use money transfer or things like that. A CSRF vulnerability could ba as simple as login the user out or just change the way things are displayed. But everything found in a pentest is valuable for the client. They will be scared to "miss" something bigger next time...

And all this was achieve in a Black Box pentest, without really involving social engineering (because you can test it yourself).

Woo, going after 3 factor authentication is indeed another ball game. I understand more your worries now.

Good luck, I hope you will find something "interesting" on this site...