By John Leyden, 13th July 2006 15:06

Phishers rip into two-factor authentication

Man-in-the-middle

Phishers are seeking to circumvent two-factor authentication schemes using man-in-the-middle attacks. Last October, US federal regulators urged banks to adopt two-factor authentication as a means to combat the growing problem of online account fraud.

Two-factor authentication involves the use of a password-generating device along with conventional passwords. That means a thief must know more than just a password to gain access to a user's account. Although the technology helps guard against fraud, a recent attack against Citibank shows the technique is far from foolproof.

A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. These authentication key codes change every minute or so.

The fraudulent site is automated, so it uses this information to log on to the real Citibusiness login site, giving fraudsters access to compromised accounts. The site, based in Russia, operated last week but has since been shut down, the Washington Post reports.

The attack confirms concerns from security expert Bruce Schneier that two-factor authentication schemes have been oversold as a silver-bullet solution to online identity fraud.

Banks in the Netherlands and Scandinavia have used two-factor authentication for years, and the technology is widely credited with helping to make account fraud more difficult. But the Citibank attack shows the growing sophistication of fraudsters, and undermines any notion that this approach delivers complete protection. ®
