The Channel logo

News

By | John Leyden 13th July 2006 15:06

Phishers rip into two-factor authentication

Man-in-the-middle

Phishers are seeking to circumvent two-factor authentication schemes using man-in-the-middle attacks. Last October, US federal regulators urged banks to adopt two-factor authentication as a means to combat the growing problem of online account fraud.

Two-factor authentication involves the use of a password-generating device along with conventional passwords. That means a thief must know more than just a password to gain access to a user's account. Although the technology helps guard against fraud, a recent attack against Citibank shows the technique is far from foolproof.

A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. These authentication key codes change every minute or so.

The fraudulent site is automated so it uses this information to log onto the real Citibusiness login site, allowing fraudsters access to compromised accounts. The site, based in Russia, operated last week but has since been shut down, the Washington Post reports.

The attack confirms concerns from security expert Bruce Schneier that two-factor authentication schemes have been oversold as a silver-bullet solution to online identity fraud.

Banks in the Netherlands and Scandinavia have used two-factor authentication for years, and the technology is widely credited with helping to make account fraud more difficult. But the Citibank attack shows the growing sophistication of fraudsters, and undermines any notion that this approach delivers complete protection. ®

alert Send corrections

Opinion

Neil McAllister

Claims that cloud will drive Oracle's future growth ring hollow
Pure Storage array

Neil McAllister

How the cloud taught Redmond to play by a new set of rules

Features

Pebble Steel
Meet the man who accidentally created the smartwatch hype
No, silly... he was the fall guy for years of Finnish folly
Fraud image