Slashdot Mirror


Phishers Defeat Citibank's 2-Factor Authentication

An anonymous reader writes "Crypto experts and U.S. Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" — the second factor being something the user has in their physical possession like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. According to a Washington Post Blog, 'SecurityFix,' phishers have now started phishing for the two-factor token ID from the user as well. The most interesting part is that these tokens only give you one minute to log in to the bank before that key expires. The phishers employ a man-in-the-middle attack against the victim and Citibank to log in via PHP and conduct money transfers immediately when logged in." (An update to the blog entry notes that the phishing site mentioned has since been shut down.)
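
Added example, not part of the original story or the blog post: a server-side sketch of why a one-minute token code still verifies when a man-in-the-middle forwards it, and how a response bound to the origin the browser actually sees fails at a look-alike site. The RFC 6238-style code generator, the HMAC-based origin binding, the secret, the timestamp and the host names are assumptions constructed for illustration, not Citibank's scheme.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the summary says the token code expires after one minute

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238-style time-based code (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def bank_accepts_code(secret: bytes, code: str, now: int) -> bool:
    """The check sees only the code and the clock, not who submitted it."""
    return hmac.compare_digest(totp(secret, now), code)

def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator mixes in the origin the browser is really connected to."""
    return hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def bank_accepts_bound(secret: bytes, challenge: bytes, response: bytes,
                       expected_origin: str = "https://bank.example") -> bool:
    expected = origin_bound_response(secret, challenge, expected_origin)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_152_000_000                    # constructed timestamp, start of a 60 s window
    code = totp(secret, t0)               # code the user typed into a look-alike page
    challenge = b"constructed-nonce"      # constructed per-login challenge
    return {
        # Forwarded 20 s later, inside the same window: indistinguishable from the user.
        "relayed_code_accepted": bank_accepts_code(secret, code, t0 + 20),
        # The expiry only stops a code that is replayed after the window closes.
        "stale_code_accepted": bank_accepts_code(secret, code, t0 + STEP),
        # Response computed while the browser was on the look-alike origin.
        "relayed_bound_accepted": bank_accepts_bound(
            secret, challenge,
            origin_bound_response(secret, challenge, "https://look-alike.example")),
        # Response computed on the genuine origin.
        "direct_bound_accepted": bank_accepts_bound(
            secret, challenge,
            origin_bound_response(secret, challenge, "https://bank.example")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The short expiry narrows the window for a stored code but does nothing against real-time forwarding; only the origin-bound variant rejects the forwarded response.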

2 of 233 comments

  1. It's simple -- make browser never access ANY .RU by Anonymous Coward · Score: -1, Flamebait


    It's simple -- make all browsers never access ANY .RU because any .ru is by definition a scam. .il too since that's always a pesky pinko commie ruskie too.

  2. Re:carding by Anonymous Coward · Score: -1, Flamebait

    Sure, make it hold not just one credit card number but all of them... that way if it's lost or cracked they don't just get one of our debit/credit cards, they get all of them with one single effort.

    Erik