Phishers Defeat Citibank's 2-Factor Authentication
An anonymous reader writes "Crypto experts and U.S. Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called 'two-factor authentication' — the second factor being something the user has in their physical possession, like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. According to a Washington Post blog, 'Security Fix,' phishers have now started phishing for the two-factor token ID from the user as well. The most interesting part is that these tokens only give you one minute to log in to the bank before that key expires. The phishers employ a man-in-the-middle attack against the victim and Citibank to log in via PHP and conduct money transfers immediately once logged in." (An update to the blog entry notes that the phishing site mentioned has since been shut down.)
both of which require only a one-time, 5/6-digit, non-changing, numeric password.
I'm surprised. I live in Luxembourg, and none of the banks I know of use simple password systems. For ING, it's the same system as you describe: an electronic device that spits out numbers.
The other banks that I know of have the following system: username, password (usually, easy passwords are not allowed) and finally a 16-digit code (actually, often alphanumeric) separated into 4 blocks of 4 chars. At login, 2, 3 or 4 chars of this code are asked for (usually only one in each block). They do not ask for different digits at each trial. After three failed logins, your account is blocked. You know this. So, even if a phisher were to perform a man-in-the-middle attack, he would in the worst case obtain 4 digits of the 16-digit code. The probability that the phisher gets exactly those 4 digits to log in is 0.25^4. Not exactly high.
Sure, there is still a risk, and it's still not foolproof. Especially if the phisher decides to ask for all the codes, but most clients would become wary of that, I hope.
Of course, the system with an electronic device seems best to me. No e-banking system should use simple username/password authentication.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
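To make the two schemes discussed in this thread concrete, here is an added example (constructed for this page, not code from Citibank, ING, the Washington Post post, or any of the commenters). It models the bank side of both factors as a phisher sees them: the story's time-windowed token code, where a man-in-the-middle relay inside the one-minute window succeeds and a later replay fails, and the Luxembourg commenter's partial code card, where one captured login reveals only the four positions asked and the fraction of future challenges the phisher can answer outright is enumerated rather than estimated. The token code is a TOTP-style HMAC-SHA1 truncation over a 60-second step, the card is 16 characters in 4 blocks with one position per block asked, the challenge stays fixed until answered and three failures lock the account; the seed, secret, timestamp and the `!!!!` wrong answer are assumptions made up for the demo.

```python
"""Two toy bank-side verifiers and the phisher's view of each.
Constructed example for this thread; not any bank's real implementation."""
import hashlib
import hmac
import itertools
import random
import string

# --- 1. Time-windowed token code (the second factor in the story) ----------

def window_code(secret: bytes, now: float, step: int = 60, digits: int = 6) -> str:
    """HMAC-SHA1 over the step counter, truncated the way TOTP (RFC 6238) does."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class WindowOTPVerifier:
    """Accepts the current step's code once; codes from older steps are wrong."""
    def __init__(self, secret: bytes, step: int = 60):
        self.secret, self.step, self.used_steps = secret, step, set()

    def verify(self, code: str, now: float) -> bool:
        step_no = int(now // self.step)
        if step_no in self.used_steps:
            return False                          # one login per code
        if hmac.compare_digest(code, window_code(self.secret, now, self.step)):
            self.used_steps.add(step_no)
            return True
        return False

def demo_relay(secret: bytes = b"victim-token-seed", step: int = 60):
    """Victim types the code into the phishing page at t0; the phisher relays
    it 5 s later (inside the window) and replays it minutes later (outside).
    Returns (relay_ok, replay_ok)."""
    bank = WindowOTPVerifier(secret, step)
    t0 = 1_700_000_000.0                          # constructed timestamp
    captured = window_code(secret, t0, step)
    relay_ok = bank.verify(captured, t0 + 5)
    replay_ok = bank.verify(captured, t0 + 5 * step)
    return relay_ok, replay_ok

# --- 2. Partial code card: 16 chars in 4 blocks, one char per block asked --

ALPHABET = string.ascii_uppercase + string.digits
BLOCKS, BLOCK_LEN = 4, 4

def make_card(rng: random.Random) -> str:
    return "".join(rng.choice(ALPHABET) for _ in range(BLOCKS * BLOCK_LEN))

def all_challenges():
    """Every possible challenge: one position from each block, 4**4 = 256."""
    return [tuple(b * BLOCK_LEN + p for b, p in enumerate(pos))
            for pos in itertools.product(range(BLOCK_LEN), repeat=BLOCKS)]

def new_challenge(rng: random.Random):
    return tuple(b * BLOCK_LEN + rng.randrange(BLOCK_LEN) for b in range(BLOCKS))

class CardVerifier:
    """The challenge stays fixed until answered correctly, and three failures
    lock the account, so guessing does not buy the phisher fresh positions."""
    MAX_FAILURES = 3

    def __init__(self, card: str, rng: random.Random):
        self.card, self.rng = card, rng
        self.failures, self.locked = 0, False
        self.challenge = new_challenge(rng)

    def expected(self) -> str:
        return "".join(self.card[i] for i in self.challenge)

    def verify(self, answer: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(answer, self.expected()):
            self.failures = 0
            self.challenge = new_challenge(self.rng)  # fresh positions next time
            return True
        self.failures += 1
        self.locked = self.failures >= self.MAX_FAILURES
        return False

class PartialCardPhisher:
    """Man in the middle: relays the bank's challenge and records the chars revealed."""
    def __init__(self):
        self.known = {}                               # card position -> char

    def observe(self, challenge, answer: str):
        self.known.update(zip(challenge, answer))

    def can_answer(self, challenge) -> bool:
        return all(i in self.known for i in challenge)

def fraction_answerable(known_positions) -> float:
    """Share of the 256 challenges answerable from the captured positions:
    (1/4)**4 = 1/256 after a single phished login (the commenter's 0.25^4)."""
    challenges = all_challenges()
    hits = sum(all(i in known_positions for i in c) for c in challenges)
    return hits / len(challenges)

def demo_partial_card(seed: int = 7):
    """One phished login, then the bank's next challenge. Returns
    (fraction of all challenges the phisher can answer, can answer this one)."""
    rng = random.Random(seed)                         # seeded only for the demo
    bank = CardVerifier(make_card(rng), rng)
    phisher = PartialCardPhisher()
    challenge, answer = bank.challenge, bank.expected()
    phisher.observe(challenge, answer)                # victim answers through the MITM
    bank.verify(answer)                               # phisher logs in once; challenge rotates
    return fraction_answerable(phisher.known), phisher.can_answer(bank.challenge)

def demo_lockout(seed: int = 7):
    """Three wrong answers lock the account; even the right answer then fails."""
    rng = random.Random(seed)
    bank = CardVerifier(make_card(rng), rng)
    results = [bank.verify("!!!!") for _ in range(CardVerifier.MAX_FAILURES)]
    results.append(bank.verify(bank.expected()))
    return results, bank.locked

if __name__ == "__main__":
    print("time-window token: relay ok=%s, replay ok=%s" % demo_relay())
    print("partial card: answerable=%.4f, this challenge=%s" % demo_partial_card())
    print("lockout:", demo_lockout())
```

The contrast is the point: the time-windowed token is only as strong as the assumption that nobody can use the code before the victim does, which a live relay breaks, whereas the partial card leaks only the positions asked, so a single phished session covers 1 of 256 future challenges and the locked, non-rotating challenge stops the phisher from fishing for more by retrying. Neither model defends against a phisher who simply asks the victim for the whole card, which is the residual risk the commenter names.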