Fraudsters are using a new technique to beat two-factor
authentication systems and break into online bank accounts,
security experts have warned.
Security firm Netcraft warned that the “man-in-the-middle”
technique - luring users into filling in an electronic form to
intercept single-use passwords - was being used in phishing attacks
aimed at Citibank customers.
Citibank uses physical security tokens, held by bank customers,
to generate one-off security passwords that remain valid for about
one minute as a second authentication factor. Single-use passwords
captured with keyloggers or other passive methods are useless to
attackers, because each password is invalidated once it has been
used and expires after about a minute in any case.
But Netcraft warned that victims were being conned into entering
the passwords into the attacker's own website forms, which lets
the attacker relay each password to the real site and use it
before it expires.
“By tricking a victim into entering these items of data into a
form, the attacker's site can automatically relay the
authentication credentials to the real Citibank site instantly.
Effectively, this allows the attacker to successfully log in on
behalf of the victim.”
The security firm added: “It is now clear that fraudsters are
already making efforts to bypass the protection features being
added by banks.”
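As an added illustration, not code from the article or from Netcraft, the following Python simulation shows why a one-time password captured after the fact is worthless but one relayed in real time is not. The bank, the victim's account, the token secret and the phishing site are all constructed in-process, and the code format (an HMAC-SHA1 truncation over a 60-second time step, in the style of HOTP/TOTP) is an assumption for the example, not a description of Citibank's tokens.

```python
"""Simulation of a real-time OTP relay against a token whose codes are
single-use and valid for about a minute. Everything here is constructed
for illustration: the bank, the account, the token secret and the
phishing site are in-process objects with made-up values."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60                      # code valid for roughly a minute, as in the article
TOKEN_SECRET = b"demo-token-secret"    # constructed secret, not a real token seed


def otp_for(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """6-digit code for the current time step (HMAC-SHA1 dynamic truncation, HOTP-style)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Bank:
    """Verifies username/password plus a time-windowed, single-use OTP."""

    def __init__(self) -> None:
        self.users = {"alice": ("hunter2", TOKEN_SECRET)}   # constructed account
        self.used_codes: set[tuple[str, str]] = set()       # (user, code) already consumed

    def login(self, user: str, password: str, otp: str, now: int) -> bool:
        creds = self.users.get(user)
        if creds is None or creds[0] != password:
            return False
        # Accept only the current step (a real server might allow one step of skew).
        if otp != otp_for(creds[1], now):
            return False
        if (user, otp) in self.used_codes:
            return False                                    # replay of a consumed code
        self.used_codes.add((user, otp))
        return True


class PhishingSite:
    """Attacker's look-alike form: relays whatever the victim types to the real bank at once."""

    def __init__(self, bank: Bank) -> None:
        self.bank = bank
        self.captured: list[tuple[str, str, str]] = []

    def submit_form(self, user: str, password: str, otp: str, now: int) -> bool:
        self.captured.append((user, password, otp))
        return self.bank.login(user, password, otp, now)    # instant relay to the real site


def replay_after_use_scenario(now: int = 1_000_000) -> tuple[bool, bool, bool]:
    """Keylogger-style capture: victim logs in at the real site, attacker replays later."""
    bank = Bank()
    code = otp_for(TOKEN_SECRET, now)
    victim_ok = bank.login("alice", "hunter2", code, now)
    attacker_same_window = bank.login("alice", "hunter2", code, now + 10)   # already used
    attacker_later = bank.login("alice", "hunter2", code, now + 2 * STEP_SECONDS)  # expired
    return victim_ok, attacker_same_window, attacker_later


def realtime_relay_scenario(now: int = 1_000_000) -> tuple[bool, bool]:
    """Netcraft's case: victim types the code into the phishing form, which relays it first."""
    bank = Bank()
    phish = PhishingSite(bank)
    code = otp_for(TOKEN_SECRET, now)
    attacker_ok = phish.submit_form("alice", "hunter2", code, now + 1)
    victim_ok = bank.login("alice", "hunter2", code, now + 5)   # code now consumed by attacker
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("replay after use (victim, attacker same window, attacker later):",
          replay_after_use_scenario())
    print("real-time relay (attacker, victim afterwards):", realtime_relay_scenario())
```

The bank's check is the same in both scenarios; it accepts the first correct code it sees inside the window and cannot tell the attacker's relayed submission from the victim's own. The single-use and expiry rules defeat replay but not relay, which is why a second factor of this kind needs to be bound to something the phishing site cannot forward, such as the transaction being approved or the origin the user is actually talking to.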
Netcraft has received reports of 35 websites using this method
to attack Citibank customers – all with a .ru Russian domain name,
although hosting locations varied.