Fraudsters are using a new technique to beat two-factor authentication systems and break into online bank accounts, security experts have warned.
Security firm Netcraft warned that the “man-in-the-middle” technique, in which users are lured into entering their single-use passwords into a form on the attacker's site so that the passwords can be intercepted, was being used in phishing attacks aimed at Citibank customers.
Citibank uses physical security tokens, held by bank customers, to generate one-off security passwords that remain valid for about one minute as a second authentication factor. Such single-use passwords are useless to attackers who capture them with keyloggers or by other means, because each password becomes invalid once it has been used or has expired.
But Netcraft warned that victims were being conned into entering the passwords into website forms – a method that allows the attacker to use the password.
“By tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.”
The security firm added: “It is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.”
Netcraft has received reports of 35 websites using this method to attack Citibank customers, all registered under Russian .ru domain names, although their hosting locations varied.
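To make the mechanism described above concrete, the following is an added example, not code from Netcraft, Citibank or Computer Weekly: a toy server-side verifier for time-based one-time passwords that enforces the two properties the article relies on, a short validity window and single use. The algorithm (HMAC-SHA1 over a 60-second time counter, truncated to six digits, modelled on the RFC 6238 TOTP scheme), the seed and the timestamps are assumptions; nothing on the page describes how Citibank's tokens actually work.

```python
"""Toy time-based one-time-password (OTP) verifier.

Added illustration of the mechanism described in the article above. It is
not Netcraft's, Citibank's or Computer Weekly's code. The scheme (HMAC-SHA1
over a 60-second counter, truncated to 6 digits) is an assumption modelled
on RFC 6238 TOTP; the seed and timestamps below are constructed.
"""

import hashlib
import hmac
import struct

STEP_SECONDS = 60   # article: a code stays valid for about one minute
DIGITS = 6


def generate_otp(secret: bytes, now: int) -> str:
    """Derive the code a hardware token would display at Unix time `now`."""
    counter = now // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226 style)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class OtpVerifier:
    """Bank side: accept a code only for the current step, and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()   # (counter, code) pairs already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        if code != generate_otp(self.secret, now):
            return False    # wrong code, or one from an earlier (expired) step
        if (counter, code) in self.used:
            return False    # single use: a captured code replayed after login fails
        self.used.add((counter, code))
        return True


def demo() -> dict:
    """Walk through the cases the article contrasts; returns outcome per case."""
    secret = b"constructed-demo-seed"   # constructed; real tokens hold a random per-device seed
    t0 = 1_150_000_020                  # constructed timestamp, aligned to a 60-second step
    code = generate_otp(secret, t0)     # what the customer's token shows at t0
    results = {}

    # 1. The genuine customer logs in with the code from the token.
    bank = OtpVerifier(secret)
    results["first_use"] = bank.verify(code, t0 + 5)

    # 2. A keylogger-captured copy is submitted seconds later: rejected as already used.
    results["replay_after_use"] = bank.verify(code, t0 + 20)

    # 3. A captured code submitted after the window has rolled over: rejected as expired.
    results["late_submission"] = OtpVerifier(secret).verify(code, t0 + 2 * STEP_SECONDS)

    # 4. The article's point: a code relayed to the bank within the window, before the
    #    customer's own request, looks exactly like the customer. The verifier has no
    #    information about where the code was typed, so checking the code alone cannot
    #    distinguish a real-time relay from a legitimate login.
    results["relayed_within_window"] = OtpVerifier(secret).verify(code, t0 + 3)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} -> {'accepted' if accepted else 'rejected'}")
```

Cases 2 and 3 show why the article calls captured codes "useless" to an attacker who merely records them; case 4 shows why that protection does not extend to a site that forwards the code to the bank while it is still valid, which is the gap the Citibank phishing kits exploit.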