BS 7799/ISO 17799
Phishing Attack Defeats Two-Factor Authentication
(13 10 July 2006)
Phishers are targeting Citibank Citibusiness customers using a
man-in-the-middle attack to exploit people's trust in two-factor
authentication. The scheme, if successful, would provide the phishers
with Citibank Citibusiness customers' names and passwords in addition
to temporary passwords generated by security tokens. The scheme passes
on the customers' entered information to the legitimate site to see if
it is authentic. In a real-time attack scenario, the temporary passwords
could be used before they expire. The phony site has reportedly been
shut down.
http://www.vnunet.com/vnunet/news/2160250/phishers-crack-two-factor
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
On 7/27/06, Peter Boosten <peter.boosten (at) valid (dot) nl> wrote:
> I don't understand how you've implemented two-way authentication:
>
> Two-way means "something I know" (password) and "something I have" (token?).
>
> We use SecurID tokens from RSA which regenerate one-time passwords
> that only last for one minute maximum. I don't understand how this
> could be used in a phishing attack.
>
> Could somebody explain this to me?
>
> TIA.
>
> Peter
>
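An added example, not part of the original posts, for the question quoted above: a minimal server-side verifier showing what a one-minute, single-use code does and does not check. It uses RFC 6238 TOTP as a stand-in for the proprietary SecurID algorithm; the `Verifier` class, seed, password and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the one-minute token lifetime mentioned in the thread


def totp(secret: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `now` (stand-in for a token code)."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server check: password, code for the current step, code unused."""

    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret
        self.used_steps = set()

    def login(self, password: str, code: str, now: float) -> str:
        step = int(now // STEP)
        if not hmac.compare_digest(password, self.password):
            return "bad-password"
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return "bad-or-expired-code"
        if step in self.used_steps:
            return "replayed-code"
        self.used_steps.add(step)
        return "ok"  # the inputs carry no information about who relayed them


def demo():
    secret, t0 = b"constructed-demo-seed", 1_153_980_000.0  # constructed values
    code = totp(secret, t0)  # what the token displays when the user types it in
    results = {}
    # Credentials passed on within 5 s of entry: still inside the step, accepted.
    results["forwarded_in_5s"] = Verifier("pw", secret).login("pw", code, t0 + 5)
    # Credentials stored and tried after the step rolled over: rejected.
    results["stored_90s"] = Verifier("pw", secret).login("pw", code, t0 + 90)
    # Second use of a code inside its own step: rejected by the replay cache.
    v = Verifier("pw", secret)
    v.login("pw", code, t0 + 5)
    results["second_use"] = v.login("pw", code, t0 + 10)
    return results
```

Expiry and single-use checks stop stored or reused codes; they do not tell the server whether the first submission inside the window came from the customer's browser or from a site passing the entry along in real time.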