Phishers Defeat 2-Factor Auth

Lance James lancej at securescience.net
Mon Jul 10 18:08:17 EDT 2006


Full article at http://blog.washingtonpost.com/securityfix/

Citibank Phish Spoofs 2-Factor Authentication
Security experts have long touted the need for financial Web sites to move
beyond mere passwords and implement so-called "two-factor authentication" --
the second factor being something the user has in their physical possession
like an access card -- as the answer to protecting customers from phishing
attacks that use phony e-mails and bogus Web sites to trick users into
forking over their personal and financial data.

These methods work, however, only so long as the bad guys don't fake those
as well. Take this latest phish, spotted by the people over at Secure
Science Corp. It uses an impressively crafted Web-based e-mail that targets
users of Citibank's Citibusiness service, which -- as its name suggests --
caters to businesses. Citibusiness also requires customers who want to log
into their accounts online to use a supplied token in addition to their user
name and password. The small device generates an additional password that
changes every minute or so.

The scam e-mail says someone (a nice touch added here -- the IP address of
the imaginary suspect) has tried to log in to your account and that you
need to "confirm" your account info. Not a whole lot that's revolutionary
there, but when you click on the link, you get a very convincing site that
looks identical to the Citibusiness login page, complete with a longish Web
address that at first glance appears to end in "Citibank.com," but in fact
ends at a Web site in Russia called "Tufel-Club.ru."

The site asks for your user name and password, as well as the
token-generated key. If you visit the site and enter bogus information to
test whether the site is legit -- a tactic used by some security-savvy
people -- you might be fooled. That's because this site acts as the "man in
the middle" -- it submits data provided by the user to the actual
Citibusiness login site. If that data generates an error, so does the
phishing site, thus making it look more real.

Update, 4:41 p.m. ET: I forgot to mention that while this phishing site was
active late last week and during the weekend, it has since been shut down.

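The mechanism the article describes (the look-alike site forwarding the token code to the real login page in real time) is worth seeing in code, because it shows exactly what the bank's verifier can and cannot tell. The following is an added, self-contained simulation, not code from the article, Secure Science, or Citibank: it implements a standard HOTP/TOTP code generator (RFC 4226 truncation, 60-second step to match the "changes every minute or so" token), a bank-side verifier, and a relay that submits a code typed on the phishing page a few seconds later. It then contrasts that with an origin-bound challenge/response, a simplified stand-in (HMAC instead of a public-key signature) for the origin binding that FIDO/WebAuthn-style authenticators perform. All keys, origins (`bank.example`, `phish.example`) and function names are constructed placeholders.

```python
"""Added illustration: a relayed one-time code is accepted because the bank
cannot tell where it was typed; an origin-bound factor fails when relayed.
Demo only; every key and origin below is a constructed placeholder."""
import hashlib
import hmac
import secrets
import struct

# --- Constructed demo material (hypothetical, not real credentials) ---
TOKEN_SEED = b"demo-token-seed-not-a-real-secret"   # shared by token and bank
DEVICE_KEY = b"demo-device-key-not-a-real-secret"   # shared by device and bank
BANK_ORIGIN = "https://bank.example"                # hypothetical real site
PHISH_ORIGIN = "https://phish.example"              # hypothetical look-alike
STEP_SECONDS = 60                                   # token code changes each minute


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the current time step."""
    return hotp(secret, int(now // step))


def bank_verify_totp(code: str, now: float, step: int = STEP_SECONDS) -> bool:
    """The bank accepts the current step and the previous one (clock skew and
    typing delay). Nothing in the code says where it was typed."""
    counter = int(now // step)
    return any(hmac.compare_digest(code, hotp(TOKEN_SEED, c))
               for c in (counter, counter - 1))


def relay_attack_passes(now: float, relay_delay: float = 5.0) -> bool:
    """Victim types the token code into the look-alike page at `now`; the
    phishing site forwards it to the real bank `relay_delay` seconds later.
    Within the validity window the bank accepts it like any other login."""
    code_typed_on_phish = totp(TOKEN_SEED, now)
    return bank_verify_totp(code_typed_on_phish, now + relay_delay)


# --- Origin-bound challenge/response: simplified stand-in for the origin
# binding done by FIDO/WebAuthn-style authenticators (HMAC, not a signature) ---

def device_sign(challenge: bytes, origin_seen_by_browser: str) -> str:
    """The device answers the bank's challenge bound to the origin the browser
    is actually connected to. The user types nothing that can be relayed."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def bank_verify_origin_bound(challenge: bytes, response: str) -> bool:
    """The bank recomputes the response over its own origin only."""
    expected = device_sign(challenge, BANK_ORIGIN)
    return hmac.compare_digest(expected, response)


def legitimate_login_origin_bound(challenge: bytes = None) -> bool:
    """Browser is on the real site: response verifies."""
    if challenge is None:
        challenge = secrets.token_bytes(32)
    return bank_verify_origin_bound(challenge, device_sign(challenge, BANK_ORIGIN))


def relay_attack_origin_bound(challenge: bytes = None) -> bool:
    """Phishing site relays the bank's challenge, but the victim's browser is
    on the phishing origin, so the relayed response does not verify."""
    if challenge is None:
        challenge = secrets.token_bytes(32)
    relayed = device_sign(challenge, PHISH_ORIGIN)
    return bank_verify_origin_bound(challenge, relayed)


if __name__ == "__main__":
    t = 1_000_000.0
    print("relayed TOTP accepted:", relay_attack_passes(t))
    print("relayed TOTP, 130 s later:", relay_attack_passes(t, relay_delay=130.0))
    print("legit origin-bound login:", legitimate_login_origin_bound())
    print("relayed origin-bound login:", relay_attack_origin_bound())
```

The point for defenders: a code the user reads off a device and types in is just another secret that can be forwarded, so its only protection against a real-time relay is the short validity window (the 130-second case above fails only because the code has expired). Binding the factor to the origin the browser is actually on, or to the specific transaction being authorized, is what removes the relay from the picture.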
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com