Failure of Two-Factor Authentication
Here’s a report of phishers defeating two-factor authentication using a man-in-the-middle attack.
The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit—a tactic used by some security-savvy people—you might be fooled. That’s because this site acts as the “man in the middle”—it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
I predicted this last year.
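To make the failure concrete, here is an added simulation (not code from the post or from the report it quotes): a bank that checks a password plus a time-based token code accepts those values no matter which page the user typed them into, so a real-time relay passes; a response that the client binds to the origin it is actually connected to (the principle behind FIDO/WebAuthn authenticators) is rejected when relayed from another origin. All origins, the seed and the password are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; none of these come from the article or any real bank.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example.test"   # hypothetical relay site
SEED = b"constructed-shared-secret"                 # token seed shared with the bank
PASSWORD = "correct horse"

def otp_code(seed: bytes, t: int, step: int = 30) -> str:
    """RFC 6238-style 6-digit code; depends only on the seed and the time step."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10**6:06d}"

def bank_checks_otp(password: str, code: str, t: int) -> bool:
    """The real site as described: password plus token code, nothing else."""
    return password == PASSWORD and hmac.compare_digest(code, otp_code(SEED, t))

def relay_scenario_otp(t: int) -> bool:
    """User types password and live code into the relay page; the relay forwards
    them unchanged. The bank has no way to tell which page they were typed on."""
    typed = (PASSWORD, otp_code(SEED, t))      # user's own token, current code
    return bank_checks_otp(*typed, t)          # forwarded verbatim -> accepted

def origin_bound_response(seed: bytes, origin: str, challenge: bytes) -> str:
    """Client side: the response mixes in the origin the browser is actually
    connected to. The user never sees or types this value."""
    return hmac.new(seed, challenge + origin.encode(), hashlib.sha256).hexdigest()

def bank_checks_origin_bound(challenge: bytes, response: str) -> bool:
    """Bank recomputes with its own origin; any other origin yields a mismatch."""
    expected = origin_bound_response(SEED, BANK_ORIGIN, challenge)
    return hmac.compare_digest(response, expected)

def relay_scenario_origin_bound(challenge: bytes) -> bool:
    """The bank's challenge is relayed to the victim's browser, which answers for
    the relay's origin; the relay forwards that answer to the bank."""
    victim_answer = origin_bound_response(SEED, PHISH_ORIGIN, challenge)
    return bank_checks_origin_bound(challenge, victim_answer)

if __name__ == "__main__":
    t = 1_152_698_400  # constructed fixed timestamp for reproducibility
    print("OTP relay accepted:", relay_scenario_otp(t))                        # True
    print("Origin-bound relay accepted:", relay_scenario_origin_bound(b"c1"))  # False
```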
Mads Krog-Jensen • July 12, 2006 8:10 AM
You have a point however, it’s not just that easy. Yes this works in a lab, but there are many factors to consider here.
This is more of a phishing issue. There is only “so much” you can do for user mistakes, and frankly, visiting a bogus site like the one in the article is a user mistake (just like going to a bogus eBay site or similar). I really don’t think that this is a two-factor authentication mistake.
I think that two-factor authentication does the job very well a long way, but you need to combine this with education, meaning proper training of the users involved.
Also, if people do visit the “right” site, the “man in the middle” also has some SSL to deal with and a certificate.
In general I like the idea of TFA – we use it here in our company, and if you have some systems that require that level of privacy or security, maybe you should consider removing them from the public internet.
I am much more worried about people “forgetting” to close their sessions, or Citrix apps on a public computer, than I am about a man-in-the-middle attack, but if I did not have two-factor authentication, I would not be sleeping at night.