Failure of Two-Factor Authentication
Here's a report of phishers defeating two-factor authentication using a man-in-the-middle attack.
The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
I predicted this last year.
Posted on July 12, 2006 at 7:31 AM • 63 Comments