The Failure of Two-Factor Authentication
In 2005, I wrote an essay called “The Failure of Two-Factor Authentication,” where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.
This BBC article describes exactly that:
After logging in to the bank’s real site, account holders are being tricked by the offer of training in a new “upgraded security system”.
Money is then moved out of the account but this is hidden from the user.
Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.
The solution is to authenticate the transaction, not the person.
EDITED TO ADD (2/6): Another link.