Kougar
07-12-2006, 03:01 AM
So much for this stuff being secure! I guess it really just shows that once you factor people into the equation, nothing is really secure... :roll:
Two-factor authentication has been touted as a solution to the problem of users giving up their passwords too easily. One group of phishers is determined to prove otherwise, as a recent attack demonstrates.
On the surface, two-factor authentication is a relatively simple solution. In order to log in to a protected site, users must enter a password as well as a second bit of information. In the case of Citibank and a handful of other financial institutions, users are given a USB dongle which displays a passphrase or string of numbers that updates every 60 seconds. It is only when the correct password is paired with a valid passphrase generated by the token that the user is granted access to their account information.
A group of phishers operating out of a Russian website attempted to trick Citibank customers in the customary manner, by directing them to a lookalike website and asking for the usual personal information. As an added bonus, the phishers also asked for the passphrase generated by the token. Once they had both pieces of the authentication information, they would presumably then transmit it onto Citibank within a 60-second time period and go about their nefarious business. It's a simple adaptation of existing methods: just add an additional field to existing forms and they are all set.
Quoted article taken from http://arstechnica.com/news.ars/post/20060711-7237.html
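To make the article's point concrete from the verifier's side, here is an added example (not from the article, and not Citibank's actual scheme): a simplified HOTP-style token that rotates every 60 seconds, a server check with the usual step window, and a contrasting origin-bound challenge-response in the style of U2F/WebAuthn. The shared seed, timestamps and origin names are constructed for illustration.

```python
import hmac
import hashlib
import struct

STEP = 60  # token display rotates every 60 seconds, as described in the article


def otp(secret: bytes, t: int, step: int = STEP) -> str:
    """HOTP-style 6-digit code for the time step containing `t` (simplified model)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_otp(secret: bytes, code: str, now: int, step: int = STEP, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `skew` steps either side.
    The server only sees time and the code, so it cannot tell a typed code from a relayed one."""
    return any(hmac.compare_digest(otp(secret, now + i * step, step), code)
               for i in range(-skew, skew + 1))


def bound_response(secret: bytes, origin: str, challenge: bytes) -> str:
    """Origin-bound response: the authenticator signs the server's challenge together with
    the origin the user is actually talking to (the idea behind U2F/WebAuthn)."""
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def verify_bound(secret: bytes, origin: str, challenge: bytes, response: str) -> bool:
    """The real site verifies against its own origin, so a response produced for a lookalike
    origin does not match even if it is relayed within the challenge's lifetime."""
    return hmac.compare_digest(bound_response(secret, origin, challenge), response)


def demo() -> tuple:
    secret = b"constructed-shared-seed"   # constructed seed, not a real token secret
    t0 = 1_152_662_460                    # constructed timestamp (a 60-second step boundary)
    code = otp(secret, t0)
    # A code captured at t0 still verifies 30 seconds later: the time window alone is no defence.
    relayed_code_accepted = verify_otp(secret, code, t0 + 30)
    challenge = b"constructed-nonce-123"
    # The user is tricked into answering a challenge on a lookalike origin; the response binds
    # that origin, so the genuine site rejects it.
    phished = bound_response(secret, "login.lookalike.example", challenge)
    relayed_bound_rejected = not verify_bound(secret, "online.bank.example", challenge, phished)
    return relayed_code_accepted, relayed_bound_rejected
```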