Attackers are targeting Citibank in a "man-in-the-middle" attack that circumvents the company's hardware tokens, which generate one-time-use passwords for customers.

Gregg Keizer, Contributor

July 14, 2006

2 Min Read

Nearly three-dozen phishing Web sites are scamming Citibank business customers with a new scheme that hijacks accounts even though the users are protecting their information with state-of-the-art two-factor authentication, a security firm said Friday.

According to U.K.-based Netcraft, the ploy is a "man-in-the-middle" scam that tricks users into entering a second authenticator generated by a physical security token. That token cranks out one-time passwords which are valid for about a minute, and are required -- along with the usual username and password -- to access an online account.

Dubbed "man-in-the-middle" because the technique passes the actual token-generated password to the real Citibank site -- leaving the phishing site between user and bank -- the scam effectively lets the phisher successfully sign on on behalf of the victim, said Netcraft.

Two-factor authentication like that provided by secondary tokens was recommended by the Federal Financial Institutions Examination Council (FFIEC) last year when it told banks and other financial institutions to beef up online transaction security. In particular, one-time passwords make keylogging Trojans moot, since by the time the keylogger transmits the password to the hacker, the password is useless.

About 35 phishing sites using the strategy have been spotted by Netcraft; all are based in Russia. Some are reportedly still in operation.

"While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community," wrote Internet Storm Watch analyst Jason Lam in an online alert Wednesday.

"This is a classic problem of 'you are only as secure as the weakest link,'" added Lam. "Two-factor authentication is good for secure authentication but does not take care of mutual authentication or endpoint security."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights