
July 13, 2006

Attacks on two-factor authentication...

Not a good thing:

Phishers are seeking to circumvent two-factor authentication schemes using man-in-the-middle attacks. Last October, US federal regulators urged banks to adopt two-factor authentication as a means to combat the growing problem of online account fraud.

Two-factor authentication involves the use of a password-generating device along with conventional passwords. That means a thief must know more than just a password to gain access to a user's account. Although the technology helps guard against fraud, a recent attack against Citibank shows the technique is far from foolproof.

A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. These authentication key codes change every minute or so.

Two-factor authentication has been around for a while now, but its use has usually been limited to VPN tunnels, corporate nets, etc. Giving consumers a number-generating "token" to authenticate access in addition to a password has been done in Europe and is growing in the US.

So, a bank or company requires you to use a password, for your security and theirs. They then give you a token and say "key in the number you see on here." Still, people get suckered by phishing sites. Social engineering is powerful, and the old Fox Mulder axiom "trust no one" is so apropos today.
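To make the limitation concrete, here is an added example (not from the article, and not Citibank's or any vendor's actual scheme) that models a token whose code rotates every 60 seconds and a bank-side verifier that accepts each code only once. The seed, the timestamp and the HOTP-style truncation are constructed assumptions; the point it shows is that one-time-use checking stops a captured code from being reused, but cannot tell a code relayed by a phisher within the window from one typed by the customer.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60  # the article: codes "change every minute or so"


def token_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Code the customer's token would display at time `now`.
    HOTP-style dynamic truncation over the current time step
    (constructed model, not any real vendor's algorithm)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Bank-side check: code must match the current step and must
    not have been accepted before (one-time use)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()  # (step, code) pairs already consumed

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        if not hmac.compare_digest(code, token_code(self.secret, now)):
            return False  # wrong for this step, or the step has rolled over
        if (step, code) in self.used:
            return False  # same code presented a second time
        self.used.add((step, code))
        return True


def demo() -> dict:
    secret = b"constructed-demo-seed"  # constructed sample seed
    bank = OtpVerifier(secret)
    t = (1_152_790_000 // STEP_SECONDS) * STEP_SECONDS  # constructed step boundary
    code = token_code(secret, t)  # what the customer typed into the bogus page
    # Presented 20 s later, still inside the window: the verifier has no way to
    # know this submission did not come from the customer's own browser.
    within_window = bank.verify(code, t + 20)
    # The same code presented again is refused (one-time use).
    second_use = bank.verify(code, t + 30)
    # A code held until the token has rolled over twice is useless.
    stale = bank.verify(code, t + 2 * STEP_SECONDS)
    return {"within_window": within_window, "second_use": second_use, "stale": stale}
```

Real deployments add what this toy cannot: binding the code to the transaction or to the origin the customer is actually talking to, which is the gap the article's attack exploits.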

Posted by Edward J. Branley at 11:12 AM