
[WEB SECURITY] Phishing attacks circumventing two-factor auth



Brian Krebs (washingtonpost.com) has a good write-up about a recent phishing attack specifically designed to circumvent two-factor authentication. The technique used a fake web page acting as a man-in-the-middle between the user and the real website. A simple hack proving a good point. How can a user defend themselves with any kind of solution if they can't tell whether or not a website is real?

Citibank Phish Spoofs 2-Factor Authentication
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html


"Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data."



----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



