blog.washingtonpost.com — Phishers have now started phishing for the two-factor token code from victims. The most interesting part is that these tokens only give you one minute to log in to the bank before the code expires. The phishers employ a man-in-the-middle attack between the victim and Citibank, logging in via a PHP proxy script and conducting money transfers immediately when
Jul 10, 2006
rkuchiki, Jul 11, 2006
The problem with the 'man-in-the-middle' proxy is that it would be pretty hard to defeat it. For all the banking machine knows, you are just at a terminal in Russia logging in. The only thing I can think of off the top of my head to prevent this kind of crap, aside from *proper education of users*, would be an IP white list configurable from your account. Thus if you accidentally hit a phishing site, the proxy would not be in the white list. Then again, anyone smart enough to set up a white list would also be smart enough to not fall for a phishing site.
stesun, Jul 11, 2006
How hard is it to add challenge-response authentication also when the user makes a transfer, rendering all these attacks useless?
br0ck, Jul 11, 2006
I don't see how the picture adds any protection against this attack. The attacking site asks for your name and password, which they submit to the bank. The bank sends them the picture and the attacker simply displays to you the picture that the bank sent them. You then enter the keyfob code and now the attacker can use that to access the account.
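The two comments above (stesun's suggestion of a challenge-response step on each transfer, and br0ck's point that a login-time code is simply relayed) are both about whether the one-time code is bound to anything. The following is an added illustration, not code from the Washington Post post or from any bank: a toy transaction-signing scheme in which the bank issues a challenge naming the destination, amount and a one-time nonce, the customer's token computes an HMAC over that challenge, and the bank verifies the code against the transfer it was actually asked to execute. The seed, account numbers and amounts are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo seed shared by the bank and the customer's token device.
# In a real deployment it would live in the hardware token and the bank's HSM.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-key"


def token_response(seed: bytes, challenge: str) -> str:
    """Code the customer's token computes when the user keys in the challenge.

    Because the code is an HMAC over the challenge text, it is only valid for
    that exact destination, amount and nonce, unlike a time-only login code.
    """
    return hmac.new(seed, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class Bank:
    """Minimal bank side: one challenge per transfer, verified before execution."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.pending = {}   # nonce -> (dest, amount_cents) awaiting a response
        self.used = set()   # nonces already consumed, so a code cannot be replayed

    def issue_challenge(self, dest: str, amount_cents: int) -> str:
        nonce = secrets.token_hex(4)
        self.pending[nonce] = (dest, amount_cents)
        return f"{dest}|{amount_cents}|{nonce}"

    @staticmethod
    def parse_challenge(challenge: str):
        dest, amount, nonce = challenge.split("|")
        return dest, int(amount), nonce

    def verify_transfer(self, nonce: str, code: str) -> bool:
        """Recompute the code over the transfer the bank is about to execute,
        never over whatever text the customer happened to see."""
        if nonce in self.used or nonce not in self.pending:
            return False
        dest, amount_cents = self.pending[nonce]
        expected = token_response(self.seed, f"{dest}|{amount_cents}|{nonce}")
        if not hmac.compare_digest(expected, code):
            return False
        self.used.add(nonce)          # consume the nonce: one code, one transfer
        del self.pending[nonce]
        return True


def run_scenario() -> dict:
    bank = Bank(TOKEN_SEED)

    # Honest case: the customer wants to pay 50.00 to acct-1234. The bank's
    # challenge names exactly that transfer and the token signs it.
    challenge = bank.issue_challenge("acct-1234", 5000)
    _, _, nonce = Bank.parse_challenge(challenge)
    code = token_response(TOKEN_SEED, challenge)
    honest = bank.verify_transfer(nonce, code)

    # Replaying the same code a second time fails: the nonce is consumed.
    replayed = bank.verify_transfer(nonce, code)

    # Relay case: a proxy asks the bank to pay acct-9999 but shows the customer
    # a forged challenge naming acct-1234 with the bank's nonce. The token signs
    # what the customer saw, so the code does not match the bank's transfer.
    bank_challenge = bank.issue_challenge("acct-9999", 5000)
    _, _, nonce2 = Bank.parse_challenge(bank_challenge)
    forged_view = f"acct-1234|5000|{nonce2}"
    code2 = token_response(TOKEN_SEED, forged_view)
    tampered = bank.verify_transfer(nonce2, code2)

    return {"honest": honest, "replayed": replayed, "tampered": tampered}


if __name__ == "__main__":
    print(run_scenario())
```

The caveat a practitioner should keep in view: the binding only helps if the customer actually reads the destination and amount in the challenge before keying it into the token. A proxy that shows the customer the bank's real challenge (naming the attacker's account) would receive a valid code, so the displayed challenge has to be something the customer is trained to check, which is where the user-education comments later in this thread come back in.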
gorkish, Jul 11, 2006
The real missing piece of the puzzle is that the end users do not have their own public keys. This is one-ended authentication. You have to authenticate to the bank but the bank does not have to authenticate to you. Web browsers support browser certificates but who uses them? Obviously not banks. What's worse is that they come up with all these ridiculous methods like "We will show you a picture that only YOU have provided!" or some other s**t that will cave in under a MiM attack. Too much focus is being put on making sure the customer is talking to the bank when all that you have to do is put some responsibility on the bank to make sure they are talking to the customer...
pkkid, Jul 11, 2006
Easiest solution when logging into your bank: NEVER click on links to your bank or any online store. ALWAYS type in the URL yourself.
again, Jul 12, 2006
There are three parts to the solution to this problem. The first is the existence of the SSL protocol which allows the authentication of remote hosts. This is the part of the solution that we already have. The second part is that we have to get the implementation of SSL correct both in terms of the browser interface (to make it as absolutely easy as possible for people to follow very simple and clear rules to work out whether or not they are dealing with a site they can trust) and in terms of the PKI infrastructure (to reduce as much as possible the opportunity for failure in this area). I think a lot of the elements of this part of the solution are already in place and there is work progressing on the others -- ultimately perhaps the thing which will slow this down the most is the deployment of browsers which implement these sorts of things and getting these out to enough people to actually make a difference. The third part of the solution is user education, specifically getting them to know how to interact with the browser in a reliable way and also to be able to verify the identity of the site they're dealing with by doing things such as checking the name of the site on the certificate. Of course, this third part of the solution has proven to be the most difficult but ultimately if people continue to lose money then perhaps they will eventually have enough incentive to take sufficient care!
trinitronx, Jan 21, 2008
Quite true. Too bad there's no patch for a PEBKAC.
cardcracker, Jun 29, 2008
The solution to the greatest problem may be very simple, perhaps if we focus on the origin of the entire financial system that is too much dependent on numbers, i.e. credit/debit card numbers. Instead of focusing on the numbers we are focusing on the means of securing the commuting and storing processes of these numbers. I guess it is the time to play with numbers :)