Phishers Defeat 2-Factor Auth
user name
2006-07-10 22:08:17
Full article at http://blog.washingtonpost.com/securityfix/

Citibank Phish Spoofs 2-Factor Authentication

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

These methods work, however, only so long as the bad guys don't fake those as well. Take this latest phish, spotted by the people over at Secure Science Corp. It uses an impressively crafted Web-based e-mail that targets users of Citibank's Citibusiness service, which -- as its name suggests -- caters to businesses. Citibusiness also requires customers who want to log into their accounts online to use a supplied token in addition to their user name and password. The small device generates an additional password that changes every minute or so.

The scam e-mail says someone (a nice touch added here -- the IP address of the imaginary suspect) has tried to log in to your account and that you need to "confirm" your account info. Not a whole lot that's revolutionary there, but when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in "Citibank.com," but in fact ends at a Web site in Russia called "Tufel-Club.ru."

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

Update, 4:41 p.m. ET: I forgot to mention that while this phishing site was active late last week and during the weekend, it has since been shut down.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Phishers Defeat 2-Factor Auth
user name
2006-07-11 17:38:34
Lance James wrote:
> Full article at http://blog.washingtonpost.com/securityfix/

happened to mention more than a year ago ... that it would be subject to mitm-attacks ... recent comment on the subject:
http://www.garlic.com/~lynn/aadsm24.htm#33 Threatwatch - 2-factor tokens attacked by phishers.

in a thread in this mailing list more than a year ago:
http://www.garlic.com/~lynn/aadsm19.htm#20 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#21 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#22 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security

... and so on

Phishers Defeat 2-Factor Auth
user name
2006-07-11 17:59:50
Yep, the phishers finally started doing it. If it becomes a threat to them, they will adapt.

-----Original Message-----
From: owner-cryptography@metzdowd.com [mailto:owner-cryptography@metzdowd.com] On Behalf Of Anne & Lynn Wheeler
Sent: Tuesday, July 11, 2006 10:39 AM
To: cryptography@metzdowd.com
Subject: Re: Phishers Defeat 2-Factor Auth
Phishers Defeat 2-Factor Auth
user name
2006-07-11 21:30:14
Lance James wrote:
> The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

So long as logins are registered and performed in a web page, rather than in the chrome, we are hosed.

Creating a login, and logging into it, has to be a browser and email client function, not a web page function.



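The relay the article describes, and the point of the last reply that login has to be a browser function rather than a web-page function, as an added simulation (not code from any post in this thread or from Citibank): a time-based token code is accepted by the bank whether the victim typed it into the real page or into a proxy page that forwards it within the same minute, while a response that the browser itself binds to the origin it actually loaded fails verification when relayed. TOKEN_SEED, the ".example" host names and the nonce are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values; not a real token seed and not real host names.
TOKEN_SEED = b"constructed-demo-token-seed"
BANK_ORIGIN = "citibusiness.example"   # the genuine login site
PHISH_ORIGIN = "tufel-club.example"    # the look-alike proxy site

def totp(seed: bytes, now: int, step: int = 60) -> str:
    """Time-based code like the token that 'changes every minute or so'."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def bank_verify_totp(seed: bytes, code: str, now: int) -> bool:
    """Bank side: accept the current window or one on either side (clock skew)."""
    return any(hmac.compare_digest(code, totp(seed, now + d)) for d in (-60, 0, 60))

def client_sign(seed: bytes, challenge: bytes, origin: str) -> str:
    """Browser-side authenticator: the response covers the origin the browser
    really loaded, which a form field on a web page can never supply."""
    return hmac.new(seed, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()

def bank_verify_bound(seed: bytes, challenge: bytes, response: str) -> bool:
    """Bank side: the response verifies only if it was made for BANK_ORIGIN."""
    return hmac.compare_digest(client_sign(seed, challenge, BANK_ORIGIN), response)

def simulate(now=None) -> dict:
    """Run both schemes through a relaying proxy and report what the bank accepts."""
    now = int(time.time()) if now is None else now
    # Scheme 1: the victim types the token code into the proxy page and the proxy
    # forwards exactly that string to the bank inside the same one-minute window.
    relayed_code = totp(TOKEN_SEED, now)
    # Scheme 2: the bank issues a challenge; the victim's browser signs it together
    # with the origin it is really talking to. Forwarding the signature cannot fix that.
    challenge = b"constructed-nonce-0001"
    direct = client_sign(TOKEN_SEED, challenge, BANK_ORIGIN)
    via_proxy = client_sign(TOKEN_SEED, challenge, PHISH_ORIGIN)
    return {
        "otp_relay_accepted": bank_verify_totp(TOKEN_SEED, relayed_code, now),
        "bound_direct_accepted": bank_verify_bound(TOKEN_SEED, challenge, direct),
        "bound_relay_accepted": bank_verify_bound(TOKEN_SEED, challenge, via_proxy),
    }

if __name__ == "__main__":
    print(simulate())
```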