Citibank Phish Spoofs 2-Factor Authentication
A new phishing site was recently located that defeated the two-factor authentication in use by Citibank by conducting a man-in-the-middle attack: the fake site relayed what the victim entered, including the one-time token code, to the real bank site. Two-factor authentication is any authentication protocol that requires two independent ways to establish identity and privileges. By requiring a combination of something you know (e.g. a username and password), something you have (e.g. a token or smart card), or something you are (e.g. biometrics), security is greatly enhanced. This contrasts with traditional password authentication, which requires only one factor (knowledge of a password) in order to gain access to a system.
Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called “two-factor authentication” — the second factor being something the user has in their physical possession like an access card — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.
This attack was fairly complex and done exceptionally well. Most security experts would have been able to spot it immediately; however, a lay person might not know any better. It goes to show that just because something is two-factor does not automatically mean that the entirety of its security design is better than if it were single-factor: a second factor that can be relayed through a site the user mistakes for the real one adds little against this kind of attack.
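The following added example (written for this page, not code from the original post or from Citibank) shows in a few lines why the relay described above works against a plain one-time token code and what property a second factor needs in order to resist it. A one-time code carries no information about which site the user typed it into, so the bank verifies a relayed code exactly as it would a legitimate one. An assertion that is computed over the origin the browser actually connected to (the approach later standardized as FIDO/WebAuthn) fails verification when it was produced on a look-alike site. The origins, keys and challenges are constructed for the demo, and an HMAC stands in for the authenticator's per-site signature so the script runs with the standard library only.

```python
"""
Added illustration: a relayed one-time code still verifies; an origin-bound
assertion does not. All origins, keys and challenges are constructed for the demo.
"""
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"        # constructed: the genuine site
PHISH_ORIGIN = "https://bank-example.net"   # constructed: the look-alike site


def hotp_like_code(shared_secret: bytes, counter: int) -> str:
    """Six-digit HMAC-based one-time code (HMAC-SHA1, dynamic truncation, mod 10^6),
    the scheme behind most token-style second factors."""
    digest = hmac.new(shared_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def bank_verifies_code(shared_secret: bytes, counter: int, submitted_code: str) -> bool:
    """The bank recomputes the code; it has no way to learn where it was typed."""
    return hmac.compare_digest(hotp_like_code(shared_secret, counter), submitted_code)


def device_assertion(device_key: bytes, origin_seen_by_browser: str, challenge: bytes) -> bytes:
    """The authenticator binds the origin the browser reports into what it signs.
    A real FIDO/WebAuthn authenticator signs with a per-site key pair; an HMAC
    with a per-device key stands in for that signature here."""
    message = origin_seen_by_browser.encode() + challenge
    return hmac.new(device_key, message, hashlib.sha256).digest()


def bank_verifies_assertion(device_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The bank only ever checks against its own origin, so an assertion made
    for any other origin cannot verify, no matter how it was relayed."""
    expected = hmac.new(device_key, BANK_ORIGIN.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relayed_one_time_code(shared_secret: bytes, counter: int) -> bool:
    """Model of the attack in the post: the user types the code into the fake
    site, which forwards it unchanged to the bank. Returns the bank's verdict."""
    code_typed_on_phish = hotp_like_code(shared_secret, counter)
    return bank_verifies_code(shared_secret, counter, code_typed_on_phish)


def relayed_origin_bound_assertion(device_key: bytes, challenge: bytes) -> bool:
    """Same relay, but the browser is on the look-alike origin, so that is
    what the authenticator binds. Returns the bank's verdict."""
    assertion = device_assertion(device_key, PHISH_ORIGIN, challenge)
    return bank_verifies_assertion(device_key, challenge, assertion)


def demo() -> dict:
    """Run both scenarios plus a genuine login with the origin-bound scheme."""
    shared_secret = secrets.token_bytes(20)   # constructed token seed
    device_key = secrets.token_bytes(32)      # constructed authenticator key
    challenge = secrets.token_bytes(32)       # constructed per-login challenge
    genuine = device_assertion(device_key, BANK_ORIGIN, challenge)
    return {
        "relayed_code_accepted": relayed_one_time_code(shared_secret, counter=1),
        "relayed_assertion_accepted": relayed_origin_bound_assertion(device_key, challenge),
        "genuine_assertion_accepted": bank_verifies_assertion(device_key, challenge, genuine),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'ACCEPTED' if accepted else 'rejected'}")
```

The one-time code function follows the HOTP construction (RFC 4226), so it reproduces that RFC's published test vectors; the point of the demo is the contrast in `demo()`: the relayed code is accepted every time, the relayed origin-bound assertion never is, and a genuine login with the same device key still succeeds. Detection on the bank side for the relayed-code case has to come from elsewhere (the session's source address, device fingerprint or timing), because the credential itself is indistinguishable.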