Re: Phishers Defeat 2-Factor Auth
Lance James wrote:
> The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

So long as logins are registered and performed in a web page, rather than in the chrome, we are hosed. Creating a login, and logging into it, has to be a browser and email client function, not a web page function.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Phishers Defeat 2-Factor Auth
Yep, the phishers finally started doing it. If it becomes a threat to them, they will adapt.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anne & Lynn Wheeler
Sent: Tuesday, July 11, 2006 10:39 AM
To: cryptography@metzdowd.com
Subject: Re: Phishers Defeat 2-Factor Auth

Lance James wrote:
> Full article at http://blog.washingtonpost.com/securityfix/

happen to mention more than a year ago ... that it would be subject to mitm-attacks ... recent comment on the subject
http://www.garlic.com/~lynn/aadsm24.htm#33 Threatwatch - 2-factor tokens attacked by phishers.

in thread in this mailing list more than a year ago
http://www.garlic.com/~lynn/aadsm19.htm#20 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#21 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#22 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security
... and so on
Re: Phishers Defeat 2-Factor Auth
Lance James wrote:
> Full article at http://blog.washingtonpost.com/securityfix/

happen to mention more than a year ago ... that it would be subject to mitm-attacks ... recent comment on the subject
http://www.garlic.com/~lynn/aadsm24.htm#33 Threatwatch - 2-factor tokens attacked by phishers.

in thread in this mailing list more than a year ago
http://www.garlic.com/~lynn/aadsm19.htm#20 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#21 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#22 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security
... and so on
Phishers Defeat 2-Factor Auth
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

Thought this might interest some.

-Lance James
Phishers Defeat 2-Factor Auth
Full article at http://blog.washingtonpost.com/securityfix/

Citibank Phish Spoofs 2-Factor Authentication

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. These methods work, however, only so long as the bad guys don't fake those as well.

Take this latest phish, spotted by the people over at Secure Science Corp. It uses an impressively crafted Web-based e-mail that targets users of Citibank's Citibusiness service, which -- as its name suggests -- caters to businesses. Citibusiness also requires customers who want to log into their accounts online to use a supplied token in addition to their user name and password. The small device generates an additional password that changes every minute or so.

The scam e-mail says someone (a nice touch added here -- the IP address of the imaginary suspect) has tried to log in to your account and that you need to "confirm" your account info. Not a whole lot that's revolutionary there, but when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in "Citibank.com," but in fact ends at a Web site in Russia called "Tufel-Club.ru."

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

Update, 4:41 p.m. ET: I forgot to mention that while this phishing site was active late last week and during the weekend, it has since been shut down.
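The article above explains why a time-based token does not stop a relaying site, and the reply earlier in the thread argues that the fix is to move the login into the browser chrome. The following Python model is an added example, written for this page and not taken from the article, the thread, or any of its posters. It shows both halves of that argument: a freshness-only one-time code is accepted by the bank no matter which page the user typed it into, whereas a challenge that the browser itself binds to the origin it observed fails verification when the user was on any other site. All secrets, the hostnames bank.example and phish.example, and the timestamp are constructed placeholders, and the "registered key" is a shared HMAC key standing in for the key pair a real design such as WebAuthn would use.

```python
import hashlib
import hmac
import secrets
import struct

# Everything below is constructed for the demo: the token secret, the registered
# key and both hostnames are placeholders, not values from any real deployment.
TOKEN_SECRET = b"constructed-demo-token-secret"
REGISTERED_KEY = b"constructed-demo-registered-key"
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://phish.example"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226-style one-time code: HMAC-SHA1 over the counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 60) -> str:
    """What the token's display shows: the HOTP code for the current time step."""
    return hotp(secret, now // step)


def bank_verify_totp(submitted: str, now: int, step: int = 60) -> bool:
    """The real login page's check: does the code match the current or previous
    step?  Note the inputs: nothing tells the bank WHERE the user typed the code."""
    current = now // step
    return any(hmac.compare_digest(submitted, hotp(TOKEN_SECRET, current - d)) for d in (0, 1))


def relayed_totp_login(now: int) -> bool:
    """The scenario from the article: the user reads the code off the token, types it
    into a page served from PHISH_ORIGIN, and that page forwards it to the bank
    unchanged within the same minute.  The bank accepts it, because a code that is
    merely fresh is not bound to the site it was entered on."""
    typed_on_phish_page = totp(TOKEN_SECRET, now)
    forwarded_to_bank = typed_on_phish_page  # passed through verbatim
    return bank_verify_totp(forwarded_to_bank, now)


# --- The alternative argued for in the thread: the login lives in the browser ---
# Simplification: the key registered with the bank is a shared HMAC key.  A real
# design (WebAuthn, for instance) uses a key pair so the bank never holds the
# signing key; the origin-binding logic is the same.

def browser_authenticator(challenge: bytes, observed_origin: str) -> bytes:
    """Runs in the chrome, not in the page.  The browser itself knows which origin
    the challenge arrived from and mixes that into the response; the page cannot
    substitute a different origin string."""
    msg = observed_origin.encode() + b"\x00" + challenge
    return hmac.new(REGISTERED_KEY, msg, hashlib.sha256).digest()


def bank_verify_bound(challenge: bytes, response: bytes) -> bool:
    """The bank recomputes over ITS OWN origin.  A response generated while the user
    was on any other origin fails, even though the challenge was relayed faithfully."""
    msg = BANK_ORIGIN.encode() + b"\x00" + challenge
    expected = hmac.new(REGISTERED_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def bound_login(origin_the_user_is_on: str) -> bool:
    """Direct login (origin == BANK_ORIGIN) succeeds; the same flow relayed through
    PHISH_ORIGIN fails, with no vigilance required of the user."""
    challenge = secrets.token_bytes(32)  # issued by the bank; a middleman can pass it through verbatim
    response = browser_authenticator(challenge, origin_the_user_is_on)
    return bank_verify_bound(challenge, response)


if __name__ == "__main__":
    now = 1_152_628_740  # constructed timestamp (11 July 2006)
    print("relayed OTP accepted by bank:", relayed_totp_login(now))   # True
    print("origin-bound login, direct:  ", bound_login(BANK_ORIGIN))   # True
    print("origin-bound login, relayed: ", bound_login(PHISH_ORIGIN))  # False
```

The contrast is in the verifier's inputs: `bank_verify_totp` receives only a code and the clock, so any site that can obtain a fresh code can present it; `bank_verify_bound` receives a response that already encodes the origin the browser saw, and the bank checks it against its own origin rather than trusting anything the page sent. Detection on the bank's side is also different: with the unbound code a relayed login is indistinguishable from a genuine one, while with the bound challenge a relay produces a verification failure the bank can log and alert on.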