[WEB SECURITY] Phishing attacks circumventing two-factor auth

Jeremiah Grossman jeremiah at whitehatsec.com
Mon Jul 10 17:13:10 EDT 2006

Brian Krebs (washingtonpost.com) has a good write-up about a recent phishing attack specifically designed to circumvent two-factor authentication. The technique used a fake web page acting as a man-in-the-middle between the user and the real website. A simple hack proving a good point. How can a user defend themselves with any kind of solution if they can't tell whether or not a website is real?

Citibank Phish Spoofs 2-Factor Authentication

"Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data."

