[WEB SECURITY] Phishing attacks circumventing two-factor auth

Nick Owen nowen at wikidsystems.com
Mon Jul 10 19:43:22 EDT 2006

> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
> Sent: Monday, July 10, 2006 5:13 PM
> To: Web Security
> Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth
> Brian Krebs (washingtonpost.com) has a good write up about a 
> recent phishing attack specifically designed to circumvent 
> two-factor authentication. The technique used a fake web page 
> acting as a man-in-the-middle between the user and the real 
> website. A simple hack proving a good point. How can a user 
> defend themselves with any kind of solution if they can't 
> tell whether or not a website is real?
> Citibank Phish Spoofs 2-Factor Authentication 
> http://blog.washingtonpost.com/securityfix/2006/07/
> citibank_phish_spoofs_2factor_1.html
> "Security experts have long touted the need for financial Web 
> sites to move beyond mere passwords and implement so-called 
> "two-factor authentication" -- the second factor being 
> something the user has in their physical possession like an 
> access card -- as the answer to protecting customers from 
> phishing attacks that use phony e-mails and bogus Web sites 
> to trick users into forking over their personal and financial data."

I think the 2FA for financial sites "debate" has suffered from a lack of
definition of the tasks at hand and that thinking in terms of session,
host/mutual and transaction authentication can provide a more useful
framework for solving problems such as MITM, session hijackers, etc.
Unfortunately, there is no easy answer or magic bullet (as usual), but
clearly there are ways to reduce fraud to acceptable/insurable levels.

My .02,


Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
Open source: http://sourceforge.net/projects/wikid-twofactor/
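Added example (not code from the original thread, from WiKID Systems, or from the Citibank case): a small model of the session vs. transaction authentication distinction the reply above draws. A session OTP proves the token is present, so a phishing page acting as a proxy can relay it to the real site and then submit its own transfer inside the authenticated session. A transaction code is an HMAC over the payee, amount and a bank-issued nonce that the user enters into the token, so the relayed code is worthless for the attacker's substituted transfer. The shared secret, account names, amounts and the HOTP-style truncation are constructed for the demonstration; nothing here is any vendor's protocol.

```python
"""Session OTP vs. transaction-bound code under a phishing man-in-the-middle.

Constructed demo: secrets, payees and amounts are made up; the code
formats imitate RFC 4226 truncation but are not any product's scheme.
"""
import hashlib
import hmac
import secrets
import struct

UTILITY = "ELECTRIC-CO"      # payee the user actually wants to pay
MULE = "MULE-ACCT-999"       # payee the phisher substitutes
DEMO_SECRET = b"constructed-shared-secret-for-demo"


def session_otp(secret: bytes, counter: int) -> str:
    """HOTP-style event code: proves possession of the token, but says
    nothing about what the resulting session will be used for."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def transaction_code(secret: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Code bound to the exact transaction the user approved on the token.
    Relaying it only helps an attacker who submits the same payee/amount/nonce."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


class Token:
    """The user's token: holds the secret and its event counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_session_otp(self) -> str:
        otp = session_otp(self.secret, self.counter)
        self.counter += 1
        return otp

    def sign_transaction(self, payee: str, amount_cents: int, nonce: str) -> str:
        # The user keys payee and amount into the token itself, so a
        # phishing page cannot change what gets signed.
        return transaction_code(self.secret, payee, amount_cents, nonce)


class Bank:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0            # kept in sync with the token's counter
        self.used_nonces = set()    # replay protection for transaction codes

    def login(self, otp: str) -> bool:
        ok = hmac.compare_digest(session_otp(self.secret, self.counter), otp)
        if ok:
            self.counter += 1
        return ok

    def new_transfer_nonce(self) -> str:
        return secrets.token_hex(8)

    def transfer_session_auth(self, logged_in: bool, payee: str, amount_cents: int) -> bool:
        """Session-authentication model: any request inside a logged-in
        session is taken as the user's intent."""
        return logged_in

    def transfer_txn_auth(self, payee: str, amount_cents: int, nonce: str, code: str) -> bool:
        """Transaction-authentication model: the code must match these details."""
        if nonce in self.used_nonces:
            return False
        expected = transaction_code(self.secret, payee, amount_cents, nonce)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.used_nonces.add(nonce)
        return ok


def honest_transfer(bank: Bank, token: Token) -> bool:
    nonce = bank.new_transfer_nonce()
    code = token.sign_transaction(UTILITY, 12_000, nonce)
    return bank.transfer_txn_auth(UTILITY, 12_000, nonce, code)


def phish_relay_session_otp(bank: Bank, token: Token) -> bool:
    """Fake page collects the OTP, the proxy logs in with it, then submits
    the attacker's transfer. Returns True if the fraud is accepted."""
    stolen_otp = token.next_session_otp()      # user typed it into the fake page
    logged_in = bank.login(stolen_otp)         # proxy forwards it to the real site
    return bank.transfer_session_auth(logged_in, MULE, 500_000)


def phish_relay_transaction_code(bank: Bank, token: Token) -> bool:
    """Same proxy, but the code is bound to what the user keyed into the token;
    rewriting payee/amount on the way to the bank breaks verification."""
    nonce = bank.new_transfer_nonce()                        # relayed honestly
    code = token.sign_transaction(UTILITY, 12_000, nonce)    # user signs own intent
    return bank.transfer_txn_auth(MULE, 500_000, nonce, code)


if __name__ == "__main__":
    print("honest transfer:", honest_transfer(Bank(DEMO_SECRET), Token(DEMO_SECRET)))
    print("MITM vs session OTP accepted:", phish_relay_session_otp(Bank(DEMO_SECRET), Token(DEMO_SECRET)))
    print("MITM vs transaction code accepted:", phish_relay_transaction_code(Bank(DEMO_SECRET), Token(DEMO_SECRET)))
```

The transaction code only helps if the user enters the payee and amount into a trusted device (or reads them from its display) rather than trusting the phishing page's rendering of them; an attacker who talks the user into keying the mule account into the token still wins. The six-digit truncation also means the bank must rate-limit verification attempts per nonce, and a real deployment would add a look-ahead window for the HOTP counter, which this model omits.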

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]