By John Leyden for The Register. This article has been reproduced with permission.
Two-factor authentication involves the use of a password-generating device along with conventional passwords. That means a thief must know more than just a password to gain access to a user's account. Although the technology helps guard against fraud, a recent attack against Citibank shows the technique is far from foolproof.
A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. These authentication key codes change every minute or so.
The fraudulent site is automated: it uses the captured information, while the one-time code is still valid, to log onto the real Citibusiness login site, giving the fraudsters access to the compromised accounts. The site, based in Russia, operated last week but has since been shut down, the Washington Post reports.
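To make the mechanism concrete, here is an added Python simulation (not code from the article, from Citibank, or from any token vendor): a time-based token of the kind described, the server-side check a login page would run with a one-step validity window, and a demonstration that a code handed to a relay site and presented within that window is accepted exactly as if the customer had typed it on the real site. It also shows, as a mitigation the article does not discuss, a variant that binds the code to the transaction details so a captured code cannot authorize a transfer to a different payee. The seed, the timestamp and the payee names are constructed sample values; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the current time step.
    A 60 s step matches the article's tokens, whose codes change 'every minute or so'."""
    return hotp(secret, now // step, digits)


class TokenVerifier:
    """Server-side check a login page would run. Accepts the code for the current
    step and for `drift` steps either side, so clock skew and typing delay are tolerated.
    Note that it cannot tell who is presenting the code: anyone holding a fresh code passes."""

    def __init__(self, secret: bytes, step: int = 60, drift: int = 1, digits: int = 6):
        self.secret, self.step, self.drift, self.digits = secret, step, drift, digits

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        return any(
            hmac.compare_digest(hotp(self.secret, current + delta, self.digits), code)
            for delta in range(-self.drift, self.drift + 1)
        )


def bind_secret(secret: bytes, payee: str, amount_cents: int) -> bytes:
    """Mitigation (assumed here, not described in the article): derive a per-transaction key
    from the shared seed and the transaction details. Token and bank both do this, so the
    resulting code only authorizes that exact payee and amount."""
    challenge = f"{payee}|{amount_cents}".encode()
    return hmac.new(secret, challenge, hashlib.sha256).digest()


# Constructed sample values: a demo seed (not a real token seed) and a mid-2006 timestamp.
SEED = b"constructed-demo-seed-not-a-real-token"
T0 = 1_150_000_000


def demo() -> dict:
    bank = TokenVerifier(SEED)
    # The customer types the current code into the bogus page at T0.
    captured = totp(SEED, T0)
    results = {
        # Presented to the real site 20 s later: still inside the window, so accepted.
        "relay_within_window": bank.verify(captured, T0 + 20),
        # The same code five minutes later is outside the window and is rejected.
        "relay_after_window": bank.verify(captured, T0 + 300),
    }
    # Transaction-bound variant: the customer's token signs the payee and amount they intend.
    intended = bind_secret(SEED, "ACME Supplies Ltd", 125_00)
    bound_code = totp(intended, T0)
    results["bound_code_authorizes_intended_transfer"] = TokenVerifier(intended).verify(bound_code, T0 + 20)
    # Reusing it for a different payee/amount fails: the bank derives a different key for those details.
    diverted = bind_secret(SEED, "Some Other Payee", 9_999_00)
    results["bound_code_authorizes_diverted_transfer"] = TokenVerifier(diverted).verify(bound_code, T0 + 20)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the first two results make is the one the article makes in prose: the verifier checks only that a code is fresh, not who is presenting it, so a code collected by a proxy site and forwarded within the minute is indistinguishable from the customer's own login. The bound variant closes that gap only for transactions whose details the customer's device can see and sign; a plain login code carries no such context.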
The attack confirms concerns from security expert Bruce Schneier that two-factor authentication schemes have been oversold as a silver-bullet solution to online identity fraud.
Banks in the Netherlands and Scandinavia have used two-factor authentication for years, and the technology is widely credited with helping to make account fraud more difficult. But the Citibank attack shows the growing sophistication of fraudsters, and undermines any notion that this approach delivers complete protection.
© The Register 2006