Citibank Hit With Phishing Attack
July 14, 2006 — (WEB HOST INDUSTRY REVIEW) — An ongoing phishing attack against Citibank (citibank.com) is employing man-in-the-middle tactics to overcome two-factor authentication and access online banking accounts, reports research and analysis firm Netcraft (netcraft.com).
The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which creates a one-time password that is valid for approximately one minute.
The one-time password is worthless to an attacker who captures it with a keylogging trojan: it no longer works once the victim has used it, and it gives the attacker no future access to the victim’s account.
However, by duping a victim into entering the one-time password and the rest of the login data into a form, the attacker’s site can automatically forward the authentication ID to the real Citibank site instantly, allowing the attacker to log in on behalf of the victim while the password is still valid.
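To make the two cases in the report concrete, the following added example (not code from the original report, Netcraft or Citibank) models a bank that accepts one-minute one-time passwords: a code captured by a keylogger and replayed later is rejected, a code relayed within the same minute is accepted, and an origin-bound response, which the scheme described above did not use, rejects the relayed login. The token seed, the origins and the 60-second step are assumed.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-demo-token-seed"  # seed shared by token and bank (constructed)
STEP = 60                                 # codes valid for one minute, as in the article


def otp_at(secret, t):
    """Time-stepped one-time password in the HOTP/TOTP style (6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", int(t) // STEP), hashlib.sha1).digest()
    return str(int.from_bytes(mac[-4:], "big") % 1_000_000).zfill(6)


class OtpBank:
    """Server side: a code is accepted once, and only during its own time step."""
    def __init__(self, secret):
        self.secret, self.used = secret, set()

    def login(self, code, now):
        if code != otp_at(self.secret, now) or code in self.used:
            return False
        self.used.add(code)
        return True


def replayed_later(now):
    """Keylogger case: the captured code is reused after its minute has passed."""
    bank, code = OtpBank(SECRET), otp_at(SECRET, now)
    bank.login(code, now)                    # victim's own login succeeds
    return bank.login(code, now + 2 * STEP)  # stale replay is rejected


def relayed_immediately(now):
    """Man-in-the-middle case: the code is forwarded within the same minute,
    so the bank cannot tell the relayed login from the victim's own."""
    return OtpBank(SECRET).login(otp_at(SECRET, now), now + 1)


def origin_bound_response(secret, challenge, origin):
    """Phishing-resistant variant (not the scheme in the article): the
    response covers the origin the user's browser is actually talking to."""
    return hmac.new(secret, challenge + b"|" + origin, hashlib.sha256).digest()


def origin_bound_login(bank_origin, seen_origin):
    """The bank issues a fresh challenge and checks the response against its
    own origin; a response produced for any other origin fails."""
    challenge = os.urandom(16)
    response = origin_bound_response(SECRET, challenge, seen_origin)
    return hmac.compare_digest(response, origin_bound_response(SECRET, challenge, bank_origin))
```

The last function is the defensive point: when the relay sits between the user and the bank, the user's browser sees the phishing origin, so a response bound to it fails verification at the real site.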