Bank Systems & Technology is part of the Informa Tech Division of Informa PLC



01:20 PM
Gregg Keizer, Tech Web, with reporting by Maria Bruno-Britz

Phishers Beat Citibank’s Two-Factor Authentication

Phishing scheme circumvents two-factor authentication.

Nearly three-dozen phishing Web sites have targeted Citibank (New York; more than $1 trillion in assets) business customers with a new scheme that circumvents two-factor authentication, reported Bath, England-based Netcraft in early July. The security firm says the ploy is a man-in-the-middle scam that tricks users into entering a second authenticator generated by a physical security token. Dubbed "man in the middle" because the technique passes the actual token-generated password to the real Citibank site -- leaving the phishing site between the user and the bank -- the scam effectively lets the phisher sign on on behalf of the victim, says Netcraft.
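To make the mechanism concrete, here is an added model (not from the article, Netcraft or Citibank) of why a token code relayed by a phishing page still verifies at the bank, alongside a contrast the article does not discuss: a response that also covers the hostname the client actually connected to, which a relay cannot reuse. The seed, hostnames and nonce are constructed values.

```python
import hashlib
import hmac

# Constructed values for the model: the seed shared between a customer's token and
# the bank, and the two hostnames a victim might be talking to.
SEED = b"constructed-token-seed"
BANK_ORIGIN = "bank.example"
PHISH_ORIGIN = "phish.example"
STEP = 30  # seconds each one-time code stays valid

def token_code(seed: bytes, now: int) -> str:
    """Time-based one-time code: a function of the seed and the clock only."""
    counter = (now // STEP).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"

def bank_accepts_code(code: str, now: int) -> bool:
    return hmac.compare_digest(code, token_code(SEED, now))

def relayed_code_accepted(now: int) -> bool:
    """The scheme in the article: the victim types the code into the phishing page,
    which forwards it unchanged to the real bank a few seconds later. Nothing in the
    code says which site the victim meant to log in to."""
    typed_by_victim = token_code(SEED, now)
    return bank_accepts_code(typed_by_victim, now + 5)  # same 30-second window

def origin_bound_response(seed: bytes, challenge: bytes, origin: str) -> str:
    """Response that also covers the hostname the client actually connected to."""
    return hmac.new(seed, challenge + origin.encode(), hashlib.sha256).hexdigest()

def bank_accepts_response(response: str, challenge: bytes) -> bool:
    return hmac.compare_digest(
        response, origin_bound_response(SEED, challenge, BANK_ORIGIN))

def relayed_response_accepted() -> bool:
    """Same relay, but the victim's software signs for the site it sees (the phishing
    host), so the forwarded response fails verification at the bank."""
    challenge = b"constructed-nonce-0001"  # issued by the bank, forwarded by the phisher
    signed_for_phisher = origin_bound_response(SEED, challenge, PHISH_ORIGIN)
    return bank_accepts_response(signed_for_phisher, challenge)

if __name__ == "__main__":
    print("relayed token code accepted:", relayed_code_accepted(1_000_000_000))  # True
    print("relayed origin-bound response accepted:", relayed_response_accepted())  # False
```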

The attacks, however, were not completely successful, the bank claims. "We moved quickly to have the fraudulent site closed down, and we are not aware of any customers who were affected by this scam," says Mark Rodgers, VP of public affairs with Citigroup.

"Man-in-the-middle attacks are a serious problem because they undermine fundamental security assumptions about a site," Jon Gossels, president of SystemExperts (Sudbury, Mass.), says. "You can no longer trust authentication credentials."

Citigroup's Rodgers acknowledges that phishing is an industrywide problem, noting that when the bank issued the tokens to its commercial users, it warned them to beware of such scams. "We continued to warn them about phishing e-mails and other types of online fraud," he says. Two-factor authentication, like that provided by secondary tokens, was recommended by the Federal Financial Institutions Examination Council (FFIEC) last year.

Education still is vital to thwarting phishing attacks, says SystemExperts' Gossels. "The Citi attacks show conclusively that strong authentication technology by itself cannot solve the phishing problem or the identity theft problem," he asserts. Banks "must train their customers not to divulge sensitive information from any unsolicited e-mail message. Further, they need to implement technology -- such as displaying a customer selected picture or symbol -- that makes it easy for customers to know that they are at the legitimate site."

According to SystemExperts VP Brad Johnson, "Now that a man-in-the-middle attack has been identified in this two-factor authentication bank case, we can assume there will be many other knock-off attempts."

Still, "Online banking and online transacting are, for the most part, safe, secure and convenient," Citigroup's Rodgers contends. "Continuing awareness of emerging and ongoing online scams is perhaps the best protection for consumers."

Courtesy of TechWeb, a CMP Media property.
