Phishers are seeking to circumvent two-factor authentication schemes using man-in-the-middle attacks. Last October, US federal regulators urged banks to adopt two-factor authentication as a means to combat the growing problem of online account fraud.

Two-factor authentication involves the use of a password-generating device along with conventional passwords. That means a thief must know more than just a password to gain access to a user's account. Although the technology helps guard against fraud, a recent attack against Citibank shows the technique is far from foolproof.

The fraudulent site is automated so it uses this information to log onto the real Citibusiness login site, allowing fraudsters access to compromised accounts. The site, based in Russia, operated last week but has since been shut down, the Washington Post reports.

The attack confirms concerns from security expert Bruce Schneier that two-factor authentication schemes have been oversold as a silver-bullet solution to online identity fraud.

Banks in the Netherlands and Scandinavia have used two-factor authentication for years, and the technology is widely credited with helping to make account fraud more difficult. But the Citibank attack shows the growing sophistication of fraudsters, and undermines any notion that this approach delivers complete protection. ®

Related stories

• WoW authenticators bypassed by middlemen hackers (2 March 2010)
• Fraudsters add IM to phishing attacks (17 September 2009)
• Code generator card fights fraud (2 December 2008)
• Updated Visa trials PIN payment card to fight online fraud (10 November 2008)
• Rogue nodes snoop on TOR traffic (23 November 2007)
• VeriSign will ship two-factor authentication for debit cards (1 May 2007)
• Phishing attack evades bank's two-factor authentication (19 April 2007)
• Man-in-the-Middle phishing kit netted (12 January 2007)
• HBOS to change website after security alert (24 October 2006)
• UK banking websites' security slammed (28 September 2006)
• A third of dodgy emails are phishing attacks (5 September 2006)
• Fear of fraud hampers UK online banking (23 January 2006)
• Phishing email poses as IRS tax refund (30 November 2005)
• Liberty Alliance pushes authentication standard (9 November 2005)
• US regulators mandate extra eBanking security (20 October 2005)
• Two-factor banking (19 October 2005)
• Lloyds TSB tests password-generators (18 October 2005)
• Phishing attack targets one-time passwords (12 October 2005)
• Banks 'wasting millions' on two-factor authentication (15 March 2005)