July 28, 2006

Nearly three dozen phishing Web sites have targeted Citibank (New York; more than $1 trillion in assets) business customers with a new scheme that circumvents two-factor authentication, reported Bath, England-based Netcraft in early July. The security firm says the ploy is a man-in-the-middle scam that tricks users into entering a second authenticator generated by a physical security token. It is dubbed "man in the middle" because the phishing site sits between the user and the bank and passes the actual token-generated one-time password straight through to the real Citibank site; since the bank only sees a valid code, the scam effectively lets the phisher sign on to the real site on behalf of the victim, says Netcraft.

The attacks, however, were not completely successful, the bank claims. "We moved quickly to have the fraudulent site closed down, and we are not aware of any customers who were affected by this scam," says Mark Rodgers, VP of public affairs with Citigroup.

"Man-in-the-middle attacks are a serious problem because they undermine fundamental security assumptions about a site," Jon Gossels, president of SystemExperts (Sudbury, Mass.), says. "You can no longer trust authentication credentials."

Citigroup's Rodgers acknowledges that phishing is an industrywide problem, noting that when the bank issued the tokens to its commercial users, it warned them to beware of such scams. "We continued to warn them about phishing e-mails and other types of online fraud," he says. Two-factor authentication, like that provided by secondary tokens, was recommended by the Federal Financial Institutions Examination Council (FFIEC) last year.

Education still is vital to thwarting phishing attacks, says SystemExperts' Gossels. "The Citi attacks show conclusively that strong authentication technology by itself cannot solve the phishing problem or the identity theft problem," he asserts. Banks "must train their customers not to divulge sensitive information from any unsolicited e-mail message. Further, they need to implement technology -- such as displaying a customer selected picture or symbol -- that makes it easy for customers to know that they are at the legitimate site."

According to SystemExperts VP Brad Johnson, "Now that a man-in-the-middle attack has been identified in this two-factor authentication bank case, we can assume there will be many other knock-off attempts."

Still, "Online banking and online transacting are, for the most part, safe, secure and convenient," Citigroup's Rodgers contends. "Continuing awareness of emerging and ongoing online scams is perhaps the best protection for consumers."

Courtesy of TechWeb, a CMP Media property.