22 October 2017

Man-in-the-middle attacks Citi authentication system

12 July 2006

Citibank business customers have been targeted by a 'man-in-the-middle' phishing attack, in which a spoof Web address is used to circumvent the bank's two-factor authentication protection by intercepting confidential user credentials as they are passed online.

The phishing e-mail, identified in the wild by Secure Science Corp, encourages users to update their account information at a fake Citibusiness log-in site. This bogus site sits between the genuine Citi site and the customer PC and harvests the temporary one-time security passcodes which the bank uses to authenticate its customers. These codes, along with password and user log-in details, are captured by the Web proxy, automatically forwarded to the bank and used to open customer accounts.

The site, operated out of Russia and active late last week, has since been shut down.

US regulators, spooked by the rising level of online banking crime, have mandated the introduction of two-factor authentication for Internet banking by the turn of the year.

But security experts have long pointed out that the two-factor method does little to protect users from more sophisticated man-in-the-middle attacks like that perpetrated against Citibank.

Eric Greenberg, chief master architect for security firm KSR and former leader of Netscape's security group, which originally created SSL, comments: "This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work."
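The weakness described above, shown as an added example that is not part of the original article: a one-time passcode check takes no input about which site the customer typed the code into, so the bank accepts it either way, while a response that also covers the server identity the client saw is rejected when that identity is not the bank's. The origins, the challenge value and the HMAC-based binding are constructed assumptions standing in for real client and server authentication; the passcode routine follows RFC 4226 and uses its published test secret.

```python
import hashlib
import hmac
import struct

GENUINE_ORIGIN = "https://bank.example"            # constructed placeholder
LOOKALIKE_ORIGIN = "https://bank-update.example"   # constructed placeholder
SECRET = b"12345678901234567890"                   # RFC 4226 test secret
CHALLENGE = b"constructed-server-nonce"            # constructed sample value


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time passcode as defined in RFC 4226 (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_otp(secret: bytes, counter: int, submitted: str) -> bool:
    # The check depends only on the secret and counter: nothing in it
    # records which site the customer entered the code on.
    return hmac.compare_digest(hotp(secret, counter), submitted)


def client_bound_response(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    # Assumption: the client software (not the user) supplies the origin it
    # is actually connected to, and the response covers it.
    return hmac.new(key, challenge + b"|" + origin_seen.encode(), hashlib.sha256).digest()


def server_accepts_bound(key: bytes, challenge: bytes, response: bytes) -> bool:
    # The bank recomputes the response over its own origin only.
    expected = client_bound_response(key, challenge, GENUINE_ORIGIN)
    return hmac.compare_digest(expected, response)


def compare(origin_seen_by_customer: str) -> dict:
    """What the bank decides for each scheme, given the site the customer saw."""
    otp = hotp(SECRET, 0)
    bound = client_bound_response(SECRET, CHALLENGE, origin_seen_by_customer)
    return {
        "otp_accepted": server_accepts_otp(SECRET, 0, otp),
        "bound_accepted": server_accepts_bound(SECRET, CHALLENGE, bound),
    }


if __name__ == "__main__":
    for origin in (GENUINE_ORIGIN, LOOKALIKE_ORIGIN):
        print(origin, compare(origin))
```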
