Citibank business customers have been targeted by a 'man-in-the-middle' phishing attack, in which a spoof Web address is used to circumvent the bank's two-factor authentication protection by intercepting confidential user credentials as they are passed online.
The phishing e-mail, identified in the wild by Secure Science Corp, encourages users to update their account information at a fake Citibusiness log-in site. This bogus site sits between the genuine Citi site and the customer's PC and harvests the temporary one-time security passcodes the bank uses to authenticate its customers. These codes, along with the password and user log-in details, are captured by the Web proxy and automatically forwarded to the bank, where they are used to access customer accounts.
The site, operated out of Russia and active late last week, has since been shut down.
US regulators, spooked by the rising level of online banking crime, have mandated the introduction of two-factor authentication for Internet banking by the turn of the year.
But security experts have long pointed out that the two-factor method does little to protect users from more sophisticated man-in-the-middle attacks like that perpetrated against Citibank.
Eric Greenberg, chief master architect for security firm KSR and former leader of Netscape's security group, which originally created SSL, comments: "This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work."