
Man-in-the-middle phishing attack successful against Citibank's two-factor token authentication. (Citibank N.A. (New York, New York))

Business Credit

October 01, 2006 | COPYRIGHT 2006 National Association of Credit Management. This material is published under license from the publisher through the Gale Group, Farmington Hills, Michigan. All inquiries regarding rights should be directed to the Gale Group.

On July 10, 2006, The Washington Post carried the first reports of a man-in-the-middle phishing 2.0 attack against Citibank's CitiBusiness[SM] service. The phishing scam, originating in Russia, shows that cyber criminals are integrating multiple attack methods to defeat the latest security measures, such as one-time password (OTP) tokens implemented by banks.

"In my testimony to Congress in 2004, I warned that, as more people become aware of current 'phishing' scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques," said Howard Schmidt, former White House cybersecurity advisor and former Chief Security Officer of eBay and Microsoft.

In 2004, the first wave of "phishing 1.0" attacks tricked unsuspecting consumers into clicking on links to fake bank websites and giving up their usernames, passwords and other personal information, leading to financial fraud and identity theft. Phishing 2.0 has evolved to combine traditional phishing "hooks" with a man-in-the-middle attack (in the Citibank case, involving a botnet) and URL spoofing. A phishing 2.0 attack tricks the user into clicking on a link and logging in to their bank through the man-in-the-middle phishing proxy site. It is actually easier to launch than traditional phishing 1.0 scams because the attacker does not need to create and maintain a copy of a fake site. The phisher merely passes through the actual pages from the real website, then steals data or makes changes to transactions automatically using easy-to-write scripts.

"This is a common and predictable attack. As an industry, we need to accept that solutions not incorporating strong client and server authentication cannot survive the Internet. Ten years ago, this was evident with the advent of key SSL mechanisms. It's time to put them to work," said Eric Greenberg, Chief Master Architect for security firm KSR and former leader of Netscape's security group, which originally created SSL.

Since 2004, most banks have responded by implementing one or more security technologies designed to fight traditional phishing 1.0. In many cases, these security measures have temporarily reduced fraud rates based on their ability to prevent basic phishing 1.0 techniques. However, these security measures are vulnerable to phishing 2.0 attacks (see table on previous page).
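Why a token code alone does not stop the pass-through proxy described above, sketched as an added example (not from the article or from Citibank): the OTP is accepted no matter which site the user typed it into, while a response computed over the origin the client is actually connected to fails when that origin is not the bank's. The origins, the shared seed and the HMAC-based origin binding are assumptions made for illustration, a simplified stand-in for the strong client and server authentication the article refers to.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"12345678901234567890"             # constructed token seed (RFC 4226 test key)
BANK_ORIGIN = "https://bank.example"         # hypothetical real site
PROXY_ORIGIN = "https://bank-login.example"  # hypothetical pass-through proxy site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password: what the hardware token displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpServer:
    """Bank-side OTP check. The code is a bearer value: nothing ties it to a site."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1  # one-time: the same code is rejected on replay
        return ok


def bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Client software answers a challenge over the origin it is connected to."""
    return hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def login_outcomes(origin_user_is_on: str) -> tuple:
    """Return (otp_accepted, origin_bound_accepted) when everything the user
    or their client produces on that origin reaches the bank unchanged."""
    code = hotp(SECRET, 0)  # user reads the token and types it into the open page
    otp_ok = OtpServer(SECRET).verify(code)
    challenge = os.urandom(16)  # issued by the bank, passed along verbatim
    response = bound_response(SECRET, challenge, origin_user_is_on)
    expected = bound_response(SECRET, challenge, BANK_ORIGIN)  # bank's own view
    return otp_ok, hmac.compare_digest(response, expected)


if __name__ == "__main__":
    for origin in (BANK_ORIGIN, PROXY_ORIGIN):
        print(origin, login_outcomes(origin))
```

The one-time property only prevents reuse of a code after the bank has consumed it; it says nothing about who delivered the code the first time.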

Why Are These Security Measures Vulnerable?

These measures are vulnerable to phishing 2.0 attacks for some combination of the following reasons:
