Criminals are using Phishing attacks to compromise banking sites that use two factor authentication

Netcraft have reported cases of banking sites being compromised even though they use two factor authentication. The scam is pretty straight forward as it’s low tech and relies upon mis-directing the user rather than exploiting a vulnerability on the target bank server or a flaw in the two factor authentication system.

This is a classic Phishing attack as the user is fooled into browsing to the malicious web site, they enter their credentials into what appears to them as the valid site and gain access to the real online bank system. The crux of the problem is that the user hasn’t validated the identity of the “banking site” and therefore the malicious site is able to harvest their credentials including the one time passphrase and PIN used in the two factor authentication.

Of course the way it’s designed to work is that a web server certificate is used by the real site to assert it’s identity to the browser – all being well then the padlock icon (or similar depending upon the browser) will be displayed. This all falls apart in this case though as some users don’t look for the padlock and those that do don’t check it’s properties. This is hardly surprising as the information pertaining to the validity of the web server certificate is geeky in the extreme and it’s easy to obtain a valid cert for a slightly different URL and fool many users to go there.

Internet Explorer 7’s Phishing filter is designed to alert users when they attempt to visit know malicious websites. The user experience is simple yet effective – the address bar changes colour from clear (the default) to yellow, green or red depending upon the severity of the danger posed by the site. A plain English text description accompanies the address bar to provide more information.

The image below shows the Phishing filter in action – to reproduce this for yourself simply browse to the Woodgrove bank phishing demonstration site:

Comments (1)

  1. Jeanie D says:

    That must be why BofA suddenly complicated their logon system – it took me about 15 minutes to add all the extra information they wanted so that they would know it’s me and I would know it’s them. (Would have been nice if they’d explained beyond the vague and innocuous “we care about security”…)