New Phishing Scam Targets Citibank Customers

RedjackRyan
07-11-2006, 08:18 AM
Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.


These methods work, however, only so long as the bad guys don't fake those as well. Take this latest phish, spotted by the people over at Secure Science Corp. It uses an impressively crafted Web-based e-mail that targets users of Citibank's Citibusiness service, which -- as its name suggests -- caters to businesses. Citibusiness also requires customers who want to log into their accounts online to use a supplied token in addition to their user name and password. The small device generates an additional password that changes every minute or so.


The scam e-mail says someone (a nice touch added here -- the IP address of the imaginary suspect) has tried to log in to your account and that you need to "confirm" your account info. Not a whole lot that's revolutionary there, but when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in "Citibank.com," but in fact ends at a Web site in Russia called "Tufel-Club.ru."


http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

Rkitko
07-11-2006, 10:37 AM
Interesting... I remember seeing a phishing scam directed at Wells Fargo customers... They were really clever in that the url for the scam site was something like VVellsFargo.com (two Vs in the place of the W)--almost not noticeable unless you were looking for it.

Bank of America has that sitekey thing on their online banking now. You choose the image when you set up your sitekey--if that image and your chosen "description" for it don't appear when you're logging in, then you're not on the Bank of America website. I don't see how phishing scams could navigate around that security feature... Do you? (Don't give them any ideas!)
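The two URL tricks described in this thread (a long address that only seems to end in Citibank.com, and a host such as VVellsFargo.com) lend themselves to a simple defender-side link check. This is an added example, not code from the thread or the Security Fix article; the trusted-domain list, the confusable table and the sample links are constructed, and the registrable-domain logic is a deliberate simplification.

```python
from urllib.parse import urlparse

# Constructed list: brands that should appear only under their real registrable domain.
TRUSTED_DOMAINS = {"citibank.com", "wellsfargo.com", "bankofamerica.com"}

# Character sequences that imitate another letter in an address bar
# (the "VV" for "W" trick from the thread, plus a few common ones).
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: simplified, ignores suffixes
    such as co.uk, which a real check would resolve with the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def unconfuse(domain: str) -> str:
    """Fold look-alike sequences back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def classify(url: str) -> tuple:
    """Return (verdict, registrable_domain) for a link found in an e-mail.

    ok               host really belongs to a trusted domain
    lookalike        host only looks like a trusted domain (vvellsfargo.com)
    brand-misplaced  a trusted brand name appears somewhere in the URL, but
                     the registrable domain is something else (the .ru case)
    unknown          none of the above
    """
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to locate the host
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "ok", domain
    if unconfuse(domain) in TRUSTED_DOMAINS:
        return "lookalike", domain
    lowered = url.lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in lowered:
            return "brand-misplaced", domain
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample links, modelled on the two cases described in the thread.
    for link in ("https://www.citibank.com/signon",
                 "http://online.citibank.com.tufel-club.ru/citibusiness/",
                 "http://www.vvellsfargo.com/login"):
        print(classify(link), link)
```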

RedjackRyan
07-11-2006, 11:47 AM
Redjack's rule # 74 : given enough time and enough will, criminals will circumvent any and all security measures.



I'm not familiar with the sitekey system on BankofAmerica, but I would assume that the images used are pulled from a pool of existing images, say 100 or so images. Assuming that the site wouldn't lock an account out after a specific number of incorrect login attempts, simply trying each and every image in turn would eventually give a hit granting access. I'm sure BOA has taken stronger measures than that, but it's the best I can do on short notice ;)

I wish I did have an answer to the security question, cause then I'd be rich :D and we'd have a Rudiebus and JanisIan Island to vacation on.

Rkitko
07-11-2006, 01:58 PM
I wish I did have an answer to the security question, cause then I'd be rich :D and we'd have a Rudiebus and JanisIan Island to vacation on.
Could we make a Janis Ian archipelago (Jarchipelago?) in the shape of the Rude Girl logo like the Palm Islands (http://en.wikipedia.org/wiki/Palm_Islands) or "The World" (http://en.wikipedia.org/wiki/The_World_%28archipelago%29) off the coast of Dubai? I call the "M" in "TM". I've always wanted my own M-shaped island.