Phishers Defeat Citibank's 2-Factor Authentication

Started by TehBorken, Jul 11 06 12:13


TehBorken

Crypto experts and U.S. Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" — the second factor being something the user has in their physical possession like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

According to a Washington Post Blog, 'SecurityFix,' phishers have now started phishing for the two-factor token ID (http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html) from the user as well. The most interesting part is that these tokens only give you one minute to log in to the bank until that key will expire. The phishers employ a "man-in-the-middle" (http://en.wikipedia.org/wiki/Man_in_the_middle_attack) attack against the victim and Citibank to log in using an automated web script and then immediately conduct money transfers when logged in.
The real trouble with reality is that there's no background music.
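The post above describes a scripted login that is followed immediately by money transfers. As an added example (not part of the original post, and not any bank's actual logic), the sketch below shows one server-side check for that pattern: flag sessions whose first transfer comes within seconds of the token login. The log format, the action names and the 30-second threshold are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample events (not real bank logs):
# timestamp, session id, account, action
SAMPLE_LOG = """\
2006-07-11T09:00:02 s1 acct-1001 otp_login
2006-07-11T09:00:06 s1 acct-1001 transfer
2006-07-11T09:00:09 s1 acct-1001 transfer
2006-07-11T09:05:00 s2 acct-2002 otp_login
2006-07-11T09:07:45 s2 acct-2002 view_balance
2006-07-11T09:12:30 s2 acct-2002 transfer
2006-07-11T09:20:00 s3 acct-3003 otp_login
2006-07-11T09:20:40 s3 acct-3003 view_balance
"""

MAX_GAP_SECONDS = 30  # assumed threshold; tune against real customer behaviour


def parse(log_text):
    """Yield (timestamp, session, account, action) from the assumed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, session, account, action = line.split()
        yield datetime.fromisoformat(ts), session, account, action


def flag_fast_transfers(log_text, max_gap=MAX_GAP_SECONDS):
    """Return {session: (account, gap_seconds)} for sessions whose FIRST
    transfer follows the token login within max_gap seconds."""
    login_at = {}        # session -> time of the token login
    judged = set()       # sessions whose first transfer was already examined
    flagged = {}
    for ts, session, account, action in sorted(parse(log_text)):
        if action == "otp_login":
            login_at[session] = ts
        elif action == "transfer" and session in login_at and session not in judged:
            judged.add(session)  # only the first transfer in a session counts
            gap = (ts - login_at[session]).total_seconds()
            if gap <= max_gap:
                flagged[session] = (account, gap)
    return flagged


if __name__ == "__main__":
    for session, (account, gap) in flag_fast_transfers(SAMPLE_LOG).items():
        print(f"review {session} ({account}): transfer {gap:.0f}s after token login")
```

A hit is a reason to hold the transfer for step-up confirmation or manual review, not proof of fraud on its own.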
