Recent Two factor authentication attacks, (Wed, Jul 12th)
Well, it was only a matter of time before this happened...quite a clever scam, as usual. (Last I'd heard, CAPTCHAs were being defeated by displaying them on download pages for other resources, and getting interested humans to enter the code, proxying the result to the original site.) Also, F-Secure has a similar story which I considered posting, but I'm going to favor ISC's piece in this case.
Source: SANS ISC
Recent Two factor authentication attacks, (Wed, Jul 12th): "There has been a recent report of two factor authentication protected websites getting attacked by the man-in-the-middle type of setup where the victim enters information (including the token code) into a look-alike website; this look-alike website immediately uses those credentials to log in to the actual financial site. Obviously, upon successful login by the user, the attacker can immediately execute the fraudulent transaction.
While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community. (I have written an article on this back in April)
Overall, two factor authentication will reduce the risk of attacks by raising the effort of the attacker to compromise the accounts, but it might not have the level of security enhancement that some people believed. In the man-in-the-middle attack, the flaw happens due to the lack of verification of the bank's website by the victim; the victims are simply tricked into yielding credentials" ...
Source: SANS ISC
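The weakness the ISC piece describes, modelled as an added example (not code from this post or from ISC): a one-time code proves nothing about which site it was typed into, so the bank's check passes either way, while a response computed over the origin the client actually sees fails when that origin is a look-alike. The RFC 6238 style token, the HMAC-based origin binding (a simplified stand-in for what origin-bound authenticators do with signatures), and all origins, secrets and timestamps are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

BANK_ORIGIN = "https://bank.example"              # constructed
LOOKALIKE_ORIGIN = "https://bank-secure.example"  # constructed

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def bank_accepts_otp(secret: bytes, code: str, now: int) -> bool:
    """The bank only learns the code, not the page it was entered on."""
    return hmac.compare_digest(code, totp(secret, now))

def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Client side: the response covers the origin the client is really on."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

def bank_accepts_bound(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The bank recomputes the response with its own origin only."""
    expected = origin_bound_response(secret, challenge, BANK_ORIGIN)
    return hmac.compare_digest(response, expected)

def simulate(origin_user_is_on: str, now: int = 1_152_700_000) -> dict:
    """One login attempt; the credentials reach the bank five seconds later."""
    secret = b"constructed-shared-secret"
    challenge = b"constructed-nonce-0001"
    code = totp(secret, now)  # same digits whatever page is open
    response = origin_bound_response(secret, challenge, origin_user_is_on)
    return {
        "otp_accepted": bank_accepts_otp(secret, code, now + 5),
        "bound_accepted": bank_accepts_bound(secret, challenge, response),
    }

if __name__ == "__main__":
    for origin in (BANK_ORIGIN, LOOKALIKE_ORIGIN):
        print(origin, simulate(origin))
```
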