I told you so – two factor does nothing for phishing.

Posted by in Analysis on Jul 14, 2006

Apparently, a phishing site has been found that lets phishers take advantage of users even when two-factor authentication is employed. Here’s what happens – you get an email telling you to follow a link to “your bank” (really a bogus site). You connect to it and enter your two-factor authentication data. The site then opens a connection to the real bank and uses your credentials to log in. The result: your bank account gets drained even though you used a second authentication factor. It’s a little more complicated than a regular phishing scenario, but not rocket science.

This proves the point that I’ve been trying to make for the past two years – namely, that the reason that phishing works is not because we don’t have sufficiently robust user authentication. No, the reason that phishing works is that we don’t have sufficient authentication of the server. Mark my words – you could use as many user authentication vehicles as you want and phishing is still a possibility.

Man I love being right.
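As an added illustration (not part of the original post), the constructed Python model below shows why the relay described above works: a one-time code is a bearer value the bank accepts from whoever forwards it in time, whereas a response the client binds to the origin it actually connected to fails at the real bank because the origins disagree. The origins, secret and timestamp are made-up values, and an HMAC stands in for the signature an origin-bound scheme would use.

```python
import hashlib
import hmac
import os

# Constructed model (not real bank code): the user shares a secret with the
# bank; a phishing proxy at a look-alike origin relays whatever the user types.
BANK_ORIGIN = "bank.example"          # hypothetical real origin
PHISH_ORIGIN = "bank-login.example"   # hypothetical look-alike origin
USER_SECRET = b"constructed-demo-secret"
TIME_STEP = 30                        # seconds a one-time code stays valid


def one_time_code(secret: bytes, now: int) -> str:
    """Time-based 6-digit code (HOTP-style dynamic truncation over the time step)."""
    counter = (now // TIME_STEP).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def bound_response(secret: bytes, origin_seen: str, challenge: bytes) -> str:
    """Client answers the challenge over the origin it is actually talking to."""
    return hmac.new(secret, origin_seen.encode() + challenge, hashlib.sha256).hexdigest()


def bank_accepts_code(code: str, now: int) -> bool:
    """A one-time code is a bearer value: the bank cannot tell who typed it."""
    return hmac.compare_digest(code, one_time_code(USER_SECRET, now))


def bank_accepts_response(challenge: bytes, response: str) -> bool:
    """The bank recomputes over ITS OWN origin, so an answer made for a
    look-alike origin never matches, however faithfully it is relayed."""
    return hmac.compare_digest(response, bound_response(USER_SECRET, BANK_ORIGIN, challenge))


def relayed_code_scenario(now: int = 1_152_835_200) -> bool:
    """User types the code into the phishing page; proxy forwards it at once."""
    typed = one_time_code(USER_SECRET, now)
    return bank_accepts_code(typed, now)          # True: the relay succeeds


def relayed_bound_scenario() -> bool:
    """Bank's challenge is forwarded through the proxy, but the client binds
    its answer to the origin it connected to, which is the look-alike."""
    challenge = os.urandom(16)
    answer = bound_response(USER_SECRET, PHISH_ORIGIN, challenge)
    return bank_accepts_response(challenge, answer)  # False: the relay fails


def direct_bound_scenario() -> bool:
    """Same scheme with no proxy in between: origins agree, login succeeds."""
    challenge = os.urandom(16)
    return bank_accepts_response(challenge, bound_response(USER_SECRET, BANK_ORIGIN, challenge))
```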

  • http://www.wikidsystems.com:8080/websites/com/WiKIDBlog/two-factor-authentication-hysteria-continues wikidblog

    Two-factor authentication hysteria continues!

    As I predicted, the hysteria around the, well, hysteria in the information security blogosphere, which is a pretty small par…

  • http://spiresecurity.typepad.com/spire_security_viewpoint/2006/07/nothin_doing_on.html Spire Security Viewpoint

    Nothin’ Doing on the Failure of Two Factor

    We are such a tolerant bunch, security professionals. The most recent example of this is the Citibank man-in-the-middle phish attack (the Jonah?). After a grand total of ONE known example of a Jonah amidst countless thousands (tens-of-thousands?) other…

  • http://www.securitycurve.com/blog/archives/000419.html Security Curve Weblog

    Gettin’ spanked over two-factor

    OK, so I’ve been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at spire gives me the wagging finger on the issue, saying that just because there is one phishing site using two-factor, it …
