Citibank Phish Spoofs 2-Factor Authentication

By | December 11, 2006

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called two-factor authentication — the second factor being something the user has in their physical possession like an access card — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

These methods work, however, only so long as the bad guys don´t fake those as well. Take this latest phish, spotted by the people over at Secure Science Corp. It uses an impressively crafted Web-based e-mail that targets users of Citibank´s Citibusiness service, which — as its name suggests — caters to businesses. Citibusiness also requires customers who want to log into their accounts online to use a supplied token in addition to their user name and password. The small device generates an additional password that changes every minute or so.

The scam e-mail says someone (a nice touch added here — the IP address of the imaginary suspect) has tried to to log in to your account and that you need to “confirm” your account info. Not a whole lot that´s revolutionary there, but when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in “,” but in fact ends at a Web site in Russia called “”Read Full Story

Leave a Reply