Two-factor Authentication - Man-in-the-middle Attacks

Man-in-the-middle Attacks

Traditional hardware tokens, SMS, and telephone-based methods are vulnerable to a type of attack known as the man-in-the-middle (MITM) attack. In such an attack, the fraudster impersonates the bank to the customer and the customer to the bank, prompting the victim to divulge the value generated by their token. The fraudster therefore does not need physical possession of the hardware token or telephone device to compromise the victim's account; they only have to pass the disclosed value on to the genuine website within the time limit. Citibank made headline news in 2006 when its hardware-token-equipped business customers were targeted by just such an attack from fraudsters based in Ukraine. Such an attack may be used to gain information about the victim's accounts, or to get the victim to authorise a transfer of a different sum to a different recipient than intended. Virtual token MFA and other solutions which authenticate directly connected devices are not vulnerable to man-in-the-middle attacks.
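The following is an added illustration, not part of the original article. It shows why a time-based token value is accepted regardless of who forwards it within the time limit, and how a code computed over the transfer details stops being valid once the recipient or sum is changed. The key, timestamp and account names are constructed, and `bound_code` is a hypothetical transaction-bound scheme that the article does not describe.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window, as in RFC 6238


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC digest to a decimal code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def plain_code(key: bytes, now: int) -> str:
    """Time-based code: depends only on the shared key and the clock."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())


def bound_code(key: bytes, now: int, recipient: str, amount: str) -> str:
    """Hypothetical variant: the transfer details are mixed into the MAC."""
    msg = struct.pack(">Q", now // STEP) + f"|{recipient}|{amount}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def bank_accepts_plain(key, now, code):
    """The bank sees only the code, not who typed it or where."""
    return hmac.compare_digest(plain_code(key, now), code)


def bank_accepts_bound(key, now, recipient, amount, code):
    """The bank recomputes the code over the transfer it was asked to make."""
    return hmac.compare_digest(bound_code(key, now, recipient, amount), code)


def demo():
    key, t = b"constructed-demo-key", 1_700_000_010   # constructed values
    intended = ("ACME-SUPPLIES", "100.00")            # what the customer meant
    altered = ("OTHER-ACCOUNT", "9500.00")            # what reaches the bank
    code = plain_code(key, t)
    signed = bound_code(key, t, *intended)
    return {
        "plain_relayed_10s_later": bank_accepts_plain(key, t + 10, code),
        "plain_after_window": bank_accepts_plain(key, t + STEP, code),
        "bound_intended": bank_accepts_bound(key, t + 10, *intended, signed),
        "bound_altered": bank_accepts_bound(key, t + 10, *altered, signed),
    }
```

The bound variant only helps if the customer's device displays the recipient and sum it is computing the code over, so that a substituted transfer is visible before the code is disclosed.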
