Phishers Bypass Two-Factor Authentication


Phishing is a common form of Internet fraud in which criminals send you an email (for example) that pretends to be from a bank, PayPal, eBay, Amazon.com, or another web site. The emails often say things like, "Your password has been compromised. Please click here to login and update your password."

If you click on the link you are taken to a fake web site that looks just like the real thing. The criminals hope that you will enter your password and credit card information into their fake web site.

In a twist on the common form of phishing, a scam has been spotted where the criminal's web site asks you to type in your two-factor authentication code (example) and then automatically logs into your bank account with your credentials, while the code is still valid.

"A bogus security warning ostensibly from Citibank, and targeting customers of its Citibusiness service, urged prospective marks to visit a website and enter not only their account details and password (as with conventional phishing scams) but also the code generated by the customer's token. These authentication key codes change every minute or so.

The fraudulent site is automated so it uses this information to log onto the real Citibusiness login site, allowing fraudsters access to compromised accounts." [Source]

The above article also points to Bruce Schneier's prophetic commentary on the problems of two-factor authentication.

"- Man-in-the-Middle Attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.

- Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in."
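The relay that the Citibusiness scam and Schneier's first case describe can be modelled in a few lines. The following is an added example, not code from the original post or from any bank: a toy bank that checks a password plus a 60-second time-based token code, and a toy bogus site that simply forwards what the victim typed. It also goes one step beyond the post by showing why the relay stops working when the second factor is a response bound to the site's origin; all secrets, names and timestamps are constructed.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-shared-token-secret"  # constructed; a real token holds a per-customer key

def totp(secret: bytes, t: float, step: int = 60, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238 style); 60-second step as described in the article."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Bank:
    """Model of the real login site: password plus token code, no binding to where it was typed."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret
    def login(self, password: str, code: str, now: float) -> bool:
        return password == self.password and code == totp(self.secret, now)

class BogusSite:
    """Model of the automated fake site: it forwards whatever the victim types to the real bank."""
    def __init__(self, bank: Bank):
        self.bank = bank
    def capture(self, password: str, code: str, now: float) -> bool:
        # Forwarded two seconds later; the code is still inside its validity window.
        return self.bank.login(password, code, now + 2.0)

def relay_succeeds() -> bool:
    now = 1_700_000_000.0  # constructed timestamp, 20 s into a 60 s window
    bank = Bank("hunter2", SECRET)
    victim_code = totp(SECRET, now)  # what the victim reads off the token
    return BogusSite(bank).capture("hunter2", victim_code, now)

def signed_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Hypothetical origin-bound second factor: sign the bank's challenge together with the origin shown in the browser."""
    return hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()

class OriginBoundBank(Bank):
    ORIGIN = "bank.example"  # constructed
    def login_bound(self, password: str, challenge: bytes, response: str) -> bool:
        expected = signed_response(self.secret, challenge, self.ORIGIN)
        return password == self.password and hmac.compare_digest(response, expected)

def relay_fails_with_origin_binding() -> bool:
    bank = OriginBoundBank("hunter2", SECRET)
    challenge = b"constructed-nonce"  # relayed verbatim by the bogus site
    # The victim's device signs over the origin actually in the address bar: the bogus one.
    victim_response = signed_response(SECRET, challenge, "bogus-site.example")
    return not bank.login_bound("hunter2", challenge, victim_response)
```

The first function shows the article's point exactly: a code that changes every minute is still good for the whole minute, whoever submits it; the second shows that a response tied to the origin the user really visited cannot be forwarded.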

How to Protect Yourself Against Phishing

The first step is to educate yourself about phishing. When you sign up for a new online service that handles money, for example PayPal or a bank, carefully read its warnings and tips about how to protect yourself against phishing attacks. You can see an example of anti-phishing advice at PayPal.com.

To protect yourself against the second type of two-factor authentication attack mentioned above, a trojan, you can sidestep the trojan by banking from a Linux live CD: the system booted from the CD does not run the trojan installed on your hard disk.