A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from four customers who fell victim to a phishing scam.
The man-in-the-middle attack occurred after the customers opened an e-mail with an attachment purporting to be from the bank, downloading malware onto their machines. When they next tried to visit the bank's Web site, their browser was redirected to a fake site, allowing the attackers to overcome ABN Amro's two-factor authentication system by piggy-backing on a legitimate log-in.
Two-factor authentication systems normally use passwords as well as tokens, which provide pseudo-randomly generated numbers. Use of both is supposed to make online banking identity verification more robust.
But security experts have warned that two-factor authentication is ineffectual against man-in-the-middle attacks.
Speaking at the E-Crime Congress in London in March, Cambridge University professor Ross Anderson spoke of the limitations of two-factor authentication. "There are a whole bunch of things that can go wrong with two-factor authentication," said Anderson. "Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten," Anderson added, according to Out-Law.com.
The four ABN Amro customers have been compensated by the bank for the money taken from their accounts.
Barclays bank on Wednesday said it would send 500,000 chip and PIN devices to its customers to secure online banking.