
Man-in-Middle Phishing Attack

By Anonymous  •  July 14th, 2006  •   Cybercrime Phishing

The first-ever case of a “man in the middle” attack against an online bank was reported recently by Security Fix.

The attack targeted Citibank’s Citibusiness service and was designed to spoof the token key hardware device used by the bank’s customers. Citibusiness requires customers to use a token in addition to their user name and password. The small hardware device generates an additional password that changes every minute or so.

The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. The “man in the middle” is the phishing site, which submits data provided by the user to the actual site. If that site generates an error, so does the phishing site, thus making it look more real. Enter an invalid password, and you get an invalid logon page.

The security industry has long predicted this type of man-in-the-middle attack; it seemed only a matter of time.
