If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.Citibank Phish Spoofs 2-Factor Authentication, Brian Krebs, 10 July 2006
This could be because the people behind such phishing scams are often pretty tech-savvy people themselves. Funny how that happens when there’s money in it.
-jsq
http://thurston.halfcat.org/blog/2006/07/11/368/
In October 2005, the FDIC declared single-factor authentication inadequate for online banking authentication:
Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
The FFIEC agencies c…