[Dshield] ID theft ring hits 50 banks, firm says

Matthias Jaenichen mj2 at percomp.de
Tue Aug 9 16:05:55 GMT 2005

At 10:58 09.08.2005 -0400, Johannes B. Ullrich wrote:
>Now the 'one time password' scheme has found its phishing match. I have
>seen a few phishing scams targeting Postbank (German bank that uses
>sheets with one time passwords) where they ask for two of these
>passwords in addition to your username/login password.

It was not a few phishing attempts but a really large number of them. I 
get such e-mails by the dozen every day. The point with the one-time PWs 
was that it was the user who decided which PW from that list he used. 
Any match would be sufficient. So the phishers faked the page and 
asked for both a PIN and a TAN. The user, striking out that TAN, would 
not use it again, and the phisher was able to access the account.

Banks have now started to "increase" security by asking for a specific TAN 
(row, column). That will at least reduce the chance that the phisher 
has the right TAN, but there is no real improvement.

The far safer way in Germany to do online banking is HBCI, with two 
public keys for encryption and for signing each transaction. 
Unfortunately it is more complicated, not available at Internet cafés, 
and needs software on the PC.
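The three schemes discussed in the thread (free-choice TAN sheet, indexed TAN, and a per-transaction signature as in HBCI) can be modelled to show exactly what a phisher gains from a single captured secret under each. The code below is an added illustration written for this archive, not code from the list, from Postbank or from any HBCI implementation. The sheet size (100 codes), the fake page asking for position 42, the account strings, and the use of HMAC-SHA256 as a stand-in for the public-key signature that the real HBCI protocol uses are all assumptions made for the example; the sample TANs and transactions are constructed.

```python
"""Toy model of three online-banking authorisation schemes and what a
phisher who has obtained one user secret can do with each.  Added example,
not code from the DShield list or from any bank.  HMAC-SHA256 stands in for
the public-key signature used by the real HBCI protocol (assumption)."""
import hashlib
import hmac
import random

LIST_SIZE = 100  # assumed size of the paper TAN sheet


def make_tan_list(seed=0):
    """Paper sheet of numbered six-digit one-time codes (constructed sample)."""
    rng = random.Random(seed)
    return [f"{rng.randrange(10**6):06d}" for _ in range(LIST_SIZE)]


class ClassicTanBank:
    """Scheme 1: any not-yet-used TAN from the sheet authorises a transfer."""

    def __init__(self, tans):
        self.tans, self.used = set(tans), set()

    def authorise(self, tan):
        if tan in self.tans and tan not in self.used:
            self.used.add(tan)
            return True
        return False


class IndexedTanBank:
    """Scheme 2 (indexed TAN): the bank names a position on the sheet and
    accepts only the code at that position."""

    def __init__(self, tans, seed=0):
        self.tans, self.used = list(tans), set()
        self.rng = random.Random(seed)

    def challenge(self):
        free = [i for i in range(len(self.tans)) if i not in self.used]
        return self.rng.choice(free)

    def authorise(self, index, tan):
        if index not in self.used and self.tans[index] == tan:
            self.used.add(index)
            return True
        return False


class SignedTransactionBank:
    """Scheme 3 (HBCI-style): each transaction carries a signature over its
    own content, so a captured authorisation is bound to one transaction."""

    def __init__(self, key):
        self.key = key

    @staticmethod
    def sign(key, transaction):
        return hmac.new(key, transaction.encode(), hashlib.sha256).hexdigest()

    def authorise(self, transaction, signature):
        return hmac.compare_digest(self.sign(self.key, transaction), signature)


def phish_classic(tans, victim_choice=42):
    """Fake page asks for 'a TAN'; the victim picks one freely and strikes it
    off the sheet, so the real bank has never seen it.  Returns whether the
    phisher's own transfer with that TAN goes through."""
    bank = ClassicTanBank(tans)
    return bank.authorise(tans[victim_choice])


def phish_indexed(tans, fake_page_index, seed):
    """Fake page asks for the TAN at `fake_page_index`; the phisher then
    starts a real transfer and must answer whatever index the bank picks."""
    bank = IndexedTanBank(tans, seed)
    stolen = tans[fake_page_index]
    return bank.authorise(bank.challenge(), stolen)


def itan_success_rate(trials, seed=0):
    """Fraction of phishing attempts that succeed against indexed TANs
    (expected about 1/LIST_SIZE, here 1 percent)."""
    rng = random.Random(seed)
    tans = make_tan_list(seed)
    hits = sum(phish_indexed(tans, rng.randrange(LIST_SIZE), rng.randrange(10**9))
               for _ in range(trials))
    return hits / trials


def phish_signed(key=b"customer-signing-key"):
    """Phisher records a signed small transfer and tries to reuse the
    signature on a different transaction.  Returns (replay_ok, forgery_ok)."""
    bank = SignedTransactionBank(key)
    captured_tx = "transfer 10.00 EUR to DE00 1234 5678"   # constructed
    captured_sig = SignedTransactionBank.sign(key, captured_tx)
    forged_tx = "transfer 5000.00 EUR to DE00 9999 9999"   # constructed
    return bank.authorise(captured_tx, captured_sig), bank.authorise(forged_tx, captured_sig)


if __name__ == "__main__":
    tans = make_tan_list(1)
    print("classic TAN: phished TAN accepted ->", phish_classic(tans))
    print("indexed TAN: success rate over 1000 tries ->", itan_success_rate(1000))
    print("signed tx: (replay, forgery) ->", phish_signed())
```

The replay case in the signed scheme still succeeds, which is the point the post leaves implicit: binding the signature to the transaction content stops the phisher from spending a captured credential on a different transfer, but a real deployment also needs replay protection (a sequence number or timestamp inside the signed data) so the same signed order cannot be submitted twice.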


