[Dshield] ID theft ring hits 50 banks, firm says
mj2 at percomp.de
Tue Aug 9 16:05:55 GMT 2005
At 10:58 09.08.2005 -0400, Johannes B. Ullrich wrote:
>Now the 'one time password' scheme has found its phishing match. I have
>seen a few phishing scams targeting Postbank (German bank that uses
>sheets with one time passwords) where they ask for two of these
>passwords in addition to your username/login password.
It was not a few phishing attempts but a really large number of them. I
get such e-mails by the dozen every day. The point with the one-time PWs
was that it was the user who decided which PW from that list he used.
Any match would be sufficient. So the phishers faked the page and
asked for both a PIN and a TAN. The user, striking out that TAN, would
not use it again, and the phisher was able to access the account.
Banks have now started to "increase" security by asking for a specific TAN
(row, column). That will at least reduce the chance that the phisher
has the right TAN, but there is no real improvement.
The far safer way in Germany to do online banking is HBCI, with two
public keys, for encryption and for signing each transaction.
Unfortunately it is more complicated, not available at Internet cafes, and
needs software on the PC.
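The two TAN policies described in this thread, as an added example that is not part of the original post or of any bank's software: a simulated bank that accepts either any unused TAN from the sheet (free choice) or only the TAN at a position the bank names (the "row, column" scheme), and a phisher who replays two TANs harvested from a fake login page. The sheet size (100) and the six-digit code format are assumptions; the post gives neither. The point the code makes measurable is the one the post argues: with free choice the replay always succeeds, and with the indexed scheme it succeeds only when the bank happens to ask for a stolen position, roughly 2 in 100 for two stolen TANs.

```python
import secrets
from typing import Dict, List, Optional

# Constructed example: a TAN sheet of 100 six-digit codes. The sheet size and the
# code format are assumptions; the post does not give them.
SHEET_SIZE = 100


def make_sheet(size: int = SHEET_SIZE) -> List[str]:
    """Generate a TAN sheet: `size` distinct six-digit codes, positions 0..size-1."""
    tans: List[str] = []
    seen = set()
    while len(tans) < size:
        t = f"{secrets.randbelow(10**6):06d}"
        if t not in seen:
            seen.add(t)
            tans.append(t)
    return tans


class TanBank:
    """Bank side of a TAN-sheet scheme under one of the two policies in the post.

    indexed=False: any TAN on the sheet that has not been used yet is accepted.
    indexed=True : the bank names a position (the 'row, column' scheme) and
                   accepts only the TAN printed at that position.
    """

    def __init__(self, sheet: List[str], indexed: bool) -> None:
        self.sheet = list(sheet)
        self.used = set()          # positions already consumed at the bank
        self.indexed = indexed

    def challenge(self) -> Optional[int]:
        """Indexed policy: pick an unused position the customer must answer with."""
        if not self.indexed:
            return None
        free = [i for i in range(len(self.sheet)) if i not in self.used]
        return secrets.choice(free)

    def authorize(self, tan: str, index: Optional[int] = None) -> bool:
        """Accept the transaction if `tan` is valid under the policy; consume it."""
        if self.indexed:
            if index is None or index in self.used or self.sheet[index] != tan:
                return False
            self.used.add(index)
            return True
        for i, t in enumerate(self.sheet):
            if t == tan and i not in self.used:
                self.used.add(i)
                return True
        return False


def replay_phished(bank: TanBank, stolen: Dict[int, str]) -> bool:
    """Attacker replays TANs harvested by a phishing page (position -> TAN).

    The victim struck those TANs out on paper but never sent them to the bank,
    so at the bank they are still unused, which is exactly the situation in
    the post.
    """
    if not stolen:
        return False
    if bank.indexed:
        asked = bank.challenge()
        if asked in stolen:
            return bank.authorize(stolen[asked], asked)
        return False       # bank asked for a position the phisher never saw
    first = next(iter(stolen.values()))
    return bank.authorize(first)


def attack_success_rate(indexed: bool, stolen_count: int = 2,
                        trials: int = 2000) -> float:
    """Fraction of trials in which a phisher holding `stolen_count` TANs gets
    one transaction through: 1.0 for free choice, about stolen_count/SHEET_SIZE
    for the indexed policy."""
    rng = secrets.SystemRandom()
    wins = 0
    for _ in range(trials):
        sheet = make_sheet()
        bank = TanBank(sheet, indexed)
        positions = rng.sample(range(SHEET_SIZE), stolen_count)
        stolen = {p: sheet[p] for p in positions}
        if replay_phished(bank, stolen):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("free-choice TAN, 2 stolen:", attack_success_rate(indexed=False))
    print("indexed TAN, 2 stolen:   ", attack_success_rate(indexed=True))
```

The simulation models only an off-line replay of harvested TANs, which is the attack the post describes; it does not model a phishing site that forwards the bank's requested position to the victim while the session is open, so the numbers it produces are an upper bound on what the indexed scheme buys, not a statement that it is safe.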