a couple old posts from more than a year ago mentioning that it appears vulnerable to MITM-attacks
http://www.garlic.com/~lynn/aadsm19.html#20 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.html#21 Citibank discloses private information to improve security
and
http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security
... for some drift
http://www.garlic.com/~lynn/aadsm19.htm#25 Digital signatures have a big problem with meaning
and some discussion of browser/ssl operation
http://www.garlic.com/~lynn/aadsm19.htm#27 Citibank discloses private information to improve security
and
http://www.garlic.com/~lynn/aadsm19.htm#28 "SSL stops credit card sniffing" is a correlation/causality myth
and even this
http://www.garlic.com/~lynn/aadsm19.htm#33 Digital signatures have a big problem with meaning
somewhat coincident ... but I had just appended some comments about multi-factor authentication
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes
in this thread
https://financialcryptography.com/mt/archives/000776.html
Not to pick nits, but I thought the FFIEC made this "recommendation". (http://www.ffiec.gov/pdf/authentication_guidance.pdf)
Posted by Chris Walsh at July 10, 2006 08:13 PM

Banks don't have to make the system perfect, they just have to raise the bar enough that the attackers go elsewhere.
Perhaps dynamic passwords are not enough. But, they do accomplish something. Consider:
1) Dynamic passwords take away the possibility of phishers selling authenticators. The value chain of phisher (obtains authenticators) -- middlemen -- fraudsters (use authenticators) is broken. Also, the attacks can no longer be performed in stages -- monetization has to be in near proximity to the time of authenticator theft. Any phisher that can't monetize immediately is out of business.
2) The skills of the phisher and the fraudster now must be combined in time. Until phishers or fraudsters become cross-trained, fewer attacks will take place.
3) Automated attacks are more difficult because the steps from authentication to money transfer are different for different banks' web sites. That will create a need for attackers to apply more resources and better target their attacks. Each requirement reduces their return.
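The time-bound property behind point 1 above, as an added example that is not part of any comment in this thread: a minimal RFC 4226/6238 one-time-password generator and verifier, run against a constructed capture to show that a phished code is only accepted inside a short window around the moment it was captured. Assumptions: the RFC test key as the shared secret, a 30-second step, and a verifier that tolerates one step of clock skew; real-time relay, the man-in-the-middle case the thread discusses, is outside what this check addresses.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226/6238 test vectors (constructed example, not a real key).
SECRET = b"12345678901234567890"
STEP = 30   # assumed time step in seconds
SKEW = 1    # assumed tolerance: accept codes one step before/after the current one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step)


def verify(secret: bytes, code: str, now: int, step: int = STEP, skew: int = SKEW) -> bool:
    """Server-side check: the presented code must match the current step or one within `skew`."""
    counter = int(now) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def replay_outcomes(capture_time: int, attempt_delays: tuple) -> dict:
    """Constructed scenario: a code phished at `capture_time` is replayed after each delay.
    Returns {delay_seconds: accepted?} so the shelf life of the stolen code is visible."""
    stolen = totp(SECRET, capture_time)
    return {d: verify(SECRET, stolen, capture_time + d) for d in attempt_delays}


if __name__ == "__main__":
    # Used within the same step it is accepted; one step later still accepted under the
    # skew tolerance; two or more steps later the stolen code is worthless.
    for delay, ok in replay_outcomes(59, (0, 11, 30, 60, 150)).items():
        print(f"replay after {delay:3d}s -> {'accepted' if ok else 'rejected'}")
```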