Phishing 2.0


Phishing is a deceptive practice in which a criminal spoofs an electronic message (usually email) purporting to be from a legitimate business, usually a bank or other financial institution, and sends it to unsuspecting individuals. Typically the message claims that the recipient's account is in some mortal danger unless they act immediately, and a link to a fraudulent web site is conveniently embedded in it. The panicked recipient clicks the link and lands on the fraudulent site, which requests authentication in the same manner as the legitimate site. Once the credentials are entered, the victim is usually either forwarded to the real site (in the man-in-the-middle variant the phishing site has already relayed the login there) or shown a thank-you page.

At that point the thief has won. The individual's credentials are used on the real web site to redirect funds out of the account and act in a generally fraudulent manner. The table below lists the authentication measures banks have deployed against this and how a real-time man-in-the-middle proxy (Phishing 2.0) defeats each of them. Where the older capture-now, use-later attack (Phishing 1.0) already defeats a measure, that is noted as well.



Security measure: One Time Password Tokens (hardware, software, and scratch cards)
How it works: Users receive a hardware device, paper scratch card or grid card that changes their passcode for every login, in some cases every 30-60 seconds.
Vulnerability: The one-time password is passed straight through by the attacker's man-in-the-middle proxy and used to log in within milliseconds, so even the 30-60 second validity window of time-synchronous tokens is irrelevant.

Security measure: Virtual Keyboard
How it works: The user inputs their passcode through a web-based graphical keyboard.
Vulnerability: The passcode is stolen as soon as it is entered, because the man-in-the-middle proxy is what serves the virtual keyboard. Also vulnerable to Phishing 1.0.

Security measure: Knowledge-Based Authentication
How it works: The user answers a series of personal questions.
Vulnerability: The attacker's man-in-the-middle proxy automatically passes the questions to the user and returns the user's answers to the web site (after capturing them). Also vulnerable to Phishing 1.0.

Security measure: Recognition-based authentication
How it works: The user needs to recognize shapes, faces, symbols, patterns or pictures.
Vulnerability: The attacker's man-in-the-middle proxy automatically passes the shapes, faces, symbols, patterns or pictures to the user and returns the user's selections (after capturing them). Also vulnerable to Phishing 1.0.

Security measure: IP Geolocation
How it works: The web site associates the user's account with the geographic location of the IP address they log in from.
Vulnerability: The man-in-the-middle proxy sees the victim's IP address and routes its own connection to the real site through a botnet computer in the same geographic region or ISP as the real user, so the login appears to come from a familiar location. Also vulnerable to Phishing 1.0.

Security measure: Device Fingerprinting
How it works: The web site attempts to build a profile of the device from information provided by the web browser.
Vulnerability: The browser information is passed through unchanged from the real user's computer. It can also easily be spoofed by the phisher. Also vulnerable to Phishing 1.0.

Security measure: Browser cookie
How it works: The web site places a cookie on the user's computer after the user has answered secret questions.
Vulnerability: Because cookies are frequently deleted, users become accustomed to re-answering the secret questions. The man-in-the-middle proxy presents the secret questions at the phishing site, captures the answers, and uses them to log into the real site as if from a new computer.

Security measure: Picture or text on web site (such as PassMark and Arcot)
How it works: The user selects a personal picture or text phrase that always appears on the login page to assure the customer that they are not being phished.
Vulnerability: After stealing the secret-question answers and triggering the cookie reset as described above, the attacker already has the password. The attacker couldn't care less about the picture; they are not the one worried about being phished, and at this point they have access. Since the proxy relays the real site's pages, the user sees their correct picture anyway.

Security measure: Phone or email out-of-band authentication
How it works: The user enters a code sent to them over the phone or by email.
Vulnerability: Because the user is online performing a transaction, when the phone rings with the passcode the user answers and enters the code into the web site. The attacker's proxy site passes the code through, and a script changes the transaction that the code is verifying without the user knowing. The code only proves that the person at the phone approved something; unless the phone message states what is being approved, it cannot protect the transaction details.
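The following simulation is an added example, not code from the original page or from any real phishing kit. Everything in it is constructed and in-memory (no network, no real bank, hypothetical account and mule names, a fixed clock). It models three rows of the table: a time-based OTP relayed by the proxy inside its validity window, the same OTP replayed a few windows later (the Phishing 1.0 case) being rejected, and a phone-confirmed transfer whose payee and amount the proxy swaps. The hardened Bank variant, where the phone message states what the code authorises, is an assumption added here to show the one change that makes the swap visible to the user.

```python
"""Constructed simulation of a real-time ("Phishing 2.0") man-in-the-middle proxy."""
import hashlib
import hmac
import re
import secrets
import struct

NOW = 1_700_000_000.0   # constructed fixed clock so the example is deterministic


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s step)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Bank:
    """Toy banking site: password + TOTP login, then phone-code confirmed transfers."""

    def __init__(self, show_details_out_of_band: bool = False):
        self.show_details = show_details_out_of_band
        self.accounts, self.sessions, self.pending, self.phone_messages = {}, {}, {}, []

    def enroll(self, user: str, password: str, balance: int = 1000) -> bytes:
        self.accounts[user] = {"password": password, "secret": secrets.token_bytes(20),
                               "balance": balance}
        return self.accounts[user]["secret"]          # provisioned onto the user's token

    def login(self, user: str, password: str, code: str, now: float):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        if not hmac.compare_digest(totp(acct["secret"], now), code):
            return None                                # wrong OTP, or one from an old window
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def begin_transfer(self, token: str, payee: str, amount: int) -> str:
        user = self.sessions[token]
        txid, code = secrets.token_hex(4), f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[txid] = (user, payee, amount, code)
        # Weak: the phone message carries only the code. Hardened (assumed here): it
        # states what the code authorises, so a substituted transaction is visible.
        text = (f"Code {code} confirms {amount} to {payee}" if self.show_details
                else f"Your confirmation code is {code}")
        self.phone_messages.append(text)
        return txid

    def confirm_transfer(self, token: str, txid: str, code: str) -> bool:
        user, payee, amount, expected = self.pending.pop(txid)
        if self.sessions.get(token) != user or not hmac.compare_digest(expected, code):
            return False
        self.accounts[user]["balance"] -= amount
        return True


class PhishingProxy:
    """Look-alike site that forwards each of the victim's submissions to the real bank
    immediately, then substitutes its own transfer details (hypothetical mule account)."""

    def __init__(self, bank: Bank, mule: str = "MULE-ACCOUNT", mule_amount: int = 900):
        self.bank, self.mule, self.mule_amount = bank, mule, mule_amount
        self.captured, self.session, self.txid = {}, None, None

    def relay_login(self, user, password, code, now) -> bool:
        self.captured.update(user=user, password=password, otp=code)
        self.session = self.bank.login(user, password, code, now)   # inside the OTP window
        return self.session is not None

    def relay_transfer(self, payee: str, amount: int) -> None:
        # The victim asked for (payee, amount); the real site never sees those values.
        self.txid = self.bank.begin_transfer(self.session, self.mule, self.mule_amount)

    def relay_code(self, code: str) -> bool:
        return self.bank.confirm_transfer(self.session, self.txid, code)


def victim_reads_phone(text: str, payee: str, amount: int):
    """Return the code the user types in, or None if the message visibly describes a
    transaction other than the one they asked for."""
    if text.startswith("Code ") and f"{amount} to {payee}" not in text:
        return None
    return re.search(r"\b\d{6}\b", text).group(0)


def run_scenario(show_details_out_of_band: bool) -> dict:
    bank = Bank(show_details_out_of_band)
    secret = bank.enroll("alice", "correct horse")
    proxy = PhishingProxy(bank)
    logged_in = proxy.relay_login("alice", "correct horse", totp(secret, NOW), NOW + 1)
    proxy.relay_transfer("LANDLORD", 100)          # what alice believes she is doing
    code = victim_reads_phone(bank.phone_messages[-1], "LANDLORD", 100)
    fraud = code is not None and proxy.relay_code(code)
    return {"logged_in": logged_in, "fraud_succeeded": fraud,
            "balance": bank.accounts["alice"]["balance"]}


def stale_otp_is_rejected(delay: float = 90.0) -> bool:
    """Phishing 1.0 contrast: an OTP captured now and used a few windows later fails."""
    bank = Bank()
    secret = bank.enroll("bob", "hunter2")
    return bank.login("bob", "hunter2", totp(secret, NOW), NOW + delay) is None


if __name__ == "__main__":
    print("replayed OTP rejected:", stale_otp_is_rejected())
    print("code-only phone message:", run_scenario(False))
    print("phone message with details:", run_scenario(True))
```

With the code-only phone message the relayed login succeeds and the mule transfer is confirmed with the victim's own code; with the transaction details in the message the simulated user sees "900 to MULE-ACCOUNT" instead of "100 to LANDLORD" and refuses, so the balance is untouched. The replay check shows why OTP tokens are not marked as vulnerable to Phishing 1.0 in the table while every relayed control still falls to 2.0.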