The first ever case of using a man-in-the-middle attack against an online bank was reported by Brian Krebs of Security Fix on Tuesday.
The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.
Exactly the same kind of attack can be used to target other types of two-factor authentication, including one-time password sheets.
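As an added illustration (not part of the original post, and not code from the bank or the phishing site), the toy Python model below shows why a live relay defeats a one-time token code or OTP sheet but not an origin-bound challenge-response: the relay forwards the code unchanged and it is still valid, whereas a signature that covers the origin the user actually typed into no longer verifies at the real site. All names, keys and origins are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo material; nothing here is a real key, seed or domain.
TOKEN_SEED = b"demo-token-seed"        # shared secret inside the hardware token
DEVICE_KEY = b"demo-device-key"        # key inside an origin-bound authenticator
REAL_ORIGIN = "bank.example"           # the genuine site
PHISH_ORIGIN = "bank-login.example"    # constructed look-alike used by the relay


def token_code(seed: bytes, counter: int) -> str:
    """Toy one-time code: keyed hash of an event counter, truncated to 6 digits."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Stand-in for the real site. Accepts either a token code or an origin-bound signature."""

    def __init__(self) -> None:
        self.counter = 0

    def verify_token_login(self, code: str) -> bool:
        # A code is only good once: the counter advances whether or not it matched.
        ok = hmac.compare_digest(code, token_code(TOKEN_SEED, self.counter))
        self.counter += 1
        return ok

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_bound_login(self, challenge: bytes, signature: bytes) -> bool:
        # The bank only ever expects a signature over *its own* origin.
        expected = hmac.new(DEVICE_KEY, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def device_sign(challenge: bytes, origin_seen: str) -> bytes:
    """Origin-bound authenticator: the client mixes in the origin it is really talking to."""
    return hmac.new(DEVICE_KEY, challenge + origin_seen.encode(), hashlib.sha256).digest()


def relay_token_login(bank: Bank) -> bool:
    """Victim reads a code off the token and types it into the look-alike site,
    which forwards it to the real site in real time. It still verifies."""
    code_typed_by_victim = token_code(TOKEN_SEED, bank.counter)
    return bank.verify_token_login(code_typed_by_victim)


def replayed_token_login(bank: Bank) -> bool:
    """The same code used a second time is rejected, which is all a one-time code protects against."""
    code = token_code(TOKEN_SEED, bank.counter)
    bank.verify_token_login(code)
    return bank.verify_token_login(code)


def relay_bound_login(bank: Bank) -> bool:
    """Same relay, but the victim's browser binds the origin it sees (the look-alike),
    so the forwarded signature does not verify at the real site."""
    challenge = bank.new_challenge()
    signature_from_victim = device_sign(challenge, PHISH_ORIGIN)
    return bank.verify_bound_login(challenge, signature_from_victim)


def direct_bound_login(bank: Bank) -> bool:
    """Legitimate login straight to the real site succeeds."""
    challenge = bank.new_challenge()
    return bank.verify_bound_login(challenge, device_sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    print("relay of token code accepted:", relay_token_login(Bank()))      # True
    print("replayed token code accepted:", replayed_token_login(Bank()))   # False
    print("relay of origin-bound login accepted:", relay_bound_login(Bank()))  # False
    print("direct origin-bound login accepted:", direct_bound_login(Bank()))   # True
```

The point the model makes is that a one-time code only proves the code is fresh, not where the user is typing it; the real site cannot tell a forwarded code from one typed in directly. Binding the response to the origin the browser is actually connected to is what gives the bank a signal to reject, and that is the property to look for when choosing a second factor.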
This is one of several references to this new type of attack that I've seen this morning, and I thought it was important enough to let y'all know.
F-Secure : News from the Lab