Attackers have successfully invaded the accounts of several customers of Dutch bank ABN Amro, despite the bank's use of two-factor authentication.
The bank has compensated four users for funds stolen from their accounts in the attack, the bank said. It said it is pursuing the thieves, and said the robbery was due in part to unsafe PC usage.
ABN Amro is one of the more progressive banks where it comes to adopting new security technologies, and has recently rolled out a biometric identification system for authenticating the voices of telephone banking customers.
Banks argue that two-factor authentication, which combines the use of a token with normal passwords, is necessary for more secure banking. But security experts have long pointed out that such systems are still vulnerable to attack.
The ABN Amro system uses a token that provides a constantly changing numeric code which authenticates the user in conjunction with a password.
The attackers sent emails claiming to be from the bank, which installed a Trojan horse and lured users to a replica of the bank's site. Once users entered the number provided by the token, the hackers were able to use it to log into the account before the number expired, according to a report from law firm Pinsent Masons.
Such "man-in-the-middle" attacks have risen to prominence in recent months as banks have implemented two-factor authentication systems. Last summer security researchers counted 35 websites that had been set up to execute man-in-the-middle attacks against such targets as Citibank.
"It is not just an isolated incident of somebody coming up with a proof of concept or an exploit that's unique to them," said Rich Miller, an analyst with Internet research company Netcraft, at the time.
Although these new phishing techniques show that no system is impervious to attack, token-based two-factor authentication remains a useful tool against malicious software such as Trojan horse programs, said Johannes Ullrich, chief research officer at the SANS Institute.
Ullrich also noted that these attacks rely on victims who will enter sensitive information into an untrusted Web site, a type of victim that is becoming harder to find as users clue into the phishing phenomenon.
"The real problem is not the phishing sites; it's the Trojans and keyloggers," he said, adding that "they'll have a harder time working around the two-factor authentication".
Robert McMillan of IDG News Service contributed to this report.