Here is a report of a successful, real-time, man-in-the-middle attack against a two-factor authentication system used at a Dutch bank. Apparently, Trojan software installed when users clicked on a fake email message allowed the fraudsters to record the one-time password and then use it to conduct their own transactions. This is taking phishing to a new level.
Phishing attack evades ABN Amro’s two-factor authentication
Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.
As soon as the hackers received these details they were able to log into a customer’s account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer’s money.
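The weakness the article describes is that a time-limited login code says nothing about the transaction it ends up authorizing, so a code entered on a fake site is just as valid at the real site for the next few tens of seconds. The following added example (not code from the post or from ABN Amro; the seed, account numbers, timestamps and the transaction-binding construction are all constructed for the demo) shows the bank-side verification of a plain RFC 4226/6238-style OTP beside a code that is bound to the destination account and amount, and checks which of the two still verifies when presented for a transfer the customer never intended:

```python
"""Added example: plain OTP verification vs. a transaction-bound code.

Everything here is constructed for the demo (seed, accounts, timestamps); the
bound-code construction is a generic design, not ABN Amro's actual scheme.
"""
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as in RFC 6238 TOTP (assumption: the fob is time-based)
WINDOW = 1   # bank accepts the previous and next step to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def login_code(secret: bytes, now: int) -> str:
    """What the customer reads off a time-based fob at time `now` (unix seconds)."""
    return hotp(secret, now // STEP)


def verify_login_code(secret: bytes, code: str, now: int) -> bool:
    """Bank-side check of a login OTP. Note what it never looks at: the transfer being made."""
    base = now // STEP
    return any(hmac.compare_digest(code, hotp(secret, base + d))
               for d in range(-WINDOW, WINDOW + 1))


def _bound_code(secret: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """Transaction-bound code: time step, destination and amount all go into the MAC,
    so the code authorizes exactly one transfer in one time window."""
    msg = struct.pack(">Q", counter) + dest_account.encode() + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    value = struct.unpack(">I", mac[:4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** 8:08d}"


def transaction_code(secret: bytes, dest_account: str, amount_cents: int, now: int) -> str:
    """Code the customer would generate after seeing destination and amount on the fob display."""
    return _bound_code(secret, now // STEP, dest_account, amount_cents)


def verify_transaction_code(secret: bytes, code: str, dest_account: str,
                            amount_cents: int, now: int) -> bool:
    """Bank-side check: recompute the code for THIS transfer and compare."""
    base = now // STEP
    return any(hmac.compare_digest(code, _bound_code(secret, base + d, dest_account, amount_cents))
               for d in range(-WINDOW, WINDOW + 1))


def relay_outcome(secret: bytes, now: int, intended_dest: str, other_dest: str,
                  amount_cents: int, delay: int = 15) -> dict:
    """Model the timing in the article: a code produced at `now` reaches the real bank
    `delay` seconds later, attached to a transfer the customer did not request."""
    arrives = now + delay
    plain = login_code(secret, now)
    bound = transaction_code(secret, intended_dest, amount_cents, now)
    return {
        # A login OTP relayed inside its window is accepted regardless of the transfer.
        "plain_otp_accepted_for_other_transfer":
            verify_login_code(secret, plain, arrives),
        # The bound code only verifies against the transfer it was generated for.
        "bound_code_accepted_for_other_transfer":
            verify_transaction_code(secret, bound, other_dest, amount_cents, arrives),
        "bound_code_accepted_for_intended_transfer":
            verify_transaction_code(secret, bound, intended_dest, amount_cents, arrives),
    }


if __name__ == "__main__":
    SEED = b"constructed-demo-seed-not-a-real-key"   # constructed; real fobs carry a per-customer seed
    print(relay_outcome(SEED, 1_700_000_000, "NL00DEMO0000000001", "NL00DEMO0000000002", 250_000))
```

The bound code defeats a simple relay because the destination and amount are part of what is authenticated, not just the time step. It only helps, though, when the customer sees those details on a display the attacker does not control (the fob itself, not the web page) before confirming; a fake site that persuades the customer to key the attacker's destination into the fob is back to a social-engineering problem.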
