It seems that the best way to avoid phishing attacks is the called Two Factor Authentication (TFA) method, that in simple word uses two independent kind of authentication methods, one “you know”, in the most cases your password, and the other can be one “you have”, most of them are pin number generators called One Time Password Generators (smartcards, authentication tokens, SMS authentication, etc.), or even biometric data scan.

The problem now is the threat called “man in the middle attack” or real time phishing, it occurs when the victim connects to the phishing website, in real-time, the thief connects to the bank website. The credentials that the user submits to the phishing site, including one time passwords (OTPs), are stolen and used immediately by the fraudsters to initiate a fraudulent session with the bank website. That’s why TFA only serves against static phishing attempts.

Obviously, the OTP´s are the most common, because they are easy to use, cheap and it goes very good for static phishing. It´s used not only in the developed countries, in the developing nations are used too.

Well, but going to the problem, it seems that the solution is how we use this Two Factor Authentication methods, the clue is to mix technologies and use different kinds of them and/or use more. For example, the use of three separate 2FA tokens before funds can be transferred out to an external account, when you login, another when you add the payee and when you type the funds transfer. All of this combined with SMS messages of all this transactions, with that you will know is something wrong is occurring with your account.

Sounds slow? Not commercial? Maybe but it´s a way to avoid this fraud or mitigate it, and it´s not expensive to implement, thinking that even the developing countries are increasing very fast their penetrations of cellular phones.

Google Blog (2011, 2). Advanced sign-in security for your Google account. The Official Google Blog. Retrieved September 15, 2011 from

Boodaei, Mickey (2010, 10). Two-Factor authentication powerless against real time phishing attacks, Business Computing World. Retrieved September 15, 2011 from

Schouwenberg, Roel (2008, 10) Attacks on Banks, Americas Global Research and Analysis Team. Retrieved on September 15, 2011 from