Two-factor authentication could still be overcome by phishing scams
Advanced phishing techniques could be used to breach two-factor authentication

Next-gen banking security still not safe

Two-factor authentication has major phishing flaw

Written by Matt Chapman

Two-factor authentication, where banks add one-time passwords and payment confirmation codes to the usual password-based security measures, could still be overcome by phishing scams, a security vendor at Infosec 2006 has warned.

F-Secure said that advanced phishing techniques could be used to breach the system by setting up a fake banking site, contacting the real site and waiting for the password, then getting the user to type in the one-time password that is supposed to protect them.

"The next logical step for phishing sites is to ask people to authenticate themselves, then keep them waiting while the data is entered into the real site," said Mikko Hyppönen, chief research officer at F-Secure. "This is seen by internet criminals as just another hurdle to overcome."

F-Secure also pointed to a breakdown in the two-factor system because vulnerable users could be persuaded to divulge their passwords.

"There's a phishing scam already that asks you for your next five passwords and this is an example of where two points of authentication is not going to help," said Richard Hales, F-Secure's country manager for UK and Ireland.

"The intermediary device collects all the authentication information and passes it through to the bank so you [log in as normal and] don't notice that you've been scammed. But it has caught all five keys and your log-in details."

Hales explained that the scam works because people actually log on to the real site and carry out their business as normal, without being alerted to the scam.

"How many people log on to their bank more than every couple of days? Because you log on, it all works, it's familiar and you log off again. You don't notice that anything has happened," he said.

"In a week's time you go back on again and wonder why there's no money in your bank account."

F-Secure also pointed out that in many cases phishing sites display images from the real banking website, and that banks should make every effort to detect that the images are being downloaded for use elsewhere.
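
One way a bank could act on that last point, as an added example rather than code from the article or from F-Secure: scan the web server's access log (Apache/nginx combined format) for requests to its own image files whose Referer header names an off-site host. The hostnames, paths and log lines below are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts the bank itself serves pages from (assumed values for this example).
OWN_HOSTS = {"www.bank.example", "online.bank.example"}
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".svg", ".ico")

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def foreign_image_referers(lines, own_hosts=OWN_HOSTS):
    """Count image requests per off-site Referer host."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path = urlsplit(m["path"]).path.lower()  # drop any query string
        if not path.endswith(IMAGE_EXT):
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        # An empty or "-" Referer has no hostname and cannot be attributed.
        if host and host not in own_hosts:
            hits[host] += 1
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2006:10:01:02 +0100] "GET /img/logo.gif HTTP/1.1" '
    '200 2326 "https://online.bank.example/login" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Apr/2006:10:01:05 +0100] "GET /img/logo.gif HTTP/1.1" '
    '200 2326 "http://bank-secure-login.example.net/verify.html" "Mozilla/5.0"',
    '198.51.100.24 - - [26/Apr/2006:10:01:09 +0100] "GET /img/padlock.png?v=2 HTTP/1.1" '
    '200 811 "http://bank-secure-login.example.net/verify.html" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Apr/2006:10:02:11 +0100] "GET /img/logo.gif HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Apr/2006:10:02:30 +0100] "GET /login HTTP/1.1" '
    '200 5120 "http://search.example.org/?q=bank" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, count in foreign_image_referers(SAMPLE_LOG).most_common():
        print(f"{count:5d} image requests referred by {host}")
```

This only catches pages that load the images directly from the bank's servers; a fake site that hosts its own copies, or a browser that omits the Referer header, leaves no trace in this log. Legitimate off-site referrers such as partner sites would need to be added to the allowlist before alerting on the results.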
