The problem appears to stem from the evolution of phishing into something that Mickey Boodaei, the firm's CEO, calls real-time phishing.
The security issue was identified thanks to the anonymous monitoring of the millions of users of Trusteer's Rapport security software, which is offered as a free download by several banks in the UK and around the world.
Most phishing attacks seen to date, says the company, have been completely static. In traditional phishing attacks the victim reaches a phishing website, submits login credentials, and these credentials are stored for later use by e-criminals.
2FA technology has been viewed by many as a means of beating static phishing attacks, but Trusteer says the online criminals have developed a way around the security mechanism.
Recently, says Boodaei, his research team noticed an increase, on three different continents, of a type of attack called man-in-the-middle phishing or real-time phishing.
"This tactic allows fraudsters to completely bypass two-factor authentication. The concept is not a new one and is well known in the security world; however, up until now, we haven't seen too many attacks like this. The recent escalation of websites now experiencing this type of attack is a cause for immediate concern", he said.
According to Boodaei, in a man-in-the-middle attack, the phishing website is connected, in real-time, to the bank website. The credentials that the user submits to the phishing site, including one time passwords (OTPs), are stolen and used immediately by the fraudsters to initiate a fraudulent session with the bank website.
It doesn't matter, he claims, if the website is using a dedicated OTP token, SMS authentication, card and reader, or any other type of two-factor authentication.
At first glance, Trusteer says that real-time phishing seems just like any other phishing attack. On closer examination of the malicious website, however, you can determine that it is, in fact, connected in real-time to the bank. This enables any information submitted to the fake web page to be immediately posted to the bank website.
"With real-time phishing, OTPs are becoming useless. There is no update or improvement to OTP that can defeat real time phishing", said Boodaei.
"The best form of defence is to implement dynamic layers of security, including browsing security, that can adapt to and block new threats", he added.