Neilsplace


 
A post relating to this item from Finextra:
Security experts warn of man-in-the-browser threat
Security experts are reporting a surge in so-called "man-in-the-browser" attacks where hackers infect PCs with malicious code that is only triggered when a Web user visits an online bank site.

Man In The Middle


Sorry to say that the only way to really get past the man-in-the-middle attack is to use a second, secure channel to carry out the authentication, and to make that authentication transaction-specific. It has to be used not only for transaction authorisation but also for setting up new payees, for example.

Otherwise the MITM could simply let you input the authentication code, then bounce you an error message ("Please try again in 15 minutes") while he has full access to your account.

There are a number of MITM-resistant authentication solutions out there: Authentify was given the nod by HSBC, while Masabi, the secure mobile developers, have one featuring GrIDsure technology that keeps its security even if both the PC and handset are compromised.

Comments
 
28/11/2007 16:46:16 Ed Daniel, ecxo - Paris added:
Check out Tricerion as well: http://www.tricerion.com
 
29/11/2007 08:54:37 Nick Collin, Collin Consulting Ltd - London added:

You can also protect against man-in-the-middle attacks by using the Transaction Data Signing facility with Remote Chip Authentication (RCA) approaches such as MasterCard's CAP and Visa's DPA. You insert your chip card in the handheld reader and enter the account number of the beneficiary, and the payment amount, as well as your PIN, then press the "Sign" button or its equivalent on the reader. The chip on the card then uses all this information to generate a one-time password which you enter into the PC, effectively signing the transaction. Any attempt by a fraudster to change the transaction is immediately apparent. This is the approach used by, for example, ABN AMRO and the many other banks which now routinely use RCA for secure remote banking.

In my view, using a second channel such as a phone line is expensive, inconvenient and unfamiliar compared with this "Chip & PIN at Home" approach.
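The transaction-signing flow described in the post above ("transaction specific authentication") and in the CAP/DPA "Sign" mode described in this comment, as an added worked example that is not part of the original page and is not MasterCard's, Visa's or any bank's code. The card-side code is modelled as an HMAC over the beneficiary, the amount and a transaction counter, gated by the PIN (real readers derive the code from the card's EMV keys; the HMAC is a stand-in). The card key, PIN, account numbers and amounts are constructed sample values. For contrast it also shows a login-only OTP, which proves the card is present but binds nothing, and a counter check so the same signed code cannot be accepted twice.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values: a per-card secret shared between the chip and the
# bank's authentication server, and the card's PIN. Real CAP/DPA readers derive
# the code from the card's EMV keys; an HMAC over the same fields stands in here.
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00123456789abcdeffedcba9876543210")
CARD_PIN = "4821"


def _truncate(mac: bytes, digits: int = 8) -> str:
    """Dynamic truncation (as in HOTP, RFC 4226) to a short code the user can type."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def _cryptogram(message: bytes) -> str:
    return _truncate(hmac.new(CARD_KEY, message, hashlib.sha256).digest())


def card_sign(pin: str, beneficiary: str, amount_pence: int, atc: int) -> Optional[str]:
    """Reader 'Sign' mode: the card checks the PIN, then MACs the transaction data
    the user typed into the reader. atc is the card's own transaction counter."""
    if not hmac.compare_digest(pin.encode(), CARD_PIN.encode()):
        return None  # wrong PIN: the card refuses to sign
    # Every field the bank will act on goes into the MAC input, in a fixed layout.
    return _cryptogram(f"SIGN|{beneficiary}|{amount_pence}|{atc}".encode())


def card_login_otp(pin: str, atc: int) -> Optional[str]:
    """Reader 'Identify' mode: a code bound only to the counter, not to any payment."""
    if not hmac.compare_digest(pin.encode(), CARD_PIN.encode()):
        return None
    return _cryptogram(f"LOGIN|{atc}".encode())


class Bank:
    """Bank side: recomputes the code over the payment it is about to execute
    and refuses to accept the same counter value twice (no replay)."""

    def __init__(self) -> None:
        self.seen_atc: set[int] = set()

    def accept_payment(self, beneficiary: str, amount_pence: int, atc: int, code: str) -> bool:
        if atc in self.seen_atc:
            return False
        expected = _cryptogram(f"SIGN|{beneficiary}|{amount_pence}|{atc}".encode())
        if not hmac.compare_digest(expected, code):
            return False
        self.seen_atc.add(atc)
        return True

    def accept_login(self, atc: int, code: str) -> bool:
        if atc in self.seen_atc:
            return False
        if not hmac.compare_digest(_cryptogram(f"LOGIN|{atc}".encode()), code):
            return False
        self.seen_atc.add(atc)
        return True


def run_scenario() -> dict:
    """Honest payment, the same signed code against a tampered payment, and a replay."""
    bank = Bank()
    # What the customer keys into the reader (constructed values, not browser input).
    payee, amount, atc = "GB29NWBK60161331926819", 12500, 41
    code = card_sign("4821", payee, amount, atc)
    # A man-in-the-browser rewrites the payment the browser submits to the bank.
    mitb_payee, mitb_amount = "GB94BARC10201530093459", 950000
    tampered_rejected = not bank.accept_payment(mitb_payee, mitb_amount, atc, code)
    honest_accepted = bank.accept_payment(payee, amount, atc, code)
    replay_rejected = not bank.accept_payment(payee, amount, atc, code)
    # Contrast: a login-only OTP proves the card is present but says nothing about
    # the payment, so once it is accepted the MITB may submit whatever it likes.
    otp = card_login_otp("4821", 42)
    login_accepted = bank.accept_login(42, otp)
    return {
        "honest_accepted": honest_accepted,
        "tampered_rejected": tampered_rejected,
        "replay_rejected": replay_rejected,
        "wrong_pin_refused": card_sign("0000", payee, amount, atc) is None,
        "login_otp_unbound": login_accepted,
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

Run it directly to print each check. The point of the fixed `SIGN|beneficiary|amount|atc` layout is that the bank recomputes the code over the payment it will actually execute, so anything the browser changed after the reader was used fails the comparison, and the counter stops a captured code being accepted a second time. What the scheme cannot do is protect a payment whose details the user typed into the reader from a screen the Trojan had already altered, which is why the reader must take the payee and amount from the user directly rather than from the PC.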

 

 
29/11/2007 08:58:25 Bjorn Soland, BBS AS - Banking and Business Solutions - Oslo added:
I agree that a dual-channel approach will give you better protection against some threats, but not in this case. The article discussed "man-in-the-browser" attacks. This is typically a Trojan horse (hostile program) that has taken control of the user's PC. If an attacker has control, he does not need to open the door himself. He can calmly wait until the user has opened it for him and then put up a screen that tells him that the bank is temporarily unavailable. Thus, against this type of threat you can use any number of authentication methods and nothing will help. One dual-channel countermeasure that helps against Trojan horses is to use the mobile as a signing device. The user has to accept the transactions using his mobile signing key/certificate before the bank lets the transaction go through.
 
09/02/2009 15:26:18 Neil Smith, GrIDsure - Cambridge added:

The second channel can be opened back to the user, from the "bank" when an action is taking place.  That would mean that the MITB would be able to see the action taking place, but authentication is carried to the bank through a second channel, opened by them, which is not visible to the MITB.

We have a demonstration version running now, but nothing production-ready.

When we do, I'll tell you about it.

 

 