Blog article
See all stories ¬Ľ

An article relating to this blog post on Finextra:

Security experts warns of man-in-the-browser threat

Security experts are reporting a surge in so-called "man-in-the-browser" attacks where hackers infect PCs with malicious code that is only triggered when a Web user visits an online bank site.


See article

Man In The Middle

Sorry to say that the only way to really get past the Man in the Middle attack is to use a second secure channel to carry out the authentication and a transaction specific authentication.  It has to be used not only for transaction auth, but also for setting up new payees, for example.

Otherwise the MiM could simply let you input the auth, then bounce you an error message - Please try again in 15 minutes - while he has full access to your account.

There are a number of MiM resistant auth. solutions out there, Authentify was given the nod by HSBC, while Masabi, the secure mobile developers, have one featuring GrIDsure technology, that still has security even if both the PC and handset are compromised!

4033

Comments: (4)

Ed Daniel
Ed Daniel - esdaniel.com - Europe 28 November, 2007, 16:46Be the first to give this comment the thumbs up 0 likes Check out Tricerion as well: http://www.tricerion.com
Nick Collin
Nick Collin - Collin Consulting Ltd - London 29 November, 2007, 08:54Be the first to give this comment the thumbs up 0 likes

You can also protect against man-in-the-middle attacks by using the Transaction Data Signing facility with Remote Chip Authentication (RCA) approaches such as MasterCard's CAP and Visa's DPA.  You insert your chip card in the handheld reader and enter the account number of the beneficiary, and the payment amount, as well as your PIN, then press the "Sign" button or its equivalent on the reader.  The chip on the card then uses all this information to generate a one-time-password which you enter into the PC, effectively signing the transaction.  Any attempt by a fraudster to change the transaction is immediately apparent.  This is the approach used by, for example, ABN AMRO and the many other banks which now routinely use RCA for secure remote banking.

In my view, using a second channel such as a phone line is expensive, inconvenient and unfamiliar compared with this "Chip & PIN at Home" approach.

 

A Finextra member
A Finextra member 29 November, 2007, 08:58Be the first to give this comment the thumbs up 0 likes I agree that a dual channel approach will give you better protection against some threats, but not in this case. The article discussed "man in the browser attacks". This is typically a Trojan horse (hostile program) that has taken control over the user's PC. If an attacker has control he does not need to open the door himself. He can calmly wait until the user has opened it for him and then put up a screen that tells him that the bank is temporally unavailable‚ĶThus, on this type of threats you can use any number of authentication methods and nothing will help. One dual channel countermeasure that helps against Trojan horses is to use the mobile as signing device. The user has to accept the transactions by using his mobile signing key/ certificate to before the bank let the transaction go through.  
A Finextra member
A Finextra member 09 February, 2009, 15:26Be the first to give this comment the thumbs up 0 likes

The second channel can be opened back to the user, from the "bank" when an action is taking place.  That would mean that the MITB would be able to see the action taking place, but authentication is carried to the bank through a second channel, opened by them, which is not visible to the MITB.

We have a demonstration version running now, but nothing production ready.

When we do, I'll tell you about it.