Community

Join the Community

23,385
Expert opinions
42,358
Total members
307
New members (last 30 days)
186
New opinions (last 30 days)
29,106
Total comments
Join Sign in

Man In The Middle

  0 2 comments
Retired member
Unfollow

Sorry to say that the only way to really get past the Man in the Middle attack is to use a second secure channel to carry out the authentication and a transaction specific authentication.  It has to be used not only for transaction auth, but also for setting up new payees, for example.

Otherwise the MiM could simply let you input the auth, then bounce you an error message - Please try again in 15 minutes - while he has full access to your account.

There are a number of MiM resistant auth. solutions out there, Authentify was given the nod by HSBC, while Masabi, the secure mobile developers, have one featuring GrIDsure technology, that still has security even if both the PC and handset are compromised!

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

4541
 

Share

 
 
 
 
 

Comments: (4)

Ed Daniel

Ed Daniel Senior Consultant, getting old you know ;-) at esdaniel.com

Check out Tricerion as well: http://www.tricerion.com

Nick Collin

Nick Collin Director at Collin Consulting Ltd

You can also protect against man-in-the-middle attacks by using the Transaction Data Signing facility with Remote Chip Authentication (RCA) approaches such as MasterCard's CAP and Visa's DPA.  You insert your chip card in the handheld reader and enter the account number of the beneficiary, and the payment amount, as well as your PIN, then press the "Sign" button or its equivalent on the reader.  The chip on the card then uses all this information to generate a one-time-password which you enter into the PC, effectively signing the transaction.  Any attempt by a fraudster to change the transaction is immediately apparent.  This is the approach used by, for example, ABN AMRO and the many other banks which now routinely use RCA for secure remote banking.

In my view, using a second channel such as a phone line is expensive, inconvenient and unfamiliar compared with this "Chip & PIN at Home" approach.

 

A Finextra member 

I agree that a dual channel approach will give you better protection against some threats, but not in this case. The article discussed "man in the browser attacks". This is typically a Trojan horse (hostile program) that has taken control over the user's PC. If an attacker has control he does not need to open the door himself. He can calmly wait until the user has opened it for him and then put up a screen that tells him that the bank is temporally unavailable…Thus, on this type of threats you can use any number of authentication methods and nothing will help. One dual channel countermeasure that helps against Trojan horses is to use the mobile as signing device. The user has to accept the transactions by using his mobile signing key/ certificate to before the bank let the transaction go through.  

A Finextra member 

The second channel can be opened back to the user, from the "bank" when an action is taking place.  That would mean that the MITB would be able to see the action taking place, but authentication is carried to the bank through a second channel, opened by them, which is not visible to the MITB.

We have a demonstration version running now, but nothing production ready.

When we do, I'll tell you about it.

 

More expert opinions

Frank Moreno

Frank Moreno CMO at Entersekt

Trusted devices and silent signals could help FIs improve fraud protection

Pete McIntyre

Pete McIntyre Financial Services Director at Planixs

From Regulation to Resilience: Why the ECB’s Intraday Liquidity Guidelines Signal a Strategic Shift

Siobhan Byron

Siobhan Byron EVP, Universal Banking at Finastra

Banking ecosystems (part 2): Cultivating people power through strong leadership and partnerships

Paul Quickenden

Paul Quickenden Chief Commercial Officer at Easy Crypto

Stablecoins, smart contracts and the rise of more intelligent cash

1

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

23,385
Expert opinions
42,358
Total members
307
New members (last 30 days)
186
New opinions (last 30 days)
29,106
Total comments
Join Sign in

Trending

Carlo R.W. De Meijer

Carlo R.W. De Meijer Owner and Economist at MIFSA

Banks and Stablecoins: a first step towards bridging traditional finance and the crypto world

Steve Wilcockson

Steve Wilcockson Technical Product Marketing at Quantexa

Agentic AI Beyond the Buzzwords

Dmytro Spilka

Dmytro Spilka Director and Founder at Solvid, Coinprompter

5 Ways Artificial Intelligence Can Support SMB Growth at a Time of Economic Uncertainty

Eli Talmor

Eli Talmor CEO at ID-Bound

Pay with TRIO: The E-Commerce Breakthrough with Stablecoins.

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept