Security experts warn of man-in-the-browser threat

Security experts are reporting a surge in so-called "man-in-the-browser" attacks where hackers infect PCs with malicious code that is only triggered when a Web user visits an online bank site.

Helsinki-based digital security firm F-Secure is warning that this new type of malware can retrieve information - such as logins and passwords - entered on a legitimate bank site by intercepting the HTML code in the Web browser. Criminals then store the personal data on FTP sites before selling it on.

Mikko Hypponen, chief research officer at F-Secure, says: "With the enhancements that banks have deployed in terms of authentication security on their online banking sites, phishing attacks are becoming less and less effective, and attacks of the 'man in the browser' type are set to increase."

F-Secure says security products using behavioural analysis are the most effective against these attacks, as the malicious code is designed specifically for certain banking sites. It is not distributed en masse like phishing emails.

Earlier this month, Connecticut-based start-up security firm KeyID reported that it is in discussions with banks about testing its patent-pending SecureOTP technology, which uses one-time passwords (OTPs) to add an extra layer of security to two-factor authentication methods in order to protect against man-in-the-browser and man-in-the-middle attacks as well as phishing and pharming.

The KeyID system works at the authentication stage of a transaction, providing a separate encryption packed with the OTP, meaning any hacker who tries to intercept the transmission cannot read the password information.

KeyID president and CEO, Sunil Ippagunta, told reporters that, although man-in-the-browser attacks could still occur after secure authentication is set up, the criminal wouldn't be able to read the secured credentials because they are only valid for specific sessions and channels.

The start-up is expected to begin testing the technology in the first quarter of 2008, before a rollout in Q2.

Gail Kerr, executive vice president of business development for KeyID, says the company has demonstrated the technology to PayPal, Bank of America and CitiBank.
