SlideShare une entreprise Scribd logo
1  sur  5
Cognizant White Paper




Identifying, Mitigating
Man-in-the-Middle (MitM) Attacks


    Executive Summary                                   A MitM attack can only succeed when the
                                                        attacker can impersonate each victim to the
    To complete online banking transactions,            satisfaction of the other. Most cryptographic
    consumers key-in credentials to authentic their     protocols include some form of endpoint
    identities and gain website access to a host of     authentication specifically to prevent MitM
    personal data and various banking applications.     attacks. For example, SSL authenticates the
    But there is always a possibility that a criminal   server using a mutually trusted certification
    is lurking in cyberspace or on the public phone     authority.
    network to intercept these details using Man-in-
    the Middle (MitM) attack techniques. This white     Typically during the attack, the attacker lures
    paper explains the MitM concept, highlights         the end user to a fraudulent site via phishing,
    Man-in-the-Browser (MitB) and Man-in-the-           DNS attacks, or other methods. Once there, the
    Phone (MitP) attack techniques, and offers          attacker utilizes vulnerable authentication
    actionable advice to consumers and banks on         methods (e.g., username/password, tokens) to
    ways to detect and mitigate the impact of such      attack and replay the session — thus “stealing”
    fraudulent intrusions.                              the legitimate user’s ID. One way to prevent
                                                        MitM attacks is to authenticate both the client
    Man-in-the-Middle Attack                            and server. The technology to implement a safe
                                                        transaction utilizes x.509 certificates in a public
    The Man-in-the-Middle attack (often abbreviat-      key infrastructure deployment.
    ed MitM) is a form of active eavesdropping in
    which the attacker makes independent connec-        While MitM breaches have plagued online
    tions with the victims (typically end users and     banking for some time, a new and more
    banks) and relays messages between them,            insidious twist involves the Man-in-the-Browser
    making them believe that they are talking           (MitB) and Man-in-the-phone (MitP) attacks.
    directly to each other over a private connection    Let’s have at look at these forms of attack.
    when in fact the entire conversation is con-
    trolled by the attacker.                            Man-in-the-Browser
    To succeed, the attacker must intercept all         Man-in-the-Browser (MitB) is a Trojan (e.g., non-
    messages transmitted between the two victims        self-replicating malware) that infects a Web
    and substitute new ones.                            browser and has the ability to modify pages,




                                                          white paper
How Man-in-the Middle Attacks Work
                          End User                                      Enterprise
                      (Browser Based)                                   Web Server




                                                           Hacker




Figure 1




modify transaction content or insert additional        One of the most effective methods in combating
transactions, all in a completely covert fashion       a MitB attack is through an Out-of-Band (OOB)
invisible to both the user and host application. A     transaction verification process. This over-
MitB attack can succeed irrespective of whether        comes the MitB Trojan by verifying the transac-
security mechanisms such as SSL/PKI and/or             tion details, as received by the host (bank), to
two- or three-factor authentication solutions          the user (customer) over a channel other than
are in place. The only way to counter a MitB           the browser; typically an automated telephone
attack is by utilizing transaction verification1 ,2.   call. OOB transaction verification is ideal for
                                                       mass market use since it leverages devices
The MitB Trojan works by utilizing common              already in the public domain (e.g., landline,
facilities provided to enhance browser                 cell phone, etc.) and requires no additional
capabilities such as browser helper objects etc.,      hardware devices, yet it enables “three-factor”
and is therefore virtually undetectable to virus       authentication (utilizing voice biometrics),
scanning software. For example, in an Internet         transaction signing and transaction verification.
banking transaction such as a funds transfer, the
customer will always be shown, via confirmation        Here’s how a typical MitB attack works:
screens, the exact payment information as keyed
into the browser. When a MitB Trojan is applied to     I   Victim accesses the bank’s website to per-
the transaction, the bank receives materially              form an online banking transaction.
altered instructions (i.e., a different destination    I   Enters Username for Identity authentication.
account number and possibly amount). The use
                                                       I   Enters PIN details and submit request.
of strong authentication tools primarily
authenticates the validity of identity credentials     I   Typically as the page is rendered, software
and creates an increased level of false                    now resident in the victim’s browser wakes up
confidence on the part of both customer and                (This malicious bit of code was installed
bank that the transaction is secure.                       unknowingly on his machine (during the
                                                           download of a screen saver or video clip).
An example of a MitB threat is Silentbanker.           I   This software inserts few additional lines into
Silentbanker is a Trojan horse that records                the code — maybe five lines of JavaScript — an
keystrokes, captures screen images, and steals             alert box, a timer function, and maybe some
confidential financial information to send to the          in-page content -and sends a message to the
remote attacker.                                           hacker, far away.




                                        white paper         2
I   What happens next looks perfectly normal.               has started an authenticated session and is
    Upon loading, the alert box pops up — some-             ready to transact, using the credentials con-
    thing like the dialog box pictured below — and          tained in the message.
    says “Server synchronization in process...          I   The hacker gets all the essential details and
    please be patient”, accompanied by an ani-              can login as the victim and move funds.
    mated GIF in the bank’s colors.
                                                        I   And sometimes, the crimeware is configured
I   Except at that moment, as the victim watches            in such a way that it allows the hacker session
    the seconds pass, a hacker somewhere is                 to kick in when the victim “logs out”.
    receiving a timely message that the victim




                                    Anatomy of an MitB Attack

               Authentic Site                                                  Man-in-the-Middle




                                                 Internet


           Revised chart to
           come                                      User                           Spoofed Content
                                                                                    Real Page Contents
                                                                                    Request to Real Site
                                                                                    Request to Spoofed URL



Figure 2



Man-in-the-Phone                                        deception during a phone conversation to
                                                        convince an individual to divulge information.
Telephone banking customers and banks need
to be aware of a new low-tech, Man-in-the-              Here’s how a typical MitP attack works:
Phone (MitP), fraud technique being employed
by criminals.                                           I   In a typical MitP attack, a fraudster imperson-
                                                            ates a bank representative and calls the bank-
MitP scams have observed at several large retail            ing customer to inform him/her that his/her
banks. These scams appear to have originally                savings, checking or card account may have
targeted British banks but this fraud is now                been breached or compromised.
spreading to the U.S. and Canada.                       I   The fraudster advises the customer that to
                                                            remedy the situation he/she should remain on
MitP blends new and old fraud techniques to
                                                            the line and verify a few account details.
trick banking customers into authorizing
transactions via the phone channel. MitP builds         I   At the same time, the fraudster initiates a call
on the successes realized from MitB attacks in              to the customer's bank and connects the cus-
which criminals use Trojans to infect users'                tomer with a real bank representative while
Internet browsers to modify transaction content             the fraudster remains muted on the line.
or insert additional transactions, all in a             I   The bank requests authentication informa-
completely covert fashion invisible to both the             tion, such as social security number, pass-
user and host application. MitP also leverages              words and other personal information, which
“social engineering,” by using trickery or                  is then provided by the customer.



                                                 3          white paper
I   Once the personal information is provided,        anomaly detection technologies with better call
        the fraudster quickly ends the conference line    center processes and training. Call center
        and informs the customer that the issue has       employees should be trained to listen more
        been resolved.                                    closely and ask who originated the call. Attacks
    I   Meanwhile, with the personal information          may be thwarted or losses minimized if bank
        gathered during the call, the fraudster can       employees ask simple (but random instead of
        take over the customer's phone banking rela-      static) security questions at various points in
        tionship and transfer money out of the cus-       the phone conversation when confirming
        tomer's accounts.                                 personal credentials. Fraudsters are less likely
                                                          to trick customers into sharing answers to
                                                          several security questions.
    Precautions against MitP Attacks
    For consumers: It is recommended that banking         Conclusion
    customers never share account or personal
    information with anyone that calls and requests       As consumers shift more financial transactions
    to ”verify” banking credentials. Customers            to secure online arenas, fraudsters have
    should always tell such callers that they will call   become more creative in utilizing traditional
    the bank to provide such information using the        telephones. Access through mail and telephone
    bank’s phone number listed on the back of an          transactions grew from 3% of ID theft in 2006
    ATM, debit or credit card. While this sounds          to around 40% in recent years, and fraudsters
    obvious, many consumers do not take this simple       are getting creative and leveraging new
    precaution.                                           techniques, so consumers need to be as diligent
                                                          as ever in protecting their personal information.
    For banks: It is recommended that banks
    combine cross-channel behavior profiling and


Footnotes
1       The MitB threat was demonstrated by Augusto Paes de Barros in his presentation, “O futuro dos
        backdoors — o pior dos mundos”, covering backdoor website intrusions in September 2005.
2       Anointed MitB by Philipp Gühring in a white paper, “Concepts against Man-in-the-Browser Attacks”
                                                                                                       ,
        published January 27, 2007.



    About the Author
    Dhananjay Sakhalkar is a consultant within the Cognizant Business Consulting, Wholesale Banking
    group. His areas of expertise include Payments & Cash Management, Financial Messaging, and
    Business Lending. Dhananjay has more than 12 years of experience in the areas of business consulting,
    application development, requirements gathering, project management, and is a PMP certified
    professional. He can be reached at Dhananjay.sakhalkar@cognizant.com.




                                      white paper         4
About Cognizant
            Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business
            process outsourcing services. Cognizant's single-minded passion is to dedicate our global technology and
            innovation know-how, our industry expertise and worldwide resources to working together with clients to
            make their businesses stronger. With over 50 global delivery centers and more than 68,000 employees as
            of September 30, 2009, we combine a unique onsite/offshore delivery model infused by a distinct culture
            of customer satisfaction. A member of the NASDAQ-100 Index and S&P 500 Index, Cognizant is a Forbes
            Global 2000 company and a member of the Fortune 1000 and is ranked among the top information tech-
            nology companies in BusinessWeek's Hot Growth and Top 50 Performers listings.

            Start Today
            For more information on how to drive your business results with Cognizant, contact us at
            inquiry@cognizant.com or visit our website at www.cognizant.com.


                                                                                             World Headquarters                       European Headquarters                     India Operations Headquarters
                                                                                             500 Frank W. Burr Blvd.                  Haymarket House                           #5/535, Old Mahabalipuram Road
                                                                                             Teaneck, NJ 07666 USA                    28-29 Haymarket                           Okkiyam Pettai, Thoraipakkam
                                                                                             Phone: +1 201 801 0233                   London SW1Y 4SP UK                        Chennai, 600 096 India
                                                                                             Fax: +1 201 801 0243                     Phone: +44 (0) 20 7321 4888               Phone: +91 (0) 44 4209 6000
                                                                                             Toll Free: +1 888 937 3277               Fax: +44 (0) 20 7321 4890                 Fax: +91 (0) 44 4209 6060
                                                                                             Email: inquiry@cognizant.com             Email: infouk@cognizant.com               Email: inquiryindia@cognizant.com


© Copyright 2009, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

Contenu connexe

Plus de Cognizant

The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityCognizant
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersCognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalCognizant
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueCognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachCognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudCognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedCognizant
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the FutureCognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformCognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...Cognizant
 
The Timeline of Next
The Timeline of NextThe Timeline of Next
The Timeline of NextCognizant
 
Realising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainRealising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainCognizant
 
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardThe Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardCognizant
 
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearUse AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearCognizant
 
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...Cognizant
 
The Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyThe Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyCognizant
 
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareThe Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareCognizant
 

Plus de Cognizant (20)

The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 
The Timeline of Next
The Timeline of NextThe Timeline of Next
The Timeline of Next
 
Realising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainRealising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value Chain
 
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardThe Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
 
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearUse AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
 
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
 
The Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyThe Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital Supremacy
 
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareThe Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
 

Dernier

7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfJohnCarloValencia4
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...IMARC Group
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Onlinelng ths
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024Stephan Koning
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsWristbands Ireland
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examplesamberjiles31
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toumarfarooquejamali32
 

Dernier (20)

7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and Festivals
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 

How to identify and mitigate Man In The Middle (MITM) Attacks

  • 1. Cognizant White Paper Identifying, Mitigating Man-in-the-Middle (MitM) Attacks Executive Summary A MitM attack can only succeed when the attacker can impersonate each victim to the To complete online banking transactions, satisfaction of the other. Most cryptographic consumers key-in credentials to authentic their protocols include some form of endpoint identities and gain website access to a host of authentication specifically to prevent MitM personal data and various banking applications. attacks. For example, SSL authenticates the But there is always a possibility that a criminal server using a mutually trusted certification is lurking in cyberspace or on the public phone authority. network to intercept these details using Man-in- the Middle (MitM) attack techniques. This white Typically during the attack, the attacker lures paper explains the MitM concept, highlights the end user to a fraudulent site via phishing, Man-in-the-Browser (MitB) and Man-in-the- DNS attacks, or other methods. Once there, the Phone (MitP) attack techniques, and offers attacker utilizes vulnerable authentication actionable advice to consumers and banks on methods (e.g., username/password, tokens) to ways to detect and mitigate the impact of such attack and replay the session — thus “stealing” fraudulent intrusions. the legitimate user’s ID. One way to prevent MitM attacks is to authenticate both the client Man-in-the-Middle Attack and server. The technology to implement a safe transaction utilizes x.509 certificates in a public The Man-in-the-Middle attack (often abbreviat- key infrastructure deployment. ed MitM) is a form of active eavesdropping in which the attacker makes independent connec- While MitM breaches have plagued online tions with the victims (typically end users and banking for some time, a new and more banks) and relays messages between them, insidious twist involves the Man-in-the-Browser making them believe that they are talking (MitB) and Man-in-the-phone (MitP) attacks. directly to each other over a private connection Let’s have at look at these forms of attack. when in fact the entire conversation is con- trolled by the attacker. Man-in-the-Browser To succeed, the attacker must intercept all Man-in-the-Browser (MitB) is a Trojan (e.g., non- messages transmitted between the two victims self-replicating malware) that infects a Web and substitute new ones. browser and has the ability to modify pages, white paper
  • 2. How Man-in-the Middle Attacks Work End User Enterprise (Browser Based) Web Server Hacker Figure 1 modify transaction content or insert additional One of the most effective methods in combating transactions, all in a completely covert fashion a MitB attack is through an Out-of-Band (OOB) invisible to both the user and host application. A transaction verification process. This over- MitB attack can succeed irrespective of whether comes the MitB Trojan by verifying the transac- security mechanisms such as SSL/PKI and/or tion details, as received by the host (bank), to two- or three-factor authentication solutions the user (customer) over a channel other than are in place. The only way to counter a MitB the browser; typically an automated telephone attack is by utilizing transaction verification1 ,2. call. OOB transaction verification is ideal for mass market use since it leverages devices The MitB Trojan works by utilizing common already in the public domain (e.g., landline, facilities provided to enhance browser cell phone, etc.) and requires no additional capabilities such as browser helper objects etc., hardware devices, yet it enables “three-factor” and is therefore virtually undetectable to virus authentication (utilizing voice biometrics), scanning software. For example, in an Internet transaction signing and transaction verification. banking transaction such as a funds transfer, the customer will always be shown, via confirmation Here’s how a typical MitB attack works: screens, the exact payment information as keyed into the browser. When a MitB Trojan is applied to I Victim accesses the bank’s website to per- the transaction, the bank receives materially form an online banking transaction. altered instructions (i.e., a different destination I Enters Username for Identity authentication. account number and possibly amount). The use I Enters PIN details and submit request. of strong authentication tools primarily authenticates the validity of identity credentials I Typically as the page is rendered, software and creates an increased level of false now resident in the victim’s browser wakes up confidence on the part of both customer and (This malicious bit of code was installed bank that the transaction is secure. unknowingly on his machine (during the download of a screen saver or video clip). An example of a MitB threat is Silentbanker. I This software inserts few additional lines into Silentbanker is a Trojan horse that records the code — maybe five lines of JavaScript — an keystrokes, captures screen images, and steals alert box, a timer function, and maybe some confidential financial information to send to the in-page content -and sends a message to the remote attacker. hacker, far away. white paper 2
  • 3. I What happens next looks perfectly normal. has started an authenticated session and is Upon loading, the alert box pops up — some- ready to transact, using the credentials con- thing like the dialog box pictured below — and tained in the message. says “Server synchronization in process... I The hacker gets all the essential details and please be patient”, accompanied by an ani- can login as the victim and move funds. mated GIF in the bank’s colors. I And sometimes, the crimeware is configured I Except at that moment, as the victim watches in such a way that it allows the hacker session the seconds pass, a hacker somewhere is to kick in when the victim “logs out”. receiving a timely message that the victim Anatomy of an MitB Attack Authentic Site Man-in-the-Middle Internet Revised chart to come User Spoofed Content Real Page Contents Request to Real Site Request to Spoofed URL Figure 2 Man-in-the-Phone deception during a phone conversation to convince an individual to divulge information. Telephone banking customers and banks need to be aware of a new low-tech, Man-in-the- Here’s how a typical MitP attack works: Phone (MitP), fraud technique being employed by criminals. I In a typical MitP attack, a fraudster imperson- ates a bank representative and calls the bank- MitP scams have observed at several large retail ing customer to inform him/her that his/her banks. These scams appear to have originally savings, checking or card account may have targeted British banks but this fraud is now been breached or compromised. spreading to the U.S. and Canada. I The fraudster advises the customer that to remedy the situation he/she should remain on MitP blends new and old fraud techniques to the line and verify a few account details. trick banking customers into authorizing transactions via the phone channel. MitP builds I At the same time, the fraudster initiates a call on the successes realized from MitB attacks in to the customer's bank and connects the cus- which criminals use Trojans to infect users' tomer with a real bank representative while Internet browsers to modify transaction content the fraudster remains muted on the line. or insert additional transactions, all in a I The bank requests authentication informa- completely covert fashion invisible to both the tion, such as social security number, pass- user and host application. MitP also leverages words and other personal information, which “social engineering,” by using trickery or is then provided by the customer. 3 white paper
  • 4. I Once the personal information is provided, anomaly detection technologies with better call the fraudster quickly ends the conference line center processes and training. Call center and informs the customer that the issue has employees should be trained to listen more been resolved. closely and ask who originated the call. Attacks I Meanwhile, with the personal information may be thwarted or losses minimized if bank gathered during the call, the fraudster can employees ask simple (but random instead of take over the customer's phone banking rela- static) security questions at various points in tionship and transfer money out of the cus- the phone conversation when confirming tomer's accounts. personal credentials. Fraudsters are less likely to trick customers into sharing answers to several security questions. Precautions against MitP Attacks For consumers: It is recommended that banking Conclusion customers never share account or personal information with anyone that calls and requests As consumers shift more financial transactions to ”verify” banking credentials. Customers to secure online arenas, fraudsters have should always tell such callers that they will call become more creative in utilizing traditional the bank to provide such information using the telephones. Access through mail and telephone bank’s phone number listed on the back of an transactions grew from 3% of ID theft in 2006 ATM, debit or credit card. While this sounds to around 40% in recent years, and fraudsters obvious, many consumers do not take this simple are getting creative and leveraging new precaution. techniques, so consumers need to be as diligent as ever in protecting their personal information. For banks: It is recommended that banks combine cross-channel behavior profiling and Footnotes 1 The MitB threat was demonstrated by Augusto Paes de Barros in his presentation, “O futuro dos backdoors — o pior dos mundos”, covering backdoor website intrusions in September 2005. 2 Anointed MitB by Philipp Gühring in a white paper, “Concepts against Man-in-the-Browser Attacks” , published January 27, 2007. About the Author Dhananjay Sakhalkar is a consultant within the Cognizant Business Consulting, Wholesale Banking group. His areas of expertise include Payments & Cash Management, Financial Messaging, and Business Lending. Dhananjay has more than 12 years of experience in the areas of business consulting, application development, requirements gathering, project management, and is a PMP certified professional. He can be reached at Dhananjay.sakhalkar@cognizant.com. white paper 4
  • 5. About Cognizant Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services. Cognizant's single-minded passion is to dedicate our global technology and innovation know-how, our industry expertise and worldwide resources to working together with clients to make their businesses stronger. With over 50 global delivery centers and more than 68,000 employees as of September 30, 2009, we combine a unique onsite/offshore delivery model infused by a distinct culture of customer satisfaction. A member of the NASDAQ-100 Index and S&P 500 Index, Cognizant is a Forbes Global 2000 company and a member of the Fortune 1000 and is ranked among the top information tech- nology companies in BusinessWeek's Hot Growth and Top 50 Performers listings. Start Today For more information on how to drive your business results with Cognizant, contact us at inquiry@cognizant.com or visit our website at www.cognizant.com. World Headquarters European Headquarters India Operations Headquarters 500 Frank W. Burr Blvd. Haymarket House #5/535, Old Mahabalipuram Road Teaneck, NJ 07666 USA 28-29 Haymarket Okkiyam Pettai, Thoraipakkam Phone: +1 201 801 0233 London SW1Y 4SP UK Chennai, 600 096 India Fax: +1 201 801 0243 Phone: +44 (0) 20 7321 4888 Phone: +91 (0) 44 4209 6000 Toll Free: +1 888 937 3277 Fax: +44 (0) 20 7321 4890 Fax: +91 (0) 44 4209 6060 Email: inquiry@cognizant.com Email: infouk@cognizant.com Email: inquiryindia@cognizant.com © Copyright 2009, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.