In the last post, ITSC introduced the Man In The Middle (MITM) attack. This time around ITSC is going to introduce another threat to IT security that works quite similarly to MITM. It is called Man In The Browser (often abbreviated MITB). MITB operates more or less like MITM, but it is a little more threatening because the attack actually penetrates the security of your computer by injecting a Trojan Horse. This Trojan Horse infects your internet browser so that it can manipulate your transactions, modify your pages, modify transaction content or even add additional content to your transaction. All of these actions are totally INVISIBLE to both the client and the host, because the tampering happens inside the browser after the page is decrypted and before the request is re-encrypted.
Known MITB Trojans include Zeus, Zbot, URLZone and SpyEye, but how does MITB actually work? An MITB attack has two phases, and both must succeed. The first phase is Infection. Before manipulating any of your data, the attacker first has to place a Trojan on your computer. It can take many forms, such as Browser Helper Objects (BHO), browser extensions and even browser scripting. The attacker can use methods like tricking the victim into visiting a URL, opening a certain PDF or running an executable file. Once phase 1 succeeds, the attacker can continue with the second phase.
In the second phase, the attacker starts to collect data. The MITB Trojan can be smart enough to stay inactive until the user browses a particular online banking website, and only then does it silently activate. The attacker can simply harvest information and wait until the user starts making a transaction request. At this critical point, the attacker alters the necessary details (for example the beneficiary account and the amount) and submits the modified transaction to the host server. Since the host server has no idea that an attack is taking place, it just processes the transaction as usual.
In today’s IT security technology, typical two factor authentication such as One Time Password (OTP) or Public Key Infrastructure (PKI), or even three factor authentication such as biometrics, is completely useless against MITB. You can say it is just an added layer of security on top of static password authentication, but it will not help in defending against MITB: the user still authenticates genuinely, and the Trojan simply rides on that authenticated session to submit a transaction the user never intended.
What are MITB defenses?
- Antivirus – Using antivirus helps only a little in defending against MITB, as Trojans/viruses nowadays change so rapidly that even the latest antivirus definitions may not recognize them.
- Computer just for online banking – Having a computer that does nothing else, not even web browsing, downloading or data transfer, but is used only for online banking can prevent it from being infected.
- Hardened web browser on a USB device – It is quite hard for malware to infect this browser, but it is pretty inconvenient when certain organizations do not allow USB devices to simply be plugged in.
- OTP token / EMV-CAP OTP with signature – An OTP token with a keypad that can electronically sign the transaction details (beneficiary, amount) with a certain algorithm, so that the code is only valid for the transaction the user keyed in.
- Out of Band (OOB) transaction – OOB transactions can be said to be the most convenient and efficient way to fight MITB. OOB works in such a way that the host uses another channel (such as the mobile phone) to communicate with the banking user and present the transaction details as the host actually received them. The user has to confirm these transaction details via the same channel to complete the transaction, so any alteration made in the browser becomes visible. This method can be further secured by requiring an OTP when confirming the transaction details.
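The difference between a plain OTP and the transaction-signing OTP described in the list above, shown as an added example (not code from ITSC or from any real token): the token secret, counter and account numbers are constructed demo values, and the HMAC-based code derivation stands in for whatever algorithm a real EMV-CAP token uses.

```python
import hmac
import hashlib
import struct

# Constructed demo values: in practice the shared secret lives in the token and at the bank.
TOKEN_SECRET = b"demo-token-secret-not-real"
COUNTER = 42


def _truncate(mac: bytes) -> str:
    # Six-digit code derived from the MAC, in the style of HOTP truncation.
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def plain_otp(secret: bytes, counter: int) -> str:
    # Depends only on secret and counter, so it is valid for ANY transaction content.
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def signed_otp(secret: bytes, counter: int, tx: dict) -> str:
    # Bound to the details the user keyed into the token (beneficiary and amount).
    msg = struct.pack(">Q", counter) + f"{tx['beneficiary']}|{tx['amount']}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(code: str, counter: int, tx: dict, transaction_bound: bool) -> bool:
    # The bank recomputes the code over the transaction it actually received.
    if transaction_bound:
        expected = signed_otp(TOKEN_SECRET, counter, tx)
    else:
        expected = plain_otp(TOKEN_SECRET, counter)
    return hmac.compare_digest(code, expected)


def simulate(transaction_bound: bool) -> dict:
    # What the user intended and keyed into the token (constructed sample).
    intended = {"beneficiary": "ACC-1001", "amount": "100.00"}
    # What an infected browser actually submits to the bank (constructed sample).
    tampered = {"beneficiary": "ACC-9999", "amount": "5000.00"}
    if transaction_bound:
        code = signed_otp(TOKEN_SECRET, COUNTER, intended)
    else:
        code = plain_otp(TOKEN_SECRET, COUNTER)
    return {
        "honest_accepted": bank_accepts(code, COUNTER, intended, transaction_bound),
        "tampered_accepted": bank_accepts(code, COUNTER, tampered, transaction_bound),
    }


if __name__ == "__main__":
    print("plain OTP :", simulate(False))   # tampered transaction still accepted
    print("signed OTP:", simulate(True))    # tampered transaction rejected
```

The plain OTP verifies for the tampered transaction because nothing ties the code to the content; the transaction-bound code fails as soon as the beneficiary or amount differs from what the user typed into the token.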
As we reach the end of this topic, ITSC would like to conclude that MITB attacks are very powerful and that the normal two factor authentication used these days is no longer effective against them. MITB is also moving to the mobile platform, where smartphones are heavily used for banking; ITSC will cover some of the mobile platform attacks in a future post. One last sentence for users who frequently make large transactions: it is advisable not to enable the online banking feature on your account if the defenses mentioned above are not practiced.