
Counter-measures against Man-in-the-Browser attacks – Part 2


In the last blog, we discussed some counter-measures against Man-in-the-Browser attacks for end-users. However, we saw that most client-side counter-measures do not protect completely against such attacks. The best counter-measures against Man-in-the-Browser attacks need to be implemented by the bank or the application developer. Here we will discuss some such counter-measures which banks or application developers can take to secure their banking applications against Man-in-the-Browser attacks.


Man-in-the-Browser attack measures:

| Counter-measure | Effectiveness against MITB | Why? |
|---|---|---|
| Enforce strong passwords; use encryption (e.g. SSL or client-side encryption); multi-factor authentication; CSRF tokens; challenge-response; CAPTCHA, etc. | Not effective | Malware can intercept the password or simply wait until the user is authenticated and then modify the requests. |
| IP location tracking, device/browser profiling | Not effective | This is effective only when credentials are stolen and used from elsewhere. In a MITB attack the request comes from the genuine user's browser, so the server cannot distinguish it based on IP location or device profile. |
| Provide your customers with hardened browsers on USB, also containing cryptographic smart tokens for authentication | Moderately effective | Smart tokens do not add security against MITB, but hardened browsers are a more difficult target to infect. |
| OTP token with signature | Effective, but inconvenient for users | The user has to key in the transaction details again on the OTP device, which generates a signature based on those details, so the signature would not match if the MITB modifies the transfer request. |
| Out-of-band (OOB) transaction details confirmation with OTP | Effective | Out-of-band confirmation of the details by phone call or SMS, carrying the full details of the transaction, ensures that the user can see the details of the transaction before proceeding. |
| Fraud detection based on transaction type and amount | Moderately effective; however, it is typically not real-time and hence a reactive protection rather than a proactive one | Some banks have fraud detection based on transaction details. However, such detection is typically done as a batch process and not in real time, so any detection normally comes well after the attack. |
| Fraud detection based on user behaviour | Usually effective, and difficult to defeat if implemented correctly | User profiling creates a baseline of normal behaviour so that abnormal behaviour can be detected and the user alerted before an actual transaction takes place. |
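The two "Effective" rows above (OTP token with signature, and OOB confirmation with OTP) both work because the one-time code is bound to the transaction details the user actually saw, not merely to the session. The following is an added example, not code from the original post or from any bank's product, showing one way to implement that binding server-side: the signing device computes an HMAC over the canonical transaction details plus a time step, and the server recomputes it over the details that arrived in the request. The secret key, the field layout, the 30-second time step and the `simulate_mitb` helper are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed example key shared between the bank and the user's signing device.
# In a real deployment it is provisioned into the token and never sent to the browser.
USER_DEVICE_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def canonical_transaction(beneficiary: str, amount_cents: int, currency: str) -> bytes:
    """Deterministic encoding of exactly the fields the user re-keys into the device."""
    return f"{beneficiary.strip().upper()}|{amount_cents:d}|{currency.upper()}".encode()


def current_step(step_seconds: int = 30) -> int:
    """Time step for the code, assumed 30 s as in common TOTP deployments."""
    return int(time.time() // step_seconds)


def device_sign(secret, beneficiary, amount_cents, currency, time_step=None) -> str:
    """What the offline OTP device computes after the user keys in the transfer details."""
    step = current_step() if time_step is None else time_step
    msg = struct.pack(">Q", step) + canonical_transaction(beneficiary, amount_cents, currency)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP: 4 bytes at an offset chosen by the last nibble.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


def server_verify(secret, beneficiary, amount_cents, currency, submitted_code,
                  now_step=None, drift=1) -> bool:
    """Recompute the code over the details that actually arrived in the HTTP request.

    A MITB that rewrites beneficiary or amount in transit leaves the user's code
    unchanged, so the recomputed value no longer matches and the transfer is refused.
    """
    now = current_step() if now_step is None else now_step
    for step in range(now - drift, now + drift + 1):  # tolerate small clock skew
        expected = device_sign(secret, beneficiary, amount_cents, currency, time_step=step)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def simulate_mitb(secret, step=1000) -> bool:
    """Constructed scenario: user signs one transfer, malware submits another with the same code."""
    code = device_sign(secret, "ALICE SMITH", 25000, "EUR", time_step=step)
    # The browser-resident malware rewrites the request body before it leaves the PC.
    tampered = {"beneficiary": "MULE ACCOUNT", "amount_cents": 480000, "currency": "EUR"}
    return server_verify(secret, tampered["beneficiary"], tampered["amount_cents"],
                         tampered["currency"], code, now_step=step)


if __name__ == "__main__":
    print("tampered transfer accepted:", simulate_mitb(USER_DEVICE_SECRET))  # False
```

The same binding is what makes the OOB row effective: if the bank's SMS carries both the full details and a code derived from them, a code confirming the details the user read cannot be reused to approve details the malware substituted. The mitigation only holds if the device displays or requires entry of the fields an attacker would want to change (at least beneficiary and amount); a code bound only to the session would verify regardless of tampering.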
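The last row describes profiling a user's normal behaviour so that an abnormal transfer can be held and confirmed before it executes. As an added example, not from the original post or any bank's fraud engine, the block below builds a per-user baseline (known beneficiaries, amount distribution, usual hours of activity) from a constructed transaction history and scores a new transfer in real time, returning a decision the bank can act on before the money moves. The scoring weights, the 50-point threshold and the sample history are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Transaction:
    hour: int             # local hour of day the transfer was submitted
    beneficiary: str
    amount_cents: int


@dataclass
class Baseline:
    beneficiaries: set
    amount_mean: float
    amount_std: float
    active_hours: set


def build_baseline(history) -> Baseline:
    """Summarise a user's past transfers into a profile of 'normal' for that user."""
    amounts = [t.amount_cents for t in history]
    return Baseline(
        beneficiaries={t.beneficiary for t in history},
        amount_mean=mean(amounts),
        amount_std=pstdev(amounts) or 1.0,   # guard against a zero spread
        active_hours={t.hour for t in history},
    )


def risk_score(baseline: Baseline, tx: Transaction):
    """Additive score with human-readable reasons; weights are an assumption."""
    score, reasons = 0, []
    if tx.beneficiary not in baseline.beneficiaries:
        score += 40
        reasons.append("first transfer to this beneficiary")
    z = (tx.amount_cents - baseline.amount_mean) / baseline.amount_std
    if z > 3:
        score += 40
        reasons.append(f"amount is {z:.1f} standard deviations above baseline")
    if tx.hour not in baseline.active_hours:
        score += 20
        reasons.append("submitted outside the user's usual hours")
    return score, reasons


def decide(baseline: Baseline, tx: Transaction, threshold: int = 50) -> str:
    """'allow' executes immediately; 'step_up' holds the transfer for out-of-band confirmation."""
    score, _ = risk_score(baseline, tx)
    return "step_up" if score >= threshold else "allow"


# Constructed history for one user: monthly rent, groceries and a utility bill, daytime only.
SAMPLE_HISTORY = [
    Transaction(9, "RENT-LANDLORD", 120000),
    Transaction(12, "GROCER-01", 6500),
    Transaction(18, "GROCER-01", 7200),
    Transaction(14, "UTILITY-CO", 4300),
    Transaction(9, "RENT-LANDLORD", 120000),
    Transaction(20, "GROCER-01", 8100),
    Transaction(10, "GROCER-01", 6000),
    Transaction(9, "RENT-LANDLORD", 120000),
]

# Constructed: a routine purchase and a transfer of the kind MITB malware typically injects.
ROUTINE_TX = Transaction(12, "GROCER-01", 6000)
SUSPECT_TX = Transaction(3, "MULE-ACCT-77", 450000)


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_HISTORY)
    for tx in (ROUTINE_TX, SUSPECT_TX):
        score, reasons = risk_score(baseline, tx)
        print(tx.beneficiary, score, decide(baseline, tx), reasons)
```

Because the score is computed on the request as it reaches the server, the check is proactive in the sense the table contrasts with batch fraud detection: the suspicious transfer is parked for confirmation through a channel the browser does not control, which is exactly the OOB confirmation the earlier row recommends. A real engine would use more features and learned weights, but the structure (profile, score, hold-and-confirm) is the same.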



1 comment

  1. katy says:

    Very good info. Lucky me I ran across your blog by chance (stumbleupon).
    I’ve bookmarked it for later!
