Man-In-The-Middle

About Man-In-The-Middle

In a man-in-the-middle attack, the fraudster sits between the consumer and the website and can read, insert, and modify at will any traffic that passes between the two.

Man-in-the-middle attacks against consumers emerged as a response to websites adopting one-time-password mechanisms to authenticate consumers. With one-time passwords the consumer has a software or hardware device that generates a new password or access code for each login attempt. A one-time-password mechanism makes a phishing or pharming attack harder to execute, because the fraudster has only a limited timeframe in which the stolen sign-in credentials can be used. This forces fraudsters to move faster and sign into the consumer's account as soon as they capture the credentials.

To fight these "just-in-time" phishing and pharming attacks, some websites require the consumer to enter a new one-time password each time they are about to perform a sensitive operation on the website. Because the fraudster cannot generate additional one-time passwords, the attack fails.

However, fraudsters have found several ways around this defense, and man-in-the-middle is one of them. In a man-in-the-middle attack the consumer is directed to a proxy server controlled by the fraudster. The proxy server acts as a relay between the consumer and the attacked website, passing requests and responses back and forth. The fraudster can read all traffic, modify it, and even inject traffic on behalf of the consumer or the website. For example, the fraudster can wait until the consumer initiates a money transfer. When such a transaction occurs, the fraudster changes its destination account to the fraudster's own account. If the website requests another one-time password to approve the transaction, the fraudster forwards the request to the consumer and then forwards the consumer's response to the website; the one-time password is accepted because the consumer really did generate it, and the website cannot tell that the transaction it is approving is not the one the consumer saw. The fraudster can even hide from the consumer any information about the real transaction that is about to be executed.
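
The relay described above, as an added simulation that is not part of the original page and not Rapport's or any bank's code. The OTP seed, the account numbers and the six-digit HMAC-based code generator are constructed for the demo. The bank asks for a fresh one-time password before each transfer; the proxy swaps the destination account on the way in, shows the consumer the transfer they expected on the way back, and passes the consumer's code straight through. The block also goes one step beyond the text: with `bind_otp=True` the code is computed over the amount and destination the consumer sees, so a silently relayed code no longer matches what the bank received, which is why a fraudster facing such a scheme must fall back on social engineering.

```python
import hashlib
import hmac

# Constructed demo values: a seed shared by the consumer's OTP device and the
# bank, plus two account numbers. None of this is real data.
OTP_SEED = b"demo-seed-not-a-real-key"
CONSUMER_ACCOUNT = "1111"
FRAUDSTER_ACCOUNT = "9999"


def otp(counter: int, binding: str = "") -> str:
    """Six-digit counter-based code. With an empty binding it behaves like an
    ordinary login OTP; with transaction details in `binding` it becomes a
    transaction-bound code (the hardened variant)."""
    msg = counter.to_bytes(8, "big") + binding.encode()
    mac = hmac.new(OTP_SEED, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    """The attacked website. bind_otp=False is the per-operation OTP scheme
    from the text; bind_otp=True ties the code to amount and destination."""

    def __init__(self, bind_otp: bool = False):
        self.bind_otp = bind_otp
        self.counter = 0
        self.pending = None
        self.ledger = []  # completed transfers as (amount, destination)

    def request_transfer(self, amount: int, dest: str) -> dict:
        self.counter += 1
        self.pending = (amount, dest)
        # The challenge echoes the transfer details so the consumer can review them.
        return {"counter": self.counter, "amount": amount, "dest": dest}

    def confirm(self, code: str) -> bool:
        amount, dest = self.pending
        binding = f"{amount}:{dest}" if self.bind_otp else ""
        if hmac.compare_digest(code, otp(self.counter, binding)):
            self.ledger.append(self.pending)
            return True
        return False


class Consumer:
    """Holds the OTP device; answers challenges based only on what the page shows."""

    def __init__(self, bind_otp: bool = False):
        self.bind_otp = bind_otp

    def answer(self, challenge: dict) -> str:
        binding = f"{challenge['amount']}:{challenge['dest']}" if self.bind_otp else ""
        return otp(challenge["counter"], binding)


class Proxy:
    """The fraudster's relay. It forwards traffic in both directions but swaps
    the destination account on the way in and hides the swap on the way back."""

    def __init__(self, bank: Bank):
        self.bank = bank

    def request_transfer(self, amount: int, dest: str) -> dict:
        challenge = self.bank.request_transfer(amount, FRAUDSTER_ACCOUNT)
        return {**challenge, "dest": dest}  # show the consumer the transfer they intended

    def confirm(self, code: str) -> bool:
        return self.bank.confirm(code)  # the one-time password is simply passed through


def run_transfer(bind_otp: bool, via_proxy: bool) -> list:
    """Consumer sends 100 to their own account; returns the bank's ledger."""
    bank = Bank(bind_otp)
    consumer = Consumer(bind_otp)
    site = Proxy(bank) if via_proxy else bank
    challenge = site.request_transfer(100, CONSUMER_ACCOUNT)
    site.confirm(consumer.answer(challenge))
    return bank.ledger


if __name__ == "__main__":
    print("direct, plain OTP :", run_transfer(False, False))  # [(100, '1111')]
    print("relayed, plain OTP:", run_transfer(False, True))   # [(100, '9999')]
    print("relayed, bound OTP:", run_transfer(True, True))    # [] (code rejected)
    print("direct, bound OTP :", run_transfer(True, False))   # [(100, '1111')]
```

The relayed, plain-OTP run is the attack in the text: the bank's ledger records a transfer to the fraudster's account even though the consumer approved a transfer to their own, because the code the consumer typed is valid for the counter and carries nothing about the transaction. Only when the code covers the amount and destination does the swap become visible to the bank.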

How Rapport Protects Against Man-in-the-Middle

Rapport protects against man-in-the-middle attacks using its delivery confirmation layer. When the user accesses a Rapport-protected website, Rapport strongly authenticates the website and verifies that the connection between the browser and the website is direct and does not pass through the attacker. When a man-in-the-middle scenario is detected, Rapport transparently terminates the connection to the proxy server and diverts traffic directly to the real website.

Other Approaches to Man-in-the-Middle Protection

Other approaches to man-in-the-middle protection are based on out-of-band transaction confirmation. For example, for each operation the consumer performs, the website sends an e-mail or SMS message containing a confirmation code that the consumer must copy into the website.

There are many problems with out-of-band confirmation. First, both e-mail and SMS messages are unreliable and slow. The consumer may wait minutes, and sometimes forever, for the confirmation to arrive. This is a major issue when time is of the essence (e.g., stock-related operations). The entire process is cumbersome, and if consumers are required to go through it each time they perform an operation it also creates a serious usability problem. From a security perspective, a confirmation code only helps if the message states the details of the transaction (amount and destination) that the website is actually about to execute; a bare code is relayed through the proxy exactly like any other one-time password. Even then, these out-of-band channels can be bypassed using a combination of man-in-the-middle and highly effective social engineering attacks that persuade the consumer to approve the fraudster's transaction.