Man in the Browser—A Threat to Online Banking

The popularity of online banking has been on the rise. In 2005, Bob Sullivan of MSNBC quoted research figures from the Pew Internet and American Life Project, which showed that 53 million US citizens were banking online in 2004, and that online banking was the fastest growing Internet activity.¹ Now about eight years later, the customers subscribing to online banking services have increased worldwide—accompanied by threats and vulnerabilities. Hackers, fraudsters and other individuals with malicious intentions present numerous threats to online banking. These adversaries have led banks to adopt security countermeasures. Countermeasures adopted include (but are not limited to): ensuring that customers use strong passwords, providing virtual keyboards for entering login passwords, Secure Sockets Layer (SSL) encryption, sending customers information on how to avoid falling prey to malicious attackers and implementing two-factor authentication. One method adopted by adversaries to counter banks’ security measures for online banking is man-in-the-browser (MITB) attacks, which can grant success to an attacker despite the aforementioned countermeasures, especially two-factor authentication.

Two-factor Authentication

Many individuals have come to view two-factor authentication—the use of tokens and one-time passwords (OTPs)—as the ultimate solution in online banking security measures, a sort of holy grail for online banking security. Why is that so?

Fraud figures decreased significantly with the advent of two-factor authentication.² A hacker, for example, might be able to crack a customer’s login password, regardless of its strength, using commonly available tools, or could obtain login credentials through spear phishing, but if a token is required to effect a transaction, hackers would be unable to proceed unless they are in possession of the token. In the case of OTPs being received as a text message (via SMS) on a customer’s mobile phone, the hacker would have to have access to the mobile phone as well. (A hacker could also hack into the mobile phone; however, the probability is low that this type of attack would be used.) Hence, two-factor authentication has resulted in a significant reduction in the possibility of fraud being successful—providing a feeling of security for both the bank and the customer.

Then, MITB attacks came along.

Man-in-The-Browser Attacks

An MITB attack is essentially a man-in-the-middle (MITM) attack, but unlike typical MITM attacks, which usually occur at the protocol layer, MITB attacks are introduced between the user and browser.³ Malware, especially Trojans, is used to infect the browser. The malware is normally installed when a user clicks on an applet on a web site that he/she is duped into clicking because it claims that an update or other similar action is needed.⁴

MITB malware is mostly undetectable by current antivirus software, although it may be detected if protection levels are set very high, which would also inhibit many innocuous programs. MITB modifies a user’s content when an online banking site is visited by adding extra fields to the page in order to compromise second authentication mechanisms.⁵ In an MITB attack, the customer initiates a transaction, the attacker modifies the transaction using compromised credentials, the extra fields added by the malware alert the attacker and give the hacker control of the online banking interface, consequently manipulating the statement and account balance to reflect the customer’s intended transaction. Once the user uses a token to generate an OTP or receives it in a text message, the user enters the code and unknowingly authorizes the manipulated transaction thinking it was the correct one.

An illustration⁶ of this scenario is the fictional Mr. Ojo who, with a balance of US $2,500 in his account, logs into his bank’s online banking site to make a transfer of US $500 to his wife, who holds account number 12345. An MITB attacker intercepts the transaction and transfers US $2,000 to an accomplice, who has account number 54321. Data are manipulated to show the customer that he is transferring US $500 to account 12345 and the balance left in his account is US $2,000. To complete the transaction, Ojo needs to enter the OTP sent to his mobile phone; when completed, his online banking dashboard shows that he has successfully transferred US $500 to account 12345 and his balance is US $2,000. He receives an SMS alert to that effect, and his month-end statement says the same. Unfortunately, in reality, Ojo authorized a transfer of US $2,000 to account 54321 and his available balance is US $500.

MITB attacks are expensive to carry out; therefore, they are usually performed by well-funded and organized criminals.⁷ These criminals mostly target corporate account holders with high-volume transactions.⁸

MITB Mitigants

There are various methods for combating MITB attacks. The most effective weapons against MITB attacks are education and awareness. For example, MITB malware often requests logon credentials and a second-factor authentication mechanism to “train a new security feature” in order to compromise an account.⁹ Banks should inform their customers not to pay heed to such requests or seek further clarification from the bank before clicking on such a pop-up request. Customers should also generally avoid clicking update requests for any software without confirming the genuineness of such prompts. Some telltale signs of an MITB attack in progress include transactions taking longer than usual, a system slowing down and logon credentials being requested where they were not before.¹⁰

Another preventive measure for online banking interfaces is the bank sending a confirmation message (e.g., an SMS, email, call) to the customer describing the transaction to be consummated and requiring a confirmation within the next few minutes to accept it. It may be that the confirmation message comes with the OTP and entering the OTP is the way to confirm that the transaction is good. In the case of customer Ojo, he would receive an SMS with the OTP stating that he is about to transfer the sum of US $2,000 to (the hacker’s accomplice’s) account 54321. This would alert Ojo of the fact that something is wrong, and he can then stop the transaction and report it to his bank. However, this measure would be at risk if the attacker also compromises the customer’s mobile phone and modifies the confirmation message that would enable the customer to complete the transaction. Additionally, the attacker may also modify the confirmation message by means of the malware, as he did the statement and balance on the account.

Behavioral pattern monitoring can also provide an adequate deterrent to the success of MITB attacks. This involves server-side monitoring of customers’ transactions. Changes in the normal pattern of transacting, location within a session (e.g., change in IP address) or having multiple sessions within a very short time frame are possible indications of a criminal action, at which time the bank would hold the transaction and alert the customer of the possible compromise.¹¹ Criminals and other malicious individuals are always developing means to ensure that they are at least one step ahead of their targets; therefore, there is a need for constant monitoring and testing to avoid having that gap in any transaction.

Conclusion

A combination of customer education and awareness, use of confirmation alerts, and behavioral monitoring can provide an effective protection from MITB attacks and provide some margin of safety for online banking. These suggested measures of facing MITB are, by no means, exhaustive or infallible; other viable solutions are available.

Further research can be performed by banks and information security experts to solve the problem and ensure better protection against MITB attacks. The first line of defense remains awareness: banks educating their customers to avoid clicking on unusual requests claiming to be required for some form of update or the other. Customers should always seek clarification from their banks when they observe something different from what they are used to in their online banking interface. They should also raise alarms if their online banking transactions appear to be taking longer than usual to consummate, as this could be an indication that an MITB attack is in progress.

For their part, banks should also be more observant of customer transactions by closely monitoring behavioral patterns of customer transactions. This would enable them to track down any anomalies. Summarily, extra vigilance by both customers and banks can go a long way in mitigating against MITB attacks on online banking transactions.

References

• EMC Corporation, “RSA Offers Advanced Solutions to Help Combat Man-In-The-Browser Attacks,” USA, 2010, www.rsa.com/press_release.aspx?id=10943
• Beaver, K.; J. Shaw; Multifactor Authentication for Dummies, Quest Software Edition, Wiley Publishing Inc., USA, 2011
• Chickowski, Ericka; “Man in the Mobile Attacks Highlight Weaknesses in Out-of-band Authentication,” 2010, www.darkreading.com/authentication/167901072/security/application-security/227700141/man-in-the-mobile-attacks-highlight-weaknesses-in-out-of-band-authentication.html
• PR Newswire, “Winning the Fight Against Man-in-the-Browser—Entrust IndentityGuard Mobile Now Available,” 2012, www.prnewswire.com/news-releases/winning-the-fight-against-man-in-the-browser---entrust-identityguard-mobile-now-available-100753374.html
• HSBC India, “Online Security,” 2012, www.hsbc.co.in/1/2/personal/internet-and-self-service-banking/online-security
• Informa PLC, “HSBC’s New OTP Device for Online Banking Customers,” Banking Technology, 2011, www.bankingtech.com/bankingtech/article.do?articleid=20000201121
• Moskalyuk, A.; “Online Banking Usage Highest Among 18-24 year olds,” 2012, www.zdnet.com/blog/itfacts/online-banking-usage-highest-among-18-24-year-olds/8606
• Owen, Nick; “Does Two-factor Authentication Need Fixing?,” 2012
• Sengupta, Somini; “Computer Scientists Break Security Token in Record Time,” 2012, http://bits.blogs.nytimes.com/2012/06/25/computer-scientists-break-security-token-key-in-record-time/
• Sharp, John C.; “Man in the Browser Attacks—Worse Than Viruses?,” 2008, http://authentium.blogspot.com/2008/06/man-in-browser-attacks-worse-than.html

Endnotes

¹ Sullivan, Robert; “Click! Online Banking Usage Soars,” MSNBC.com, 2005, www.msnbc.msn.com/id/6936297/ns/business-online_banking/t/click-online-banking-usage-soars/#.T_f1KbXZCV8
² Kelly, Spencer; “Hackers Outwit Online Banking Security Systems,” BBC.com, 2012, www.bbc.com/news/technology-16812064
³ TriCipher Inc, “Threats: Man in the Browser,” 2009, www.tricipher.com/threats/man_in_the_browser.html
⁴ Sharp, John. C.; “Man in the Browser Attacks—Worse Than Viruses?,”2008, http://authentium.blogspot.com/2008/06/man-in-browser-attacks-worse-than.html
⁵ Prince, B.; “Understanding Man-in-the-Browser Attacks Targeting Online Banks,” 2010, http://securitywatch.eweek.com/exploits_and_attacks/understanding_man-in-the-browser_attacks.html
⁶ The illustration is entirely fictitious; names and figures used do not refer to any existing people.
⁷ Rouse, Margaret; glossary, SearchSecurity.com, 2006, http://searchsecurity.techtarget.com/definition/man-in-the-browser
⁸ Entrust Inc., “Defeating Man-in-the-Browser: How to Prevent the Latest Malware Attacks Against Consumer and Corporate Banking,” 2010, http://docs.bankinfosecurity.com/files/whitepapers/pdf/315_WP_MITB_March2010.pdf
⁹ Tarantola, Andrew; “New ‘Man in the Browser’ Attack Bypasses Banks’ Two-factor Authentication Systems,” 2012, http://gizmodo.com/5882888/new-man-in-the-browser-attack-bypasses-banks-two+factor-authentication-systems
¹⁰ Op cit, Kelly
¹¹ Op cit, Entrust Inc.

Dauda Sule, CISA, is the marketing manager at Audit Associates Ltd., a consultancy firm that specializes in designing and organizing training programs pertaining to auditing, fraud detection and prevention, information security and assurance, and anti-money laundering. Sule has five years of experience in the Nigerian banking industry and as a systems security and assurance supervisor at Gtech Computers.