How can you prevent Man-in-the-Browser attacks?

I read about MitB attacks, and some things bothered me about it.

From Wikipedia:

Using strong authentication tools simply creates an increased level of inappropriate confidence on the part of both the client and the bank that the transaction is secure. One of the most effective methods to combat the MitB attack is the process of out-of-band (OOB) transaction verification. This overcomes the MitB Trojan by verifying the details of the transaction as received by the host (bank) with the user (client) through a channel other than the browser.

Therefore, if I understand it correctly, the only really safe method is a browserless confirmation method (for example, a phone call or some other external tool).

Will an email be considered an OOB transaction? Or can MitB send a fake email?

Is there a way to prevent MitB with just code?

EDIT: I ask about this because our local banking system uses a physical key system: you click to get a number and then enter that number in a field in the transaction form.

I have no idea if this is considered safe, since it looks like the MitB attack just makes it look like everything you did is safe and correct, but in fact the form data was changed on submit and the transfer went to another bank account. Thus, the attacker will have access to this key number.

+7
security browser trojan
5 answers

Generally speaking, if your machine is infected, you are vulnerable no matter what.

A physical token or “out-of-band” token is designed to solve the problem of “identity” and gives the bank higher confidence that the person who logs in to the system is who they claim to be. Such a mechanism usually involves the use of a “one-time code”, so even if someone records a conversation with the bank, the token cannot be reused. However, if malware intercepts in real time, then it can maliciously manage the account after you have successfully logged in, but banks often require a new “code” every time you try to do something like transferring money from an account. Thus, the malware would have to wait until you do it legitimately, and then modify the request. However, most malware is not real-time and sends data to a third party for collection and subsequent use. Using these “one-time token” methods would successfully protect against this subsequent use of recorded login data, since the recorded data cannot be used later for logging in.

To answer your question, there is no way to protect against this with code alone. Everything you do can be specifically handled by the malware.

+1

Will an email be considered an OOB transaction?

Given the prevalence of email services such as GMail, I would say that even if the target of such an attack does not use webmail, an attacker who has control over the target's browser can forge a fake email, just as you suspect.

+2

In the article that is the subject of (and cited by) that Wikipedia article, step 1 of the “Attack Method” reads:

  • The Trojan infects the computer software, either the OS or the application.

So the answer to your question is “no”: after an OS infection, malware can (theoretically, at least) intercept your email.

As an aside, some client platforms (for example, mobile phones, not to mention dedicated point-of-sale terminals) are less susceptible to infection than others.

+1

I suppose you could use critical pieces of transaction information as part of the secondary or tertiary stage of transaction verification. That is, if I thought I told the bank account No. 12345 and it heard #54321 because the data was tampered with by this type of attack, a second check would not pass verification. It would also be possible for the bank to respond with something that is harder to change, for example an image containing the relevant information.

The point in these types of discussions is that it can always get more complicated. Email is not valid out-of-band because I have to imagine that I have a rootkit... if I stop that, I have to imagine that my OS is a guest OS running on an evil virtual machine... if I stop that, I think I should imagine the Matrix, and I can't trust everything that is needed to protect my Visa card with its $200 credit limit. :)

+1

This is my view of the man in the browser. The man in the browser looks like this:

  • The victim gets up, leaves his computer and turns his back on it, so he cannot touch the keyboard, move the mouse or even see the screen.
  • A hacker is sitting at the victim's computer.
  • If the victim wants to work with his computer, he must ask the hacker to do it for him. If he wants to see any result, he must ask the hacker to read the data on the monitor.
  • The hacker makes every effort to convince the user that he is doing what he is asked, and repeats what he sees. But imagine this situation with no mercy shown!

Man in the browser

As a simple case:

  • The victim may ask the hacker to fill out the transaction form as a transfer of $500 to his mother.
  • Instead, the hacker can type in a transfer of 10000USD to Jack. (Tampering with the form data before submitting.)
  • The system may display “I transferred 10000USD to Jack”, but the hacker says that 500USD went to Jack. (Tampering with the HTML result.)
  • The victim asks to see the balance of his account to make sure that the transfer is completed.
  • The hacker can say that the account balance is correct (this can be done, for example, by deleting the last row of the balance table and changing the balance amount in the HTML).

As for email:

  • You wait for an email message and ask the hacker whether you have an email confirmation from the bank.
  • As you do not see the monitor, he says yes. (Technically, he can generate fake emails easily. Even if you are sitting at another, clean computer, a fake email may still be sent to you.)

Image generation cannot prevent the attack either.

  • You ask the hacker: my bank should show me an image that displays information about the transfer; you can see it, what does it say?
  • Hacker's answer: Yes, I see it, it says “You transfer $500 to mom” (the image can easily be created by JavaScript, or the hacker can point the image URL at a server that generates a dynamic image with the corresponding data to deceive the user).

A very dangerous situation can happen when the man in the browser changes the flow of the site. In this case, even an OTP or keygen system cannot prevent the attack. For example:

  • You ask the hacker to show you your balance.
  • The hacker goes to the account transfer page and fills out the transfer form to transfer 10000USD to the slot (but you don't know what he is doing at all, you just wait); he arrives at the page that asks for the key. This is the key you must give him.
  • Now the hacker says: Well, the bank says that if you want to see your balance, you must enter the key.
  • You think that a key for viewing the balance seems strange, but you give the key anyway; you trust this guy!
  • The hacker switches back to the transfer form and uses the key to make the transfer.

So, as you can see, there is no pure server-side solution to the man in the browser on the user's side:

  • Use an out-of-band solution to inform the user of important information. (It's like taking a mobile phone in your hand: although your back is still turned to your computer, the confidential information is sent to your TRUSTED device and you can see the important details there.)
  • Use a hardened browser to make sure no one can change its behavior. (Sit at your computer yourself :))

Good examples of what can be done with MITB can be found at: http://www.tidos-group.com/blog/2010/12/09/man-in-the-browser-the-power-of-javascript-at-the-example-of-carberp/

+1
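The two defensive ideas raised in the answers above (binding the second verification step to the critical transaction details, and pushing those details to the user over an out-of-band channel) can be combined on the server side. The following is an added illustration, not code from any of the answers or from a real bank: the confirmation code is an HMAC over the transaction the server actually received, the out-of-band message (a stub that just appends to a list) carries those same details, and the user confirms only if they match what was intended. The field names, the 6-digit code format and the in-memory `pending` store are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed example: per-server secret; a real deployment would keep it in an HSM/KMS.
SERVER_KEY = secrets.token_bytes(32)

def canonical(tx):
    """Fixed field order, so the code is bound to exactly these values."""
    return f"{tx['from_acct']}|{tx['to_acct']}|{tx['amount_cents']}".encode()

def issue_code(tx, nonce):
    """6-digit code derived from the transaction the server received; a code issued
    for one transfer cannot be reused for a transfer with different details."""
    mac = hmac.new(SERVER_KEY, nonce.encode() + b"|" + canonical(tx), hashlib.sha256)
    return str(int.from_bytes(mac.digest()[:4], "big") % 1_000_000).zfill(6)

def start_transfer(received_tx, pending, send_oob):
    """Server step 1: record the request and send its details plus the code over
    the out-of-band channel. The message states what the SERVER saw, not what the
    (possibly tampered) browser page rendered."""
    tx_id = secrets.token_hex(8)
    code = issue_code(received_tx, tx_id)
    pending[tx_id] = (received_tx, code)
    send_oob(f"Transfer {received_tx['amount_cents'] / 100:.2f} to "
             f"{received_tx['to_acct']}? Code: {code}")
    return tx_id

def complete_transfer(tx_id, code, pending):
    """Server step 2: accept the code only for the pending transaction it was
    issued for, and only once (the entry is removed, so it cannot be replayed)."""
    tx, expected = pending.pop(tx_id, (None, None))
    if tx is None or not hmac.compare_digest(code, expected):
        return None
    return tx

def user_checks_oob(message, intended):
    """User step on the trusted device: type the code back only if the details in
    the out-of-band message match the transfer the user meant to make."""
    expect = f"Transfer {intended['amount_cents'] / 100:.2f} to {intended['to_acct']}?"
    if not message.startswith(expect):
        return None  # details differ: refuse to confirm
    return message.rsplit("Code: ", 1)[1]

def simulate(intended, submitted):
    """Run one transfer where the browser submitted `submitted` while the user
    intended `intended`; returns the executed transaction or a rejection."""
    pending, outbox = {}, []
    tx_id = start_transfer(submitted, pending, outbox.append)
    code = user_checks_oob(outbox[0], intended)
    if code is None:
        return "rejected by user"
    return complete_transfer(tx_id, code, pending)
```

Contrast this with the plain OTP/keygen flow described in the last answer: there the code is not tied to any transaction details, so the attacker can request it under the pretext of "showing the balance" and spend it on the transfer.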
