SlideShare a Scribd company logo

Man in the Browser attacks on online banking transactions

Download as PPTX, PDF
D
DaveEdwards12

The document discusses the threat of Man-in-the-Browser (MitB) attacks which combine elements of traditional man-in-the-middle attacks with malware that infects a user's browser, enabling attackers to steal sensitive information and alter transactions. It outlines the history of MitB, the dangers it poses, and various strategies for both end-users and banks to mitigate the risks, although many common protective measures are deemed ineffective against these types of attacks. The conclusion emphasizes the importance of security awareness and implementing out-of-band transaction verification to enhance user protection.

Technology
1 of 18
Downloaded 150 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
© iViZ Security Inc 0Apr 2013 Nilanjan De, CTO, iViZ Security Inc. Man in the Browser on Online Transactions & Prevention Strategies
© iViZ Security Inc 1Apr 2013 Overview • What is Man in the Browser(MITB) ? • How MITB can steal your money? • How can you be safe from MITB ? • Mitigation Strategies for Banks, Financial Institutions and other Application Owners
© iViZ Security Inc 2Apr 2013 Man in the Browser
© iViZ Security Inc 3Apr 2013 History • Initially demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds" • The name man-in-the-browser was coined by Philipp Gühring in 2007 • Study by Sharek et.al in 2008 finds that most Internet users (73%) cannot distinguish between real and fake pop up warning messages. Shows that users are soft targets • 2008 – Trojans like Clampi, Torpig, Zeus surface which have inbuilt MITB capabilities.
© iViZ Security Inc 4Apr 2013 Man in the Browser • Classic “Man in the Middle” attack – Typically in a “Man in the Middle” attack, the attacker or its agent lies between the victim client and the server. – can be defeated by encrypting traffic e.g., using SSL. • Compromised host with trojan/rootkit – Attacker typically exploits victim’s system and installs trojan to maintain full access to the OS and monitor activities of the user including logging keystrokes. – Cannot be defeated using encryption, however, it can be defeated using multi-factor authentication, eg, OTP or Biometric • Man in the browser – Deadly combination of the above two attacks – the agent/trojan installs itself as part of the victim’s client itself (ie, the browser) – Typically MITB is a Trojan or Malware in the form of BHO(Browser Helper Object)/Active- X Controls/Browser Extension/Add-on/Plugin. – Neither encryption nor OTP can defeat MITB attacks.
© iViZ Security Inc 5Apr 2013 MITB Transfer $1000 to Dad Transferred $1000 to Dad Alice Bank transfers $1000 to Dad
© iViZ Security Inc 6Apr 2013 MITB Transfer $1000 to Dad Transfer $1000000 to Hacker Alice Transferred $1000 to Dad Transferred $1000000 to Hacker Bank transfers $1000000 to HackerMITB Sends Trojan to infect Alice’s Browser
© iViZ Security Inc 7Apr 2013 Why MITB is dangerous? • It can read your identity, bank balance, banking passwords, debit/credit card numbers, session keys. • It can modify details of the transactions that you initiate • It can change your password or lock you out of your account • It bypasses all forms of multi-factor authentication or captcha or other forms of challenge response authentication
© iViZ Security Inc 8Apr 2013 As an end-user, how can I protect against MITB?
© iViZ Security Inc 9Apr 2013 Protection Strategies How? Effectiveness against MITB Why? Use strong password Not effective Malware can intercept the password or simply wait till the user has authenticated himself Basic Security Awareness, keep OS, Browser updated. Maybe Chances of getting infected by Malware is lower though still high if using vulnerable OS/Browser Using separate system for and only for Online banking Maybe Chances of getting infected by Malware is lower but it is inconvenient and requires strict discipline which is rare (even among many security experts) Use updated Anti- virus/Anti-malware Sometimes Depends on detection capability of anti- virus. Less likely to protect if the malware is new or is targeted.
© iViZ Security Inc 10Apr 2013 Protection Strategies How? Effectiveness against MITB Why? Hardened Browser in an USB drive Moderate Malware has less chance to infect the browser though not impossible. Recently there was news of a 0-day which was used against hardened Firefox. Also this may be inconvenient for corporates as USB drives are usually disabled for security reasons. Only do online banking with those banks who are aware of this threat and have implemented counter- measures. In the worst case, do not use online banking at all High
© iViZ Security Inc 11Apr 2013 Mitigation Strategies for Banks
© iViZ Security Inc 12Apr 2013 Safeguards How? Effectiveness against MITB Why? Enforce strong password Not effective Malware can intercept the password or simply wait till the user has authenticated himself Using Encryption, eg, SSL or client side encryption of password/transaction details Not effective Malware can intercept and modify the request/response Multi-factor authentication, eg, Biometric/OTP/Smart Card Not effective Malware can simply wait till the user has authenticated himself. CSRF Tokens, Frame- buster, Challenge response/captcha, etc Not effective
© iViZ Security Inc 13Apr 2013 SafeguardsHow? Effectiveness against MITB Why? Provide your customers with Hardened Browsers on USB also containing cryptographic smart tokens for authentication Moderate Smart tokens do not add to security against MITB but hardened browsers are more a more difficult target to infect. OTP token with Signature Yes User has to key in transaction details again on the OTP device which generates a signature based on the details, so it would not match if the MITB modifies the transfer request. However, it is inconvenient. OOB transaction details confirmation with OTP Yes Out of bank confirmation of the details by phone call or SMS with full details of the transaction ensures that the user can see the details of the transaction before proceeding.
© iViZ Security Inc 14Apr 2013 Passive Safeguards How? Effectiveness against MITB Why? IP Location tracking Not effective This is effective only when credentials are stolen and used from elsewhere. In case of MITB attack, the request comes from the genuine user’s browser so server cannot distinguish based on IP location of device profile. Device profiling Not effective Fraud Detection based on Transaction type and amount Sometimes Some banks have fraud detection based on transaction details. However, such detection is typically done as a batch process and not in real time and therefore any detection is normally much after the attack. Fraud Detection based on user behavior Good User profiling to create a baseline normal behavior so that abnormal behavior can be detected and user can be alerted before an actual transaction takes place.
© iViZ Security Inc 15Apr 2013 Conclusion • Man-in-the-browser attacks can be very dangerous • Security Awareness and best practices is required to protect oneself against getting infected with malware • Safeguards – Out of Band transaction verification containing transaction details along with OTP. Users need to be alert while doing transactions. – Fraud detection based on User behavior profiling.
© iViZ Security Inc 16Apr 2013 Questions?
© iViZ Security Inc 17Apr 2013 Thank You nilanjan@ivizsecurity.com http://www.ivizsecurity.com/

More Related Content

PPTX
McDonalds Case Study Presentation
NEETHU S JAYAN
 
PPTX
Pizza hut
Raghu Veer
 
KEY
McDonald's Strategy Presentation
Niklas Reinhold
 
PPTX
Presentation On Apple Inc
Sanaullah Mallick
 
PDF
Domino's pizza MIS SWOT HISTORY
Marwari college ranchi
 
ZIP
Introduction To Google By Butler, Turner And Lang Without Coverpage
turner098
 
PPTX
Tim Cook Apple inc. Leadership Concept
Ai Lun Wu
 
PPTX
Samsung, an introduction
nupsiii
 
McDonalds Case Study Presentation
NEETHU S JAYAN
 
Pizza hut
Raghu Veer
 
McDonald's Strategy Presentation
Niklas Reinhold
 
Presentation On Apple Inc
Sanaullah Mallick
 
Domino's pizza MIS SWOT HISTORY
Marwari college ranchi
 
Introduction To Google By Butler, Turner And Lang Without Coverpage
turner098
 
Tim Cook Apple inc. Leadership Concept
Ai Lun Wu
 
Samsung, an introduction
nupsiii
 

What's hot (20)

PPTX
Apple History
Pradeep Srinivas
 
PPTX
Mc Donald's Global Standardization Adaptation
AUEB MBA full-time alumni
 
PPTX
Strategic Management_Samsung
Holly Nmn
 
PPTX
Google Products Innovation
Institute of Management Studies UOP
 
PDF
Market Research on Apple
Zo Cayetano
 
PPTX
Presentation About Google
Rabbani Golam
 
PPTX
Google glass - New marketing trends
Lindsey Julienne
 
PPTX
Comprehensive analysis of marketing strategies of domino's
Sahiba Khurana
 
PPTX
Mc donalds india
Vaishnavi Meghe
 
PPTX
SAMSUNG ANYLYTICS PPT
11PriyanshuVerma
 
PDF
Rslinx classic portugues
John de Carvalho
 
PDF
Apple Marketing Analysis
Merveille Kazimoto
 
PPT
Ppt on dominos
Farhaad Khan
 
PDF
Marketing Management Short Notes
Rachit Sachdeva
 
DOC
Case Study Google
Christina Cecil
 
PPTX
Dell presentation
'Shantunu Ghosh'
 
PDF
Rise Fall Rise of Nokia Company
Prasidha Karki
 
PPTX
Touchless touch screen
Lovely Professional University
 
PPT
Work Culture at McDonalds
Gaurav Taranekar
 
PPTX
The Essential Drucker by Peter Drucker - Book Review
Almog Ramrajkar
 
Apple History
Pradeep Srinivas
 
Mc Donald's Global Standardization Adaptation
AUEB MBA full-time alumni
 
Strategic Management_Samsung
Holly Nmn
 
Google Products Innovation
Institute of Management Studies UOP
 
Market Research on Apple
Zo Cayetano
 
Presentation About Google
Rabbani Golam
 
Google glass - New marketing trends
Lindsey Julienne
 
Comprehensive analysis of marketing strategies of domino's
Sahiba Khurana
 
Mc donalds india
Vaishnavi Meghe
 
SAMSUNG ANYLYTICS PPT
11PriyanshuVerma
 
Rslinx classic portugues
John de Carvalho
 
Apple Marketing Analysis
Merveille Kazimoto
 
Ppt on dominos
Farhaad Khan
 
Marketing Management Short Notes
Rachit Sachdeva
 
Case Study Google
Christina Cecil
 
Dell presentation
'Shantunu Ghosh'
 
Rise Fall Rise of Nokia Company
Prasidha Karki
 
Touchless touch screen
Lovely Professional University
 
Work Culture at McDonalds
Gaurav Taranekar
 
The Essential Drucker by Peter Drucker - Book Review
Almog Ramrajkar
 
Ad

Viewers also liked (10)

PPT
CSI2008 Gunter Ollmann Man-in-the-browser
guestb1956e
 
PDF
Man In The Browser
Save Manos
 
PDF
How to Stop Man in the Browser Attacks
Imperva
 
PDF
Defeating Man-in-the-Browser Malware
Entrust Datacard
 
PPTX
Onlinetransaction
arikazukito
 
PPTX
Online transaction security (an undergraduate independent study)
Amila Gamanayake
 
PDF
No Free Lunch: Transactions in Online Games
James Gwertzman
 
PPTX
Online transaction
gouravharvande
 
PPT
Online Payment Transactions
pcomo2009
 
PPTX
Internet Banking
snehateddy
 
CSI2008 Gunter Ollmann Man-in-the-browser
guestb1956e
 
Man In The Browser
Save Manos
 
How to Stop Man in the Browser Attacks
Imperva
 
Defeating Man-in-the-Browser Malware
Entrust Datacard
 
Onlinetransaction
arikazukito
 
Online transaction security (an undergraduate independent study)
Amila Gamanayake
 
No Free Lunch: Transactions in Online Games
James Gwertzman
 
Online transaction
gouravharvande
 
Online Payment Transactions
pcomo2009
 
Internet Banking
snehateddy
 
Ad

Similar to Man in the Browser attacks on online banking transactions (20)

PDF
Man in-the-browser tectia-whitepaper
Hai Nguyen
 
PDF
Man-In-The-Browser attacks
Mário Almeida
 
PDF
Ijaci vol4 no1-maninbrowser
Hai Nguyen
 
PPT
Internet Banking Attacks (Karel Miko)
DCIT, a.s.
 
PDF
New Malicious Attacks on Mobile Banking Applications
DR.P.S.JAGADEESH KUMAR
 
PDF
9 3
Hai Nguyen
 
PPT
webbrowrtretretretretretertsersecurity.ppt
mark625251
 
PDF
Combat the Latest Two-Factor Authentication Evasion Techniques
IBM Security
 
PPTX
Cybersecurity _ Man in the Middle (MITM) Attack.pptx
Rejwana1
 
PPTX
Cybersecurity _ Man in the Middle (MITM) Attack.pptx
GulsanaBegumChowdhur
 
PPT
Cybercrime
deepika28g
 
PDF
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
Aditya K Sood
 
PPTX
Man in the middle attack (mitm)
Hemal Joshi
 
PPTX
E banking & security concern
Syed Akhtar-Uz-Zaman
 
PPTX
Electronic Banking
Gaurav Kanodia
 
PDF
Zsun
Hai Nguyen
 
PPTX
E banking security
Iman Rahmanian
 
PPT
ISS SA le presenta IdentityGuard Mobile de Entrust
Information Security Services SA
 
PPTX
Mobile banking priya (Om's Project).pptx
priyakariya2005
 
PDF
Study of Online Banking Security Mechanism in India: Take ICICI Bank as an Ex...
IOSR Journals
 
Man in-the-browser tectia-whitepaper
Hai Nguyen
 
Man-In-The-Browser attacks
Mário Almeida
 
Ijaci vol4 no1-maninbrowser
Hai Nguyen
 
Internet Banking Attacks (Karel Miko)
DCIT, a.s.
 
New Malicious Attacks on Mobile Banking Applications
DR.P.S.JAGADEESH KUMAR
 
9 3
Hai Nguyen
 
webbrowrtretretretretretertsersecurity.ppt
mark625251
 
Combat the Latest Two-Factor Authentication Evasion Techniques
IBM Security
 
Cybersecurity _ Man in the Middle (MITM) Attack.pptx
Rejwana1
 
Cybersecurity _ Man in the Middle (MITM) Attack.pptx
GulsanaBegumChowdhur
 
Cybercrime
deepika28g
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
Aditya K Sood
 
Man in the middle attack (mitm)
Hemal Joshi
 
E banking & security concern
Syed Akhtar-Uz-Zaman
 
Electronic Banking
Gaurav Kanodia
 
Zsun
Hai Nguyen
 
E banking security
Iman Rahmanian
 
ISS SA le presenta IdentityGuard Mobile de Entrust
Information Security Services SA
 
Mobile banking priya (Om's Project).pptx
priyakariya2005
 
Study of Online Banking Security Mechanism in India: Take ICICI Bank as an Ex...
IOSR Journals
 

More from DaveEdwards12 (11)

PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
DaveEdwards12
 
PDF
A Journey to Protect Points of Sale (POS)
DaveEdwards12
 
PDF
New realities in aviation security remotely gaining control of aircraft systems
DaveEdwards12
 
PDF
New realities in aviation security remotely gaining control of aircraft systems
DaveEdwards12
 
PPT
Insecurity in security products 2013
DaveEdwards12
 
PPT
Why current security solutions fail
DaveEdwards12
 
PPTX
Anatomy of business logic vulnerabilities
DaveEdwards12
 
PPTX
Using 80 20 rule in application security management
DaveEdwards12
 
PPTX
Top Application Security Trends of 2012
DaveEdwards12
 
PPTX
Vulnerability in Security Products
DaveEdwards12
 
PPTX
Insecurity in security products v1.5
DaveEdwards12
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
DaveEdwards12
 
A Journey to Protect Points of Sale (POS)
DaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
DaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
DaveEdwards12
 
Insecurity in security products 2013
DaveEdwards12
 
Why current security solutions fail
DaveEdwards12
 
Anatomy of business logic vulnerabilities
DaveEdwards12
 
Using 80 20 rule in application security management
DaveEdwards12
 
Top Application Security Trends of 2012
DaveEdwards12
 
Vulnerability in Security Products
DaveEdwards12
 
Insecurity in security products v1.5
DaveEdwards12
 

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Cloud computing and distributed systems.
kkkkkhan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 

Man in the Browser attacks on online banking transactions

  • 1. © iViZ Security Inc 0Apr 2013 Nilanjan De, CTO, iViZ Security Inc. Man in the Browser on Online Transactions & Prevention Strategies
  • 2. © iViZ Security Inc 1Apr 2013 Overview • What is Man in the Browser(MITB) ? • How MITB can steal your money? • How can you be safe from MITB ? • Mitigation Strategies for Banks, Financial Institutions and other Application Owners
  • 3. © iViZ Security Inc 2Apr 2013 Man in the Browser
  • 4. © iViZ Security Inc 3Apr 2013 History • Initially demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds" • The name man-in-the-browser was coined by Philipp Gühring in 2007 • Study by Sharek et.al in 2008 finds that most Internet users (73%) cannot distinguish between real and fake pop up warning messages. Shows that users are soft targets • 2008 – Trojans like Clampi, Torpig, Zeus surface which have inbuilt MITB capabilities.
  • 5. © iViZ Security Inc 4Apr 2013 Man in the Browser • Classic “Man in the Middle” attack – Typically in a “Man in the Middle” attack, the attacker or its agent lies between the victim client and the server. – can be defeated by encrypting traffic e.g., using SSL. • Compromised host with trojan/rootkit – Attacker typically exploits victim’s system and installs trojan to maintain full access to the OS and monitor activities of the user including logging keystrokes. – Cannot be defeated using encryption, however, it can be defeated using multi-factor authentication, eg, OTP or Biometric • Man in the browser – Deadly combination of the above two attacks – the agent/trojan installs itself as part of the victim’s client itself (ie, the browser) – Typically MITB is a Trojan or Malware in the form of BHO(Browser Helper Object)/Active- X Controls/Browser Extension/Add-on/Plugin. – Neither encryption nor OTP can defeat MITB attacks.
  • 6. © iViZ Security Inc 5Apr 2013 MITB Transfer $1000 to Dad Transferred $1000 to Dad Alice Bank transfers $1000 to Dad
  • 7. © iViZ Security Inc 6Apr 2013 MITB Transfer $1000 to Dad Transfer $1000000 to Hacker Alice Transferred $1000 to Dad Transferred $1000000 to Hacker Bank transfers $1000000 to HackerMITB Sends Trojan to infect Alice’s Browser
  • 8. © iViZ Security Inc 7Apr 2013 Why MITB is dangerous? • It can read your identity, bank balance, banking passwords, debit/credit card numbers, session keys. • It can modify details of the transactions that you initiate • It can change your password or lock you out of your account • It bypasses all forms of multi-factor authentication or captcha or other forms of challenge response authentication
  • 9. © iViZ Security Inc 8Apr 2013 As an end-user, how can I protect against MITB?
  • 10. © iViZ Security Inc 9Apr 2013 Protection Strategies How? Effectiveness against MITB Why? Use strong password Not effective Malware can intercept the password or simply wait till the user has authenticated himself Basic Security Awareness, keep OS, Browser updated. Maybe Chances of getting infected by Malware is lower though still high if using vulnerable OS/Browser Using separate system for and only for Online banking Maybe Chances of getting infected by Malware is lower but it is inconvenient and requires strict discipline which is rare (even among many security experts) Use updated Anti- virus/Anti-malware Sometimes Depends on detection capability of anti- virus. Less likely to protect if the malware is new or is targeted.
  • 11. © iViZ Security Inc 10Apr 2013 Protection Strategies How? Effectiveness against MITB Why? Hardened Browser in an USB drive Moderate Malware has less chance to infect the browser though not impossible. Recently there was news of a 0-day which was used against hardened Firefox. Also this may be inconvenient for corporates as USB drives are usually disabled for security reasons. Only do online banking with those banks who are aware of this threat and have implemented counter- measures. In the worst case, do not use online banking at all High
  • 12. © iViZ Security Inc 11Apr 2013 Mitigation Strategies for Banks
  • 13. © iViZ Security Inc 12Apr 2013 Safeguards How? Effectiveness against MITB Why? Enforce strong password Not effective Malware can intercept the password or simply wait till the user has authenticated himself Using Encryption, eg, SSL or client side encryption of password/transaction details Not effective Malware can intercept and modify the request/response Multi-factor authentication, eg, Biometric/OTP/Smart Card Not effective Malware can simply wait till the user has authenticated himself. CSRF Tokens, Frame- buster, Challenge response/captcha, etc Not effective
  • 14. © iViZ Security Inc 13Apr 2013 SafeguardsHow? Effectiveness against MITB Why? Provide your customers with Hardened Browsers on USB also containing cryptographic smart tokens for authentication Moderate Smart tokens do not add to security against MITB but hardened browsers are more a more difficult target to infect. OTP token with Signature Yes User has to key in transaction details again on the OTP device which generates a signature based on the details, so it would not match if the MITB modifies the transfer request. However, it is inconvenient. OOB transaction details confirmation with OTP Yes Out of bank confirmation of the details by phone call or SMS with full details of the transaction ensures that the user can see the details of the transaction before proceeding.
  • 15. © iViZ Security Inc 14Apr 2013 Passive Safeguards How? Effectiveness against MITB Why? IP Location tracking Not effective This is effective only when credentials are stolen and used from elsewhere. In case of MITB attack, the request comes from the genuine user’s browser so server cannot distinguish based on IP location of device profile. Device profiling Not effective Fraud Detection based on Transaction type and amount Sometimes Some banks have fraud detection based on transaction details. However, such detection is typically done as a batch process and not in real time and therefore any detection is normally much after the attack. Fraud Detection based on user behavior Good User profiling to create a baseline normal behavior so that abnormal behavior can be detected and user can be alerted before an actual transaction takes place.
  • 16. © iViZ Security Inc 15Apr 2013 Conclusion • Man-in-the-browser attacks can be very dangerous • Security Awareness and best practices is required to protect oneself against getting infected with malware • Safeguards – Out of Band transaction verification containing transaction details along with OTP. Users need to be alert while doing transactions. – Fraud detection based on User behavior profiling.
  • 17. © iViZ Security Inc 16Apr 2013 Questions?
  • 18. © iViZ Security Inc 17Apr 2013 Thank You nilanjan@ivizsecurity.com http://www.ivizsecurity.com/