Once established, the man-in-the-middle has complete control. He can modify instructions, for example transferring funds to a different account to that specified by the user. Most simply, he can simply cut the user off and submit whatever instructions he desires directly to the bank.
To combat this threat, it is necessary to move away from session-based security (based on a secure log-in), to message-based security (based on explicit authentication of individual transactions). Indeed, the APACS/MasterCard scheme permits the authentication of individual transactions. However, the man-in-the-middle is still able to substitute false transactions for authorisation, unbeknownst to the user, since the authorisation process is typically based on a'challenge' derived from the transaction and not the explicit transaction details themselves. Whilst offering a very useful interim defence against current attacks, in the longer term an alternative approach will be required.
Several vendors already offer the option of one-time-password distribution via SMS as a cost-effective alternative topassword-generating tokens. Whilst it is neither authenticated nor encrypted, it is in practice infeasible for an attacker to compromise both the SSL/TLS channel and the SMS channel to a particular user simultaneously. This independent channel also offers a way around the man-in-the-middle.
In this scenario, the user would log on using his username and password, exactly as he does today. For each transaction entered, a summary would be returned to the user together with a one-time-password, in the form of an SMS. For example, 'Pay £50 to British Gas a/c 12345? Confirm: ADJPEQ'. Any tampering with the transaction details would be evident at this point. Assuming all is correct, the user enters the one-time-password into his PC to confirm the transaction.
As well as thwarting man-in-the-middle attacks, this approach defends against another significant emerging threat, namely malicious 'Trojans' on the user's PC. Apart from being used in direct attacks, a user may claim infection in an attempt to repudiate a legitimate transaction. The mobile phone is a separate user interface, independent of the (possibly infected) PC, thereby effectively closing this vulnerability.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.