SlideShare ist ein Scribd-Unternehmen logo

How to identify and mitigate Man In The Middle (MITM) Attacks

Cognizant
Cognizant

This white paper explains the Man in the Middle (MitM) concept, highlights Man-in-the-Browser (MitB) and Man-in-the- Phone (MitP) attack techniques, and offers actionable advice to consumers and banks on ways to detect and mitigate the impact of such fraudulent intrusions.

BusinessTechnologieNews & Politik
1 von 5
Cognizant White Paper Identifying, Mitigating Man-in-the-Middle (MitM) Attacks Executive Summary A MitM attack can only succeed when the attacker can impersonate each victim to the To complete online banking transactions, satisfaction of the other. Most cryptographic consumers key-in credentials to authentic their protocols include some form of endpoint identities and gain website access to a host of authentication specifically to prevent MitM personal data and various banking applications. attacks. For example, SSL authenticates the But there is always a possibility that a criminal server using a mutually trusted certification is lurking in cyberspace or on the public phone authority. network to intercept these details using Man-in- the Middle (MitM) attack techniques. This white Typically during the attack, the attacker lures paper explains the MitM concept, highlights the end user to a fraudulent site via phishing, Man-in-the-Browser (MitB) and Man-in-the- DNS attacks, or other methods. Once there, the Phone (MitP) attack techniques, and offers attacker utilizes vulnerable authentication actionable advice to consumers and banks on methods (e.g., username/password, tokens) to ways to detect and mitigate the impact of such attack and replay the session — thus “stealing” fraudulent intrusions. the legitimate user’s ID. One way to prevent MitM attacks is to authenticate both the client Man-in-the-Middle Attack and server. The technology to implement a safe transaction utilizes x.509 certificates in a public The Man-in-the-Middle attack (often abbreviat- key infrastructure deployment. ed MitM) is a form of active eavesdropping in which the attacker makes independent connec- While MitM breaches have plagued online tions with the victims (typically end users and banking for some time, a new and more banks) and relays messages between them, insidious twist involves the Man-in-the-Browser making them believe that they are talking (MitB) and Man-in-the-phone (MitP) attacks. directly to each other over a private connection Let’s have at look at these forms of attack. when in fact the entire conversation is con- trolled by the attacker. Man-in-the-Browser To succeed, the attacker must intercept all Man-in-the-Browser (MitB) is a Trojan (e.g., non- messages transmitted between the two victims self-replicating malware) that infects a Web and substitute new ones. browser and has the ability to modify pages, white paper
How Man-in-the Middle Attacks Work End User Enterprise (Browser Based) Web Server Hacker Figure 1 modify transaction content or insert additional One of the most effective methods in combating transactions, all in a completely covert fashion a MitB attack is through an Out-of-Band (OOB) invisible to both the user and host application. A transaction verification process. This over- MitB attack can succeed irrespective of whether comes the MitB Trojan by verifying the transac- security mechanisms such as SSL/PKI and/or tion details, as received by the host (bank), to two- or three-factor authentication solutions the user (customer) over a channel other than are in place. The only way to counter a MitB the browser; typically an automated telephone attack is by utilizing transaction verification1 ,2. call. OOB transaction verification is ideal for mass market use since it leverages devices The MitB Trojan works by utilizing common already in the public domain (e.g., landline, facilities provided to enhance browser cell phone, etc.) and requires no additional capabilities such as browser helper objects etc., hardware devices, yet it enables “three-factor” and is therefore virtually undetectable to virus authentication (utilizing voice biometrics), scanning software. For example, in an Internet transaction signing and transaction verification. banking transaction such as a funds transfer, the customer will always be shown, via confirmation Here’s how a typical MitB attack works: screens, the exact payment information as keyed into the browser. When a MitB Trojan is applied to I Victim accesses the bank’s website to per- the transaction, the bank receives materially form an online banking transaction. altered instructions (i.e., a different destination I Enters Username for Identity authentication. account number and possibly amount). The use I Enters PIN details and submit request. of strong authentication tools primarily authenticates the validity of identity credentials I Typically as the page is rendered, software and creates an increased level of false now resident in the victim’s browser wakes up confidence on the part of both customer and (This malicious bit of code was installed bank that the transaction is secure. unknowingly on his machine (during the download of a screen saver or video clip). An example of a MitB threat is Silentbanker. I This software inserts few additional lines into Silentbanker is a Trojan horse that records the code — maybe five lines of JavaScript — an keystrokes, captures screen images, and steals alert box, a timer function, and maybe some confidential financial information to send to the in-page content -and sends a message to the remote attacker. hacker, far away. white paper 2
I What happens next looks perfectly normal. has started an authenticated session and is Upon loading, the alert box pops up — some- ready to transact, using the credentials con- thing like the dialog box pictured below — and tained in the message. says “Server synchronization in process... I The hacker gets all the essential details and please be patient”, accompanied by an ani- can login as the victim and move funds. mated GIF in the bank’s colors. I And sometimes, the crimeware is configured I Except at that moment, as the victim watches in such a way that it allows the hacker session the seconds pass, a hacker somewhere is to kick in when the victim “logs out”. receiving a timely message that the victim Anatomy of an MitB Attack Authentic Site Man-in-the-Middle Internet Revised chart to come User Spoofed Content Real Page Contents Request to Real Site Request to Spoofed URL Figure 2 Man-in-the-Phone deception during a phone conversation to convince an individual to divulge information. Telephone banking customers and banks need to be aware of a new low-tech, Man-in-the- Here’s how a typical MitP attack works: Phone (MitP), fraud technique being employed by criminals. I In a typical MitP attack, a fraudster imperson- ates a bank representative and calls the bank- MitP scams have observed at several large retail ing customer to inform him/her that his/her banks. These scams appear to have originally savings, checking or card account may have targeted British banks but this fraud is now been breached or compromised. spreading to the U.S. and Canada. I The fraudster advises the customer that to remedy the situation he/she should remain on MitP blends new and old fraud techniques to the line and verify a few account details. trick banking customers into authorizing transactions via the phone channel. MitP builds I At the same time, the fraudster initiates a call on the successes realized from MitB attacks in to the customer's bank and connects the cus- which criminals use Trojans to infect users' tomer with a real bank representative while Internet browsers to modify transaction content the fraudster remains muted on the line. or insert additional transactions, all in a I The bank requests authentication informa- completely covert fashion invisible to both the tion, such as social security number, pass- user and host application. MitP also leverages words and other personal information, which “social engineering,” by using trickery or is then provided by the customer. 3 white paper
I Once the personal information is provided, anomaly detection technologies with better call the fraudster quickly ends the conference line center processes and training. Call center and informs the customer that the issue has employees should be trained to listen more been resolved. closely and ask who originated the call. Attacks I Meanwhile, with the personal information may be thwarted or losses minimized if bank gathered during the call, the fraudster can employees ask simple (but random instead of take over the customer's phone banking rela- static) security questions at various points in tionship and transfer money out of the cus- the phone conversation when confirming tomer's accounts. personal credentials. Fraudsters are less likely to trick customers into sharing answers to several security questions. Precautions against MitP Attacks For consumers: It is recommended that banking Conclusion customers never share account or personal information with anyone that calls and requests As consumers shift more financial transactions to ”verify” banking credentials. Customers to secure online arenas, fraudsters have should always tell such callers that they will call become more creative in utilizing traditional the bank to provide such information using the telephones. Access through mail and telephone bank’s phone number listed on the back of an transactions grew from 3% of ID theft in 2006 ATM, debit or credit card. While this sounds to around 40% in recent years, and fraudsters obvious, many consumers do not take this simple are getting creative and leveraging new precaution. techniques, so consumers need to be as diligent as ever in protecting their personal information. For banks: It is recommended that banks combine cross-channel behavior profiling and Footnotes 1 The MitB threat was demonstrated by Augusto Paes de Barros in his presentation, “O futuro dos backdoors — o pior dos mundos”, covering backdoor website intrusions in September 2005. 2 Anointed MitB by Philipp Gühring in a white paper, “Concepts against Man-in-the-Browser Attacks” , published January 27, 2007. About the Author Dhananjay Sakhalkar is a consultant within the Cognizant Business Consulting, Wholesale Banking group. His areas of expertise include Payments & Cash Management, Financial Messaging, and Business Lending. Dhananjay has more than 12 years of experience in the areas of business consulting, application development, requirements gathering, project management, and is a PMP certified professional. He can be reached at Dhananjay.sakhalkar@cognizant.com. white paper 4
About Cognizant Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services. Cognizant's single-minded passion is to dedicate our global technology and innovation know-how, our industry expertise and worldwide resources to working together with clients to make their businesses stronger. With over 50 global delivery centers and more than 68,000 employees as of September 30, 2009, we combine a unique onsite/offshore delivery model infused by a distinct culture of customer satisfaction. A member of the NASDAQ-100 Index and S&P 500 Index, Cognizant is a Forbes Global 2000 company and a member of the Fortune 1000 and is ranked among the top information tech- nology companies in BusinessWeek's Hot Growth and Top 50 Performers listings. Start Today For more information on how to drive your business results with Cognizant, contact us at inquiry@cognizant.com or visit our website at www.cognizant.com. World Headquarters European Headquarters India Operations Headquarters 500 Frank W. Burr Blvd. Haymarket House #5/535, Old Mahabalipuram Road Teaneck, NJ 07666 USA 28-29 Haymarket Okkiyam Pettai, Thoraipakkam Phone: +1 201 801 0233 London SW1Y 4SP UK Chennai, 600 096 India Fax: +1 201 801 0243 Phone: +44 (0) 20 7321 4888 Phone: +91 (0) 44 4209 6000 Toll Free: +1 888 937 3277 Fax: +44 (0) 20 7321 4890 Fax: +91 (0) 44 4209 6060 Email: inquiry@cognizant.com Email: infouk@cognizant.com Email: inquiryindia@cognizant.com © Copyright 2009, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

Empfohlen

Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingCognizant
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesCognizant
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition EngineeredCognizant
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...Cognizant
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesCognizant
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateCognizant
 

Empfohlen

Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingCognizant
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesCognizant
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition EngineeredCognizant
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...Cognizant
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesCognizant
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateCognizant
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityCognizant
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersCognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalCognizant
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueCognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachCognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudCognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedCognizant
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the FutureCognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformCognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...Cognizant
 
The Timeline of Next
The Timeline of NextThe Timeline of Next
The Timeline of NextCognizant
 
Realising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainRealising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainCognizant
 
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardThe Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardCognizant
 
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearUse AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearCognizant
 
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...Cognizant
 
The Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyThe Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyCognizant
 
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareThe Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareCognizant
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 

Weitere ähnliche Inhalte

Mehr von Cognizant

The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityCognizant
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersCognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalCognizant
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueCognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachCognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudCognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedCognizant
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the FutureCognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformCognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...Cognizant
 
The Timeline of Next
The Timeline of NextThe Timeline of Next
The Timeline of NextCognizant
 
Realising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainRealising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainCognizant
 
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardThe Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardCognizant
 
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearUse AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearCognizant
 
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...Cognizant
 
The Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyThe Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyCognizant
 
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareThe Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareCognizant
 

Mehr von Cognizant (20)

The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 
The Timeline of Next
The Timeline of NextThe Timeline of Next
The Timeline of Next
 
Realising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value ChainRealising Digital’s Full Potential in the Value Chain
Realising Digital’s Full Potential in the Value Chain
 
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional ChessboardThe Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
The Work Ahead in M&E: Scaling a Three-Dimensional Chessboard
 
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw NearUse AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
Use AI to Build Member Loyalty as Medicare Eligibility Dates Draw Near
 
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
The Work Ahead in Banking & Financial Services: The Digital Road to Financial...
 
The Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital SupremacyThe Work Ahead in Insurance: Vying for Digital Supremacy
The Work Ahead in Insurance: Vying for Digital Supremacy
 
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of CareThe Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
The Work Ahead in Healthcare: Digital Delivers at the Frontlines of Care
 

Kürzlich hochgeladen

Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsShree Krishna Exports
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdflaloo_007
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxRoofing Contractor
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...NadhimTaha
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified Binance Account
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperityhemanthkumar470700
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...meghakumariji156
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptxnandhinijagan9867
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingNauman Safdar
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Omaninstagramfab782445
 

Kürzlich hochgeladen (20)

Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From Seosmmearth
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 

How to identify and mitigate Man In The Middle (MITM) Attacks

  • 1. Cognizant White Paper Identifying, Mitigating Man-in-the-Middle (MitM) Attacks Executive Summary A MitM attack can only succeed when the attacker can impersonate each victim to the To complete online banking transactions, satisfaction of the other. Most cryptographic consumers key-in credentials to authentic their protocols include some form of endpoint identities and gain website access to a host of authentication specifically to prevent MitM personal data and various banking applications. attacks. For example, SSL authenticates the But there is always a possibility that a criminal server using a mutually trusted certification is lurking in cyberspace or on the public phone authority. network to intercept these details using Man-in- the Middle (MitM) attack techniques. This white Typically during the attack, the attacker lures paper explains the MitM concept, highlights the end user to a fraudulent site via phishing, Man-in-the-Browser (MitB) and Man-in-the- DNS attacks, or other methods. Once there, the Phone (MitP) attack techniques, and offers attacker utilizes vulnerable authentication actionable advice to consumers and banks on methods (e.g., username/password, tokens) to ways to detect and mitigate the impact of such attack and replay the session — thus “stealing” fraudulent intrusions. the legitimate user’s ID. One way to prevent MitM attacks is to authenticate both the client Man-in-the-Middle Attack and server. The technology to implement a safe transaction utilizes x.509 certificates in a public The Man-in-the-Middle attack (often abbreviat- key infrastructure deployment. ed MitM) is a form of active eavesdropping in which the attacker makes independent connec- While MitM breaches have plagued online tions with the victims (typically end users and banking for some time, a new and more banks) and relays messages between them, insidious twist involves the Man-in-the-Browser making them believe that they are talking (MitB) and Man-in-the-phone (MitP) attacks. directly to each other over a private connection Let’s have at look at these forms of attack. when in fact the entire conversation is con- trolled by the attacker. Man-in-the-Browser To succeed, the attacker must intercept all Man-in-the-Browser (MitB) is a Trojan (e.g., non- messages transmitted between the two victims self-replicating malware) that infects a Web and substitute new ones. browser and has the ability to modify pages, white paper
  • 2. How Man-in-the Middle Attacks Work End User Enterprise (Browser Based) Web Server Hacker Figure 1 modify transaction content or insert additional One of the most effective methods in combating transactions, all in a completely covert fashion a MitB attack is through an Out-of-Band (OOB) invisible to both the user and host application. A transaction verification process. This over- MitB attack can succeed irrespective of whether comes the MitB Trojan by verifying the transac- security mechanisms such as SSL/PKI and/or tion details, as received by the host (bank), to two- or three-factor authentication solutions the user (customer) over a channel other than are in place. The only way to counter a MitB the browser; typically an automated telephone attack is by utilizing transaction verification1 ,2. call. OOB transaction verification is ideal for mass market use since it leverages devices The MitB Trojan works by utilizing common already in the public domain (e.g., landline, facilities provided to enhance browser cell phone, etc.) and requires no additional capabilities such as browser helper objects etc., hardware devices, yet it enables “three-factor” and is therefore virtually undetectable to virus authentication (utilizing voice biometrics), scanning software. For example, in an Internet transaction signing and transaction verification. banking transaction such as a funds transfer, the customer will always be shown, via confirmation Here’s how a typical MitB attack works: screens, the exact payment information as keyed into the browser. When a MitB Trojan is applied to I Victim accesses the bank’s website to per- the transaction, the bank receives materially form an online banking transaction. altered instructions (i.e., a different destination I Enters Username for Identity authentication. account number and possibly amount). The use I Enters PIN details and submit request. of strong authentication tools primarily authenticates the validity of identity credentials I Typically as the page is rendered, software and creates an increased level of false now resident in the victim’s browser wakes up confidence on the part of both customer and (This malicious bit of code was installed bank that the transaction is secure. unknowingly on his machine (during the download of a screen saver or video clip). An example of a MitB threat is Silentbanker. I This software inserts few additional lines into Silentbanker is a Trojan horse that records the code — maybe five lines of JavaScript — an keystrokes, captures screen images, and steals alert box, a timer function, and maybe some confidential financial information to send to the in-page content -and sends a message to the remote attacker. hacker, far away. white paper 2
  • 3. I What happens next looks perfectly normal. has started an authenticated session and is Upon loading, the alert box pops up — some- ready to transact, using the credentials con- thing like the dialog box pictured below — and tained in the message. says “Server synchronization in process... I The hacker gets all the essential details and please be patient”, accompanied by an ani- can login as the victim and move funds. mated GIF in the bank’s colors. I And sometimes, the crimeware is configured I Except at that moment, as the victim watches in such a way that it allows the hacker session the seconds pass, a hacker somewhere is to kick in when the victim “logs out”. receiving a timely message that the victim Anatomy of an MitB Attack Authentic Site Man-in-the-Middle Internet Revised chart to come User Spoofed Content Real Page Contents Request to Real Site Request to Spoofed URL Figure 2 Man-in-the-Phone deception during a phone conversation to convince an individual to divulge information. Telephone banking customers and banks need to be aware of a new low-tech, Man-in-the- Here’s how a typical MitP attack works: Phone (MitP), fraud technique being employed by criminals. I In a typical MitP attack, a fraudster imperson- ates a bank representative and calls the bank- MitP scams have observed at several large retail ing customer to inform him/her that his/her banks. These scams appear to have originally savings, checking or card account may have targeted British banks but this fraud is now been breached or compromised. spreading to the U.S. and Canada. I The fraudster advises the customer that to remedy the situation he/she should remain on MitP blends new and old fraud techniques to the line and verify a few account details. trick banking customers into authorizing transactions via the phone channel. MitP builds I At the same time, the fraudster initiates a call on the successes realized from MitB attacks in to the customer's bank and connects the cus- which criminals use Trojans to infect users' tomer with a real bank representative while Internet browsers to modify transaction content the fraudster remains muted on the line. or insert additional transactions, all in a I The bank requests authentication informa- completely covert fashion invisible to both the tion, such as social security number, pass- user and host application. MitP also leverages words and other personal information, which “social engineering,” by using trickery or is then provided by the customer. 3 white paper
  • 4. I Once the personal information is provided, anomaly detection technologies with better call the fraudster quickly ends the conference line center processes and training. Call center and informs the customer that the issue has employees should be trained to listen more been resolved. closely and ask who originated the call. Attacks I Meanwhile, with the personal information may be thwarted or losses minimized if bank gathered during the call, the fraudster can employees ask simple (but random instead of take over the customer's phone banking rela- static) security questions at various points in tionship and transfer money out of the cus- the phone conversation when confirming tomer's accounts. personal credentials. Fraudsters are less likely to trick customers into sharing answers to several security questions. Precautions against MitP Attacks For consumers: It is recommended that banking Conclusion customers never share account or personal information with anyone that calls and requests As consumers shift more financial transactions to ”verify” banking credentials. Customers to secure online arenas, fraudsters have should always tell such callers that they will call become more creative in utilizing traditional the bank to provide such information using the telephones. Access through mail and telephone bank’s phone number listed on the back of an transactions grew from 3% of ID theft in 2006 ATM, debit or credit card. While this sounds to around 40% in recent years, and fraudsters obvious, many consumers do not take this simple are getting creative and leveraging new precaution. techniques, so consumers need to be as diligent as ever in protecting their personal information. For banks: It is recommended that banks combine cross-channel behavior profiling and Footnotes 1 The MitB threat was demonstrated by Augusto Paes de Barros in his presentation, “O futuro dos backdoors — o pior dos mundos”, covering backdoor website intrusions in September 2005. 2 Anointed MitB by Philipp Gühring in a white paper, “Concepts against Man-in-the-Browser Attacks” , published January 27, 2007. About the Author Dhananjay Sakhalkar is a consultant within the Cognizant Business Consulting, Wholesale Banking group. His areas of expertise include Payments & Cash Management, Financial Messaging, and Business Lending. Dhananjay has more than 12 years of experience in the areas of business consulting, application development, requirements gathering, project management, and is a PMP certified professional. He can be reached at Dhananjay.sakhalkar@cognizant.com. white paper 4
  • 5. About Cognizant Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services. Cognizant's single-minded passion is to dedicate our global technology and innovation know-how, our industry expertise and worldwide resources to working together with clients to make their businesses stronger. With over 50 global delivery centers and more than 68,000 employees as of September 30, 2009, we combine a unique onsite/offshore delivery model infused by a distinct culture of customer satisfaction. A member of the NASDAQ-100 Index and S&P 500 Index, Cognizant is a Forbes Global 2000 company and a member of the Fortune 1000 and is ranked among the top information tech- nology companies in BusinessWeek's Hot Growth and Top 50 Performers listings. Start Today For more information on how to drive your business results with Cognizant, contact us at inquiry@cognizant.com or visit our website at www.cognizant.com. World Headquarters European Headquarters India Operations Headquarters 500 Frank W. Burr Blvd. Haymarket House #5/535, Old Mahabalipuram Road Teaneck, NJ 07666 USA 28-29 Haymarket Okkiyam Pettai, Thoraipakkam Phone: +1 201 801 0233 London SW1Y 4SP UK Chennai, 600 096 India Fax: +1 201 801 0243 Phone: +44 (0) 20 7321 4888 Phone: +91 (0) 44 4209 6000 Toll Free: +1 888 937 3277 Fax: +44 (0) 20 7321 4890 Fax: +91 (0) 44 4209 6060 Email: inquiry@cognizant.com Email: infouk@cognizant.com Email: inquiryindia@cognizant.com © Copyright 2009, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.