Eliminating Man-in-the-Browser Threats in Internet Banking (www.tectia.com)
WHY SHOULD YOU BE CONCERNED?
The increase in the popularity of Internet banking has
seen a corresponding rise in methods for stealing
personal and banking data. The cyber criminals have
refined their techniques to match the growing
sophistication of modern security solutions.
One of the first methods of cyber crime was to use
software for logging the keystrokes made by the user.
This was followed by more elegant mechanisms, such
as phishing and pharming, where users are directed to a
false web site and unsuspectingly provide their secure
information themselves.
The latest critical threat is known as Man-in-the-Browser,
a completely invisible and hard-to-detect attack that
allows cyber criminals to hijack web browser
connections and gather and alter users’ secure
information and transaction details.
As banks have enhanced their authentication systems,
phishing attacks have become less and less effective.
Conversely, Man-in-the-Browser attacks are set to
increase, heavily affecting consumers, businesses, and
financial institutions, and resulting in large financial
losses and litigation.
A recent FBI study highlighted that potential losses from
Trojans and other attacks against financial institutions
have already exceeded $100 million [1]. The Anti-Phishing
Working Group (APWG) recently reported more
than 56,000 unique phishing sites in August 2009 alone,
along with extremely rapid growth in malware variants
[2].
WHAT IS A MAN-IN-THE-BROWSER
ATTACK?
The “Man-in-the-Browser” is a Trojan horse that infects
the user’s web browser and has the ability to modify
pages, modify transaction content or insert additional
transactions, all in a completely covert fashion invisible
to both the user and host application.
Since the Man-in-the-Browser attack happens at the
application layer, the attack will be successful regardless
of whether security mechanisms such as SSL/PKI and/or
two- or three-factor authentication solutions are in place.
For example, as described in Figure 1, in online banking
transactions the customer is shown, via confirmation
screens, the correct payment information as entered into
the browser. The bank, however, will receive a
transaction with altered instructions, a different
destination account number and possibly a different
amount. The use of strong authentication or transaction
authentication numbers through the web-browser
interface simply creates a false sense of security for both
the customer and the bank that the transaction is secure.
Because of its silent and invisible nature, most traditional
defenses are rendered completely ineffective. It operates
between the web-browser security protocols and the
input of the user, which makes it very difficult to detect
through traditional virus-scanning methods. Examples of
well-known Man-in-the-Browser attacks include the Zeus
and Silentbanker Trojans, each of which has been
successfully installed on millions of PCs around the
world, and which have a proven record of successful
fraud. One example is an uncovered Zeus 3-driven
attack that defrauded customers of a major UK bank of
more than £600,000 [3].
HOW TO ELIMINATE THE THREAT?
What can be done if traditional virus scanners and tools,
or even the strongest authentication methods, cannot
effectively eliminate this threat?
USER-BEHAVIOR-BASED FRAUD DETECTION
One approach to solving this problem is to monitor and
analyze real-time user behavior on the application
interface. These kinds of fraud detection tools analyze all
user activity, how the pages are accessed, whether or
not the user is navigating too quickly or if there are any
suspicious page navigation patterns.
Passive safeguards are attractive because they are
invisible to end users and do not require any changes in
the end user systems or user experience. However,
these solutions may not necessarily scale to large
environments because of the amount of data that must
be analyzed. In addition, they may cause false alerts and
interruptions or, even worse, may fail to prevent fraud
attempts.
Figure 1: Man-in-the-Browser attack changing the web-site content
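As an added illustration of the kind of behaviour checks this section describes (example code, not from the original paper or from any product), the following Python script runs two simple checks over constructed session log lines: whether pages are loaded faster than a person plausibly could, and whether a payment was submitted without the confirmation page ever being viewed. The log format, the page names and the two-second threshold are assumptions of the example.

```python
import statistics
from collections import defaultdict

# Constructed log lines: "<unix seconds> <session id> <page>" (format assumed for the example)
LOG = """\
1000.0 s1 /login
1012.5 s1 /accounts
1031.0 s1 /payment/new
1078.2 s1 /payment/confirm
1085.0 s1 /payment/submit
2000.0 s2 /login
2000.4 s2 /payment/new
2000.9 s2 /payment/submit
3000.0 s3 /login
3001.0 s3 /accounts
3002.0 s3 /payment/new
3003.0 s3 /payment/confirm
3004.0 s3 /payment/submit
"""

MIN_HUMAN_INTERVAL = 2.0  # seconds; a median gap below this looks scripted (assumed threshold)


def parse_log(text: str) -> dict:
    """Group (timestamp, page) events by session, in time order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, sid, page = line.split()
            sessions[sid].append((float(ts), page))
    return {sid: sorted(events) for sid, events in sessions.items()}


def too_fast(events) -> bool:
    """Median time between page loads is below what a person plausibly needs."""
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    return bool(gaps) and statistics.median(gaps) < MIN_HUMAN_INTERVAL


def skipped_confirmation(events) -> bool:
    """A payment was submitted without the confirmation page being viewed first."""
    confirmed = False
    for _, page in events:
        if page == "/payment/new":
            confirmed = False          # a new payment form resets the state
        elif page == "/payment/confirm":
            confirmed = True
        elif page == "/payment/submit" and not confirmed:
            return True
    return False


CHECKS = (("too_fast", too_fast), ("skipped_confirmation", skipped_confirmation))


def flag_sessions(text: str) -> dict:
    """Return {session id: [reasons]} for every session that trips at least one check."""
    flagged = {}
    for sid, events in parse_log(text).items():
        reasons = [name for name, check in CHECKS if check(events)]
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(LOG).items():
        print(f"{sid}: {', '.join(reasons)}")
```

Session s2 trips both checks, while s3 is a plausible but quick human session that trips only the timing check; that second case is the false-alert problem the section raises, which is why timing alone is a weak signal and such tools weigh several behaviours together.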
ISOLATING THE WEB BROWSER OR SYSTEM
One way to ensure that your web browser cannot be
infected is to install the browser executable on a USB
stick and set the stick to read-only mode. This may
protect the web browser from infection, but what
happens if the USB stick browser is run on an already
infected system? Advanced Trojans and worms may hijack
the web connection even if the browser itself is
stored on a read-only USB stick. Furthermore, applying
this model to a large environment may become a
nightmare of USB stick management and browser
upgrades. Finally, many organizations have disabled
USB ports, making the deployment of this method even
more challenging.
SIGNATURE-BASED TRANSACTION VERIFICATION
Another option is to use a one-time password (OTP)
device that can electronically sign transaction details.
When the transaction takes place, the user is prompted
to enter the transaction details and the signature code is
calculated by the device. In this model a special
hardware unit must be provided to every user. This may
be very challenging for large Internet banking
environments and the operating costs of managing,
distributing, and supporting this hardware are very high.
OUT-OF-BAND TRANSACTION VERIFICATION
One of the most effective methods in defeating a Man-in-
the-Browser attack is through an out-of-band (OOB)
transaction verification process. Out-of-band verification
overcomes the Man-in-the-Browser Trojan by verifying
the transaction details, as received by the host (bank), to
the user (customer) over a channel other than the web
browser, typically an automated telephone call, SMS text
message or a mobile application.
In the transaction verification process, the user is not
only sent a confirmation code or one-time password, but
also a summary of the transaction: "Money transfer
€1,087.00 from account 12345678 to 87654321.
Confirmation code 193713". In this way the user can
check the transaction details and continue only if the
information is correct.
To further enhance the security of this approach, out-of-band
transaction verification can also be used to accept
confirmation codes only through the out-of-band
channel, for example by replying to the SMS text
message, making any kind of transaction modification
virtually impossible.
Figure 2: Out-of-band transaction verification
Out-of-band transaction verification is ideal for large
deployments since it leverages devices already in the
public domain (e.g. landline or mobile phone) and
requires no additional hardware devices.
Some out-of-band transaction verification solutions can
also be used to provide strong two- or three-factor user
authentication and transaction signing capabilities. This
also makes them ideal for combating other Internet
banking threats such as phishing, pharming or other
types of account misuse and connection hijacking
attempts.
HOW CAN TECTIA HELP?
Tectia Security Solutions provide the fastest track to
real-time information security. We help our customers
secure, automate, manage, and share real-time
information in large enterprise environments, both in the
intranet and extranet, with little or no modification to their
existing infrastructure and no disruption to business.
PREVENTING MAN-IN-THE-BROWSER AND OTHER
INTERNET BANKING THREATS
Tectia MobileID, a key product of Tectia Share
Solutions, is a strong two-factor authentication and
transaction verification solution that utilizes a wide
variety of easy and fast-to-deploy out-of-band
mechanisms such as SMS text messaging, mobile
phone applications and e-mail. A typical deployment of
Tectia MobileID in a banking environment is described in
the diagram below:
1. The user connects to the online banking service
using a web browser and logs in using his
credentials. The user checks his bank account
details and makes an online payment: €50 to
account 234567 of an electricity company.
The banking service sends the transaction details
to the user via the web browser.
2. Before executing the payment, the online banking
service also sends a transaction summary to
Tectia MobileID Server.
3. Tectia MobileID Server sends an SMS text
message containing the transaction summary to
the user over the mobile phone network.
4. The user receives the transaction summary on his
mobile device, checks that the summary matches
the transaction he made (€50 to account 234567)
and confirms the transaction either using the
mobile device or the web browser (using the
confirmation code given in the SMS message).
Figure 3: Deployment of Tectia MobileID
But what if the user's web browser is infected and a
Man-in-the-Browser Trojan is active? A simplified example of
a Man-in-the-Browser attack and how it can be detected
and eliminated using Tectia MobileID is described below:
1. The user connects to the online banking service
using a web browser and logs in using his
credentials.
a. Because a Man-in-the-Browser Trojan has
taken over the web browser, all the
information the user types (username,
password and strong authentication
credentials) passes through the Trojan, which is
completely invisible to both the user and the online
banking service.
b. Because there is no indication of anything
strange, the user checks his bank account
details and makes the online payment: €50 to
account 234567 of an electricity company.
c. Before the information is submitted to the
banking service, the Man-in-the-Browser
Trojan changes the amount and bank
account, and submits the modified form: €150
to account 176671.
d. The banking service sends the transaction
details to the user via the web browser (€150
to account 176671).
e. Again, the Man-in-the-Browser Trojan
modifies the information so that it matches
the information the user entered (€50 to
account 234567). Without out-of-band
verification the user is completely unaware
that the actual transaction the bank will
execute is something completely different
from what he intended.
2. Because the bank has out-of-band transaction
verification in use, the transaction summary is also
sent to the Tectia MobileID Server.
3. Tectia MobileID Server sends an SMS text
message containing the transaction summary to
the user over the mobile phone network.
4. Before confirming the transaction the user double-checks
the summary and notices the difference
between what he entered (€50 to account 234567)
and what is displayed on the mobile phone (€150
to account 176671).
The user realizes something is wrong and cancels
the transaction.
5. The bank is informed of the Man-in-the-Browser
attempt, either by the user calling customer service
or responding to the text message summary.
Figure 4: Tectia MobileID prevents a man-in-the-browser attack
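To make the flow described in the out-of-band verification section and in the Tectia MobileID scenario above concrete, the following Python model is added here as an example; it is not Tectia's code and uses no Tectia API. It consists of a generic bank server, a simulated SMS channel standing in for the mobile network, and a simulated browser that can be hijacked by a Trojan behaving as in steps 1c and 1e. The confirmation code is bound to the transaction exactly as the bank received it (an HMAC under a server-side key, an assumption of this example, not a description of any product), and the server can be set to accept codes only over the SMS channel, as the stricter variant describes. All class names, the code-derivation method and the sample amounts are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Payment:
    amount_cents: int
    to_account: str

    def summary(self) -> str:
        euros, cents = divmod(self.amount_cents, 100)
        return f"Money transfer €{euros:,}.{cents:02d} to account {self.to_account}"


class SmsChannel:
    """Constructed stand-in for the mobile phone network: the second, out-of-band channel."""
    def __init__(self):
        self.inbox = {}  # user -> list of received text messages

    def send(self, user: str, text: str) -> None:
        self.inbox.setdefault(user, []).append(text)


class BankServer:
    """Hypothetical bank back end (not Tectia's product) with OOB transaction verification."""
    def __init__(self, sms: SmsChannel, oob_only: bool = True):
        self._key = secrets.token_bytes(32)  # server-side secret binding codes to transactions
        self._pending = {}                   # txn_id -> Payment exactly as received from the browser
        self._sms = sms
        self.oob_only = oob_only             # stricter variant: codes accepted only via SMS reply

    def submit_payment(self, user: str, received: Payment) -> str:
        txn_id = secrets.token_hex(8)
        self._pending[txn_id] = received
        # The summary is built from what the bank received; nothing in the browser can edit it.
        code = self._code(txn_id, received)
        self._sms.send(user, f"{received.summary()}. Confirmation code {code}")
        return txn_id  # only the id goes back to the browser; the code travels over SMS

    def _code(self, txn_id: str, p: Payment) -> str:
        msg = f"{txn_id}|{p.amount_cents}|{p.to_account}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def confirm(self, txn_id: str, code: str, channel: str) -> str:
        p = self._pending.get(txn_id)
        if p is None:
            return "rejected: unknown or already closed transaction"
        if self.oob_only and channel != "sms":
            return "rejected: confirmation accepted only over the out-of-band channel"
        if not hmac.compare_digest(code, self._code(txn_id, p)):
            return "rejected: confirmation code does not match this transaction"
        del self._pending[txn_id]
        return f"executed: {p.summary()}"

    def cancel(self, txn_id: str) -> str:
        p = self._pending.pop(txn_id, None)
        return f"cancelled: {p.summary()}" if p else "rejected: unknown transaction"


class Browser:
    """Simulated browser. If `hijack` is set, a Trojan rewrites the submitted form to that
    payment (step 1c) and repaints the confirmation page with what the user typed (step 1e)."""
    def __init__(self, bank: BankServer, hijack: Optional[Payment] = None):
        self.bank, self.hijack = bank, hijack

    def pay(self, user: str, typed: Payment):
        submitted = self.hijack or typed
        txn_id = self.bank.submit_payment(user, submitted)
        page = typed.summary() if self.hijack else submitted.summary()
        return txn_id, page


def user_verifies(intended: Payment, sms_text: str) -> bool:
    """Step 4: the user compares the SMS summary with the payment they meant to make."""
    return sms_text.startswith(intended.summary() + ".")


def run_scenario(trojan_active: bool) -> dict:
    sms = SmsChannel()
    bank = BankServer(sms)
    hijack = Payment(15_000, "176671") if trojan_active else None  # €150 to 176671
    intended = Payment(5_000, "234567")                             # €50 to 234567
    txn_id, page = Browser(bank, hijack).pay("alice", intended)
    text = sms.inbox["alice"][-1]
    if user_verifies(intended, text):
        outcome = bank.confirm(txn_id, text.rsplit(" ", 1)[1], "sms")  # reply with the code
    else:
        outcome = bank.cancel(txn_id)  # mismatch noticed on the phone: the user cancels
    return {"browser_page": page, "sms": text, "outcome": outcome}


if __name__ == "__main__":
    for active in (False, True):
        print(f"Trojan active: {active}", run_scenario(active), sep="\n  ")
```

In both runs the browser page shows "€50.00 to account 234567", which is why the confirmation screen alone cannot be trusted; only the SMS reveals the €150 transfer that the bank actually holds, and with `oob_only` set, a code typed into the browser is refused even when it is correct.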
By using Tectia MobileID and out-of-band transaction
verification, Man-in-the-Browser attacks can be
recognized and eliminated, and customer transactions
safeguarded.
Furthermore, the same solution can be used to provide
strong two-factor authentication to minimize phishing
attempts, Man-in-the-Middle attacks and account
misuse.
CUT COSTS AND ACTIVATE NEW USERS QUICKLY
AND EFFORTLESSLY
The Tectia solution uses the most readily available and
easy to use authentication device, the end user’s
existing mobile phone. Since there is no need for any
additional hardware, the costs related to distributing,
maintaining, and replacing security tokens or other
devices are completely eliminated. Tectia MobileID is a
tokenless solution offering the easiest and fastest route
to secure two-factor authentication and transaction
verification.
TECTIA MOBILEID FITS ALL CORPORATE NEEDS
The capabilities of Tectia MobileID and the Tectia
Solution are not limited to securing Internet banking
applications. Tectia MobileID can be used to secure all
corporate services where strong authentication is
needed, such as VPN access, partner portals, remote
system administration or web mail access.
ABOUT TECTIA
Tectia is a modern, sales-driven, customer-oriented
organization. Our core focus is on understanding
customer problems and on proposing relevant solutions
to address their information security challenges while
meeting business targets.
We help customers choose the right solutions to address
their organizational information security needs across a
variety of complex environments, in the public and
private sectors in multiple industries worldwide.
Our suite of information security solutions addresses four
main areas of business and is named accordingly:
Secure, Automate, Manage, and Share.
Our customers can be confident that our solutions
provide:
• Fast, flexible and secure real-time information
exchange and communication
• Visibility and control of vital data exchanges
• Confidence in meeting and maintaining audit
requirements and beyond
• Reduced cost and risk
• Solid customer loyalty and brand integrity
Tectia solutions ensure that our customers can create a
Circle of Trust in which all of their stakeholders can
share information and conduct business confidently and
securely. As we say: Your People. Your Secrets.
Protected.
REFERENCES
[1] Compromise of User's Online Banking Credentials Targets
Commercial Bank Accounts, Internet Crime Complaint Center
Nov 3, 2009.
[2] Phishing Activity Trends Report, Anti-Phishing Working
Group, Q3 2009.
[3] Major UK bank's online customers hit by £600,000-plus
Zeus 3 fraud.