Man in the browser
Posted by Jonas Elfström Mon, 26 Nov 2007 20:40:00 GMT
There's some buzz about a new trojan technique called "Man in the browser". The trojan plugs itself into the user's browser and intercepts the HTML before it is displayed. This has all sorts of implications; for instance, the SSL certificate will still appear valid, because the tampering happens inside the browser after the connection has been decrypted.
Even if your virus protection does not detect the "Man in the browser", there are still ways to be quite safe. If your bank uses a security token that you not only log in with but also use to sign your transactions, the attack will most likely fail. One problem is that it is up to you, the user, to actually verify that you are signing the expected amount to the expected accounts. To get protection against someone who has complete control over your computer, the security protocol must "communicate" with the security token in both directions.
It is not enough to let the user enter only the total value of the transactions: the token's answer to such a simple value could be reused (during a short period of time), and the attack could be crafted to keep the correct total but send it to other accounts. By asking the user to also sign every new account, the attacker will not be able to hide a transaction to his account.
The challenge is to make the security protocol clear and simple enough that the user understands both what response to expect from the bank and what the bank expects from him.
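As an added example (not from the original post), here is a small Python model of the two signing schemes described above: an amount-only token response, and one that also binds the destination account and a bank-issued challenge. The shared secret, the HMAC-based token design, the 8-digit code format and the account identifiers are constructed assumptions.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the key inside the user's token
# (real tokens keep it in tamper-resistant hardware; this is not a real key).
TOKEN_SECRET = b"constructed-token-secret"


def token_sign(secret: bytes, challenge: str) -> str:
    """Token response: HMAC over the challenge, shortened to an 8-digit code
    the user can type into the bank's page (assumed token design)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def weak_challenge(tx: dict, nonce: str) -> str:
    """Amount-only challenge: the response does not depend on the destination
    and, without a nonce, the same code is valid for any transfer of that amount."""
    return f"amount={tx['amount']}"


def strong_challenge(tx: dict, nonce: str) -> str:
    """Challenge binding the destination account, the amount and a bank-issued
    nonce, so the token's response is tied to this one transaction."""
    return f"nonce={nonce}|to={tx['to']}|amount={tx['amount']}"


def bank_verify(challenge_fn, tx: dict, nonce: str, code: str) -> bool:
    """The bank recomputes the expected code for the transaction it actually
    received and compares it in constant time with the code the user typed."""
    expected = token_sign(TOKEN_SECRET, challenge_fn(tx, nonce))
    return hmac.compare_digest(expected, code)


def mitb_scenario() -> dict:
    """The user signs the transfer they entered; a man-in-the-browser swaps the
    destination account before it reaches the bank, keeping the amount intact."""
    intended = {"to": "ACCT-USER-INTENDED", "amount": 500}    # constructed
    tampered = {"to": "ACCT-ATTACKER-CTRL", "amount": 500}    # constructed
    nonce, later_nonce = "nonce-0001", "nonce-0002"           # constructed
    weak_code = token_sign(TOKEN_SECRET, weak_challenge(intended, nonce))
    strong_code = token_sign(TOKEN_SECRET, strong_challenge(intended, nonce))
    return {
        "weak_accepts_tampered": bank_verify(weak_challenge, tampered, nonce, weak_code),
        "strong_accepts_intended": bank_verify(strong_challenge, intended, nonce, strong_code),
        "strong_accepts_tampered": bank_verify(strong_challenge, tampered, nonce, strong_code),
        "strong_accepts_replay": bank_verify(strong_challenge, intended, later_nonce, strong_code),
    }
```

The amount-only scheme accepts the rerouted transfer, while the bound scheme rejects both the rerouted transfer and a later replay of the same code.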
It's the usual three: have a firewall, updated virus protection and a secure bank with a digital security token where you sign your transactions, and maybe you can sleep a little better.