Counter-measures against Man-in-the-Browser attacks: Things to keep in mind while doing Online Bank

Description Effectiveness against MITB Why? Use strong password or passphrase which is easier for you to remember but difficult for other to guess and change them at regular intervals. Not effective MITB malware can intercept the password from Browser directly or simply wait till user is authenticated. Enable and use multi-factor authentication Not effective Ensure SSL certificates are valid and trusted (Green Lock) Not effective Basic Security Awareness, Keep OS, Browser updated. Maybe Chances of getting infected by Malware by Social Engineering attacks or Client-side exploits are lower. Using separate system for and only for Online banking Maybe Chances of getting infected by Malware is lower but it is inconvenient and requires strict discipline which is rare (even among many security experts) Use updated Anti-virus/Anti-malware Sometimes Depends on detection capability of anti-virus. Less likely to protect if the malware is new or is targeted. Hardened Browser in an USB drive Moderately effective MITB Malware has less chance to infect the browser though it is still possible using 0-day exploits. Recently there was news of one such 0-day which was used against hardened Firefox. Also this may be inconvenient for corporates as USB drives are usually disabled for security reasons. Be alert while doing Online banking and always read all transaction details and/or errors that you receive though the offline verification before proceeding with any transaction. Promptly inform your Bank if you notice any discrepancies. Moderately Effective Typically Banks that are aware of MITB attacks would send you details of your transaction though an Out-of-band channel (phone/sms). You should verify the details carefully before proceeding. Recent MITB attacks have become even smarter and suggest the victims to install malicious mobile application for online banking such that the malware can intercept and even change such Out of band messages. In a nutshell, as an end-user, you have very little options to be fully secure against Man-in-the-browser attacks and so it makes sense to do online banking only with those banks that are aware of this threat and have implemented counter-measures. In the worst case, do not use online banking at all if your Bank has not implemented any safeguards against Man-in-the-browser attack. In the next part we will list some of the security strategies that Banks can implement to safeguard their Customers.

Read this interesting article that talks about some precautions that one should take while doing online banking including counter-measures against Man-in-the-Browser attacks.

Related Articles - Man in the Browser, Safe Online Banking,

Email this Article to a Friend! Receive Articles like this one direct to your email box! Subscribe for free today!