
How to prevent Man-in-the-Middle attacks

Frank Hamerlinck
May. 17, 2021

Man-in-the-Middle (MITM) attacks have become a very popular method for hackers to gain access to sensitive information, steal credentials or infect endpoints, for instance for ransomware attacks. For retail banks or other financial service companies, Man-in-the-Middle attacks are a true nightmare as ever more people are using mobile devices to perform financial transactions. TrustBuilder Mobile Authenticator brings unique Multi-Factor Authentication (MFA) features that can prevent this type of attack.



MFA is your best defense against Man-in-the-Middle attacks

A Man-in-the-Middle attack happens when a hacker intercepts communication between two parties who think they are communicating directly. This can happen, for example, when you log into a public Wi-Fi access point in a restaurant, a bar or any other public place. The access point you are using may be an attacker's device posing as a legitimate Wi-Fi connection. At that moment, that access point becomes a Man-in-the-Middle.

Why are Man-in-the-Middle attacks dangerous?

By redirecting all your traffic through that malicious device, the Man-in-the-Middle can do a number of things:

  • Steal credit card numbers;
  • Capture and store all information that you send for later analysis;
  • Learn your credentials for login to your bank account;
  • Steal your personal information to use for identity theft;
  • Manipulate the content of what you are sending – for instance by changing the recipient’s bank account number and the amount of a transfer you are making;
  • Redirect you to malicious websites that are hosting malware, for instance to infect you with ransomware.

This type of attack does not only happen in communication between people and servers. Increasingly, MITM attacks happen in machine-to-machine (M2M) communication. The explosion in the number of Internet of Things (IoT) devices being deployed is a dream come true for hackers.

By the way, Man-in-the-Middle attacks are not always carried out by hackers for financial gain. State organizations have been found using the technique to spy on their own citizens or on other states' citizens. And in the Syrian civil war, MITM attacks succeeded in breaking down a core part of the Syrian internet infrastructure, leaving part of the country without internet access.

How can you prevent Man-in-the-Middle attacks?

MITM attacks are an old technique. When internet access was still very expensive, companies used proxies to reduce costs. A website would be temporarily downloaded to the proxy server, and the user would access this 'local' version of the website. If a special request was made, the proxy would contact the server for the updated results. A MITM attack uses this same technique: the hacker stores a local copy of the server on his proxy. If the victim then wants to wire an amount, the hacker can alter this information before it reaches the real server, without the user ever realizing he is not accessing his banking app directly.

Security specialists have been looking for solutions to this for the last couple of decades. Encrypting data is an obvious form of defense, but not 100% effective: a hacker may still be able to redirect you to malicious sites to infect your endpoint and gain access to your corporate network later. Other mechanisms that are often recommended include using VPNs, firewalls, antivirus and antimalware software, password managers, etc. And, of course, it does help to raise users' awareness not to click on suspicious links and to keep all software patched and updated. However, all of these defense techniques may be found lacking when it comes to fending off all Man-in-the-Middle attacks.

Why TrustBuilder Mobile Authenticator is your best defense against Man-in-the-Middle attacks

The PSD2 regulation imposes Strong Customer Authentication (SCA) for financial transactions, and this has certainly given a boost to the use of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA). But as we know, OATH authenticators (which rely on shared secrets) are not always safe, nor are One-Time Passwords (OTP) sent over SMS.

TrustBuilder Mobile Authenticator is safer than these other methods, as we use Out-of-Band authentication: when you want to perform a transaction, you ask the application you are using to send you a push notification. This push notification is sent over a different channel than the connection to the app. This means a Man-in-the-Middle cannot intercept, change or use this push notification. TrustBuilder Mobile Authenticator combines this with asymmetric cryptography and device binding, making security airtight.
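To make the device-binding and asymmetric-cryptography step concrete, here is an added illustration; it is not TrustBuilder's code and assumes an Ed25519 key pair generated on the phone at enrollment, with the server pushing the transaction details out of band for the user to review and sign. Because the approval signature covers the beneficiary and the amount, a transfer altered anywhere between the app and the server no longer verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transfer is the transaction the server asks the user to confirm (out of band).
type Transfer struct {
	Beneficiary string `json:"beneficiary"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"` // server-chosen, so an old approval cannot be replayed
}

// canonical returns the exact bytes both sides sign and verify.
// Struct field order fixes the JSON output, so the encoding is deterministic.
func canonical(t Transfer) []byte {
	b, _ := json.Marshal(t)
	return b
}

// Device holds the key pair created at enrollment; the private key never leaves the phone.
type Device struct{ priv ed25519.PrivateKey }
// Server stores only the public key, bound to that enrolled device.
type Server struct{ pub ed25519.PublicKey }

// Enroll models device binding: the phone generates a key pair and registers the public half.
func Enroll() (Device, Server) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{priv}, Server{pub}
}

// Approve is what the device does after the user reviews the pushed details and confirms.
func (d Device) Approve(t Transfer) []byte { return ed25519.Sign(d.priv, canonical(t)) }

// Verify checks the approval against the transfer the server actually holds.
func (s Server) Verify(t Transfer, sig []byte) bool { return ed25519.Verify(s.pub, canonical(t), sig) }

func main() {
	dev, srv := Enroll()
	t := Transfer{"BE00 0000 0000 0000", 12500, "n-1"} // constructed sample values
	sig := dev.Approve(t)
	fmt.Println("genuine approval verifies:", srv.Verify(t, sig))
	tampered := t
	tampered.AmountCents = 999900 // amount changed in the path between app and server
	fmt.Println("tampered transfer verifies:", srv.Verify(tampered, sig))
}
```

The same check also rejects a signature produced by any other device, since the server only trusts the public key registered at enrollment.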

Besides protecting against Man-in-the-Middle attacks, TrustBuilder Mobile Authenticator brings a lot of extra advantages to both consumers and financial service companies, or any other company interested in combining user experience with ultimate security. Check out our TrustBuilder Mobile Authenticator for more on Multi-Factor Authentication or contact us for more information.

As co-founder of global trade management leader Porthus, customer experience platform NGDATA, and strategic consulting services company innacco, Frank embodies the entrepreneurial mindset. His 20+ years of ICT experience is complemented by his position as ‘Entrepreneur in Residence’ at iMinds and coach at Netwerk Ondernemen.
