How Banks Can Combat Man in the Middle Attacks

OneSpan Team

Digital banking has soared in popularity over the last few years, and it is showing no signs of slowing down. A report looking at the UK finance landscape in 2020 found that only 7.7% of UK banking customers prefer in-branch visits, with the vast majority preferring to use online or mobile channels. As a result, bank branches across the UK have been closing down, with Which? estimating that the UK’s bank branch network has shrunk by a third in the past five years. This year alone 247 branch closures are due in the UK.

This trend towards digital has been fueled by the customer-centric, digital-only challenger banks, such as Monzo, Revolut and Starling, which claim close to 20 million customers between them. In recent months, the global coronavirus pandemic has also forced many consumers to adopt digital banking platforms if they weren’t using them before, as stay-at-home measures have prevented easy access to bank branches.

While digital banking has improved the overall customer experience, it has also widened the attack surface for cybercriminals, with threats such as man-in-the-browser or man-in-the-middle attacks becoming more common and having serious consequences for customers. Fortunately, there is a range of technologies banks can implement to help defend against such threats without compromising the user experience of digital banking.

Man in the Middle Attacks

These attacks occur when a cyber-criminal is able to intercept communications between a customer’s device and the banking server. The criminal is then able to alter the details of the transaction, such as the amount and intended bank account, without the customer noticing. As a result, a standard £100 transaction could turn into a £10,000 transaction that’s wired directly into the criminals’ bank account.

There are several ways criminals can intercept communications, but one common example is when a customer is using a public WiFi hotspot. These are often insecure, and are easy for cybercriminals to infiltrate. So when a customer makes a transaction using a public WiFi network, they may be unknowingly sharing sensitive financial transaction data through a network controlled by a cybercriminal.

Combatting Man in the Middle Attacks through Regulation

In Europe, the Revised Payment Services Directive (PSD2) has pushed banks and financial institutions to evolve their online and mobile banking offerings, introducing a range of security requirements designed to counter man in the middle attacks.

For example, PSD2 has set out requirements for Strong Customer Authentication (SCA) in addition to dynamic linking, which is also known as transaction data signing. The dynamic linking requirement protects a transaction in three parts.

First, it requires that the payer authenticate the transaction data they have entered, such as the amount and the payee, and confirm that it is correct. An authentication code is then generated that is linked to the transaction data, so that any change in the transaction details would invalidate the code.

Second, the confidentiality and integrity of the transaction data needs to be protected throughout the authentication process, so a bad actor cannot intercept and alter the details. This ensures the authentication code is generated based on authentic transaction details.

Finally, the customer needs to be aware of the transaction data they are asked to authenticate. This means that the transaction data needs to be presented to the customer at the time of authorization.

Combatting Man in the Middle Attacks through Technology

Cronto technology is one way banks can verify transactions and protect customers against man in the middle attacks. Cronto is available through a mobile app and secures the communication channel between the customer and the bank to protect the transaction data from being altered. The data is then presented in plain text so the user can confirm it corresponds with their intended transaction before generating an authentication code based on the transaction’s details.

Only the bank is able to generate the encrypted image, and it can only be decrypted by the user’s mobile device. This unique approach to transaction verification simplifies the experience because it reduces the user interaction required to authenticate a transaction – customers simply point their phone at the screen to scan the image – essentially a color QR-like image – and enter a response code into the browser. This allows all of the encrypted transaction details to be communicated between the bank and customer without the risk of interception or tampering by hackers.
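The three parts of dynamic linking described under the regulation heading, and the scan-and-respond flow described just above, as an added illustration in Python. This is not OneSpan’s or Cronto’s code and it does not reproduce Cronto’s image encoding or cryptography; it assumes a per-device symmetric key shared with the bank at enrollment, HMAC-SHA256 for both the bank’s challenge tag and the device’s 8-digit response code, and constructed transaction data. The scenarios show the honest flow, a code reused for an altered transaction (rejected by the bank), and a challenge rewritten in transit (rejected by the device before anything is shown to the customer).

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed demo key. In a real deployment each device gets its own secret at
# enrollment, stored on the phone; the bank keeps the matching copy per customer.
DEVICE_KEY = hashlib.sha256(b"constructed-demo-device-key").digest()


@dataclass(frozen=True)
class Transaction:
    payee_iban: str
    amount_minor: int   # amount in minor units (pence), so no float rounding
    currency: str
    reference: str


def canonical(tx: Transaction) -> bytes:
    """Deterministic encoding: the same transaction always yields the same bytes."""
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, label: bytes, nonce: str, tx: Transaction) -> bytes:
    # Domain-separated MAC so a challenge tag can never be replayed as a response.
    msg = label + b"|" + nonce.encode() + b"|" + canonical(tx)
    return hmac.new(key, msg, hashlib.sha256).digest()


def bank_make_challenge(key: bytes, tx: Transaction, nonce: str) -> dict:
    """Bank side: bind the submitted transaction to a one-time nonce and tag it."""
    return {"nonce": nonce, "tx": asdict(tx),
            "tag": _mac(key, b"challenge", nonce, tx).hex()}


def device_verify_challenge(key: bytes, challenge: dict) -> Optional[Transaction]:
    """Device side: accept the challenge only if the bank's tag checks out."""
    tx = Transaction(**challenge["tx"])
    expected = _mac(key, b"challenge", challenge["nonce"], tx).hex()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return None  # forged or altered in transit: show nothing to the user
    return tx


def display_for_confirmation(tx: Transaction) -> str:
    """What the customer must read and approve before a code is produced."""
    return f"Pay {tx.amount_minor / 100:.2f} {tx.currency} to {tx.payee_iban} ({tx.reference})"


def device_response_code(key: bytes, nonce: str, tx: Transaction) -> str:
    """8-digit code derived from the exact details the customer approved."""
    mac = _mac(key, b"response", nonce, tx)
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify_response(key: bytes, nonce: str, tx_on_record: Transaction, code: str) -> bool:
    """Bank side: recompute the code over the transaction it holds and compare."""
    return hmac.compare_digest(device_response_code(key, nonce, tx_on_record), code)


# --- Scenarios (constructed data) ---------------------------------------------
INTENDED = Transaction("GB29NWBK60161331926819", 10_000, "GBP", "rent")    # £100.00
ALTERED = Transaction("GB00XXXX00000000000000", 1_000_000, "GBP", "rent")  # £10,000.00
NONCE = "6f1c2a9d0b3e4f57"  # constructed; the bank would draw a fresh random one per challenge


def scenario_honest() -> bool:
    challenge = bank_make_challenge(DEVICE_KEY, INTENDED, NONCE)
    shown = device_verify_challenge(DEVICE_KEY, challenge)
    code = device_response_code(DEVICE_KEY, NONCE, shown)
    return bank_verify_response(DEVICE_KEY, NONCE, INTENDED, code)


def scenario_code_reused_for_altered_transaction() -> bool:
    # The customer approved INTENDED; the same code is then submitted with ALTERED.
    challenge = bank_make_challenge(DEVICE_KEY, INTENDED, NONCE)
    shown = device_verify_challenge(DEVICE_KEY, challenge)
    code = device_response_code(DEVICE_KEY, NONCE, shown)
    return bank_verify_response(DEVICE_KEY, NONCE, ALTERED, code)


def scenario_forged_challenge() -> bool:
    # The bank holds ALTERED, but the challenge is rewritten in transit to show INTENDED.
    challenge = bank_make_challenge(DEVICE_KEY, ALTERED, NONCE)
    challenge["tx"] = asdict(INTENDED)
    return device_verify_challenge(DEVICE_KEY, challenge) is not None


if __name__ == "__main__":
    print(display_for_confirmation(INTENDED))
    print("honest flow accepted:", scenario_honest())
    print("code reused for altered transaction accepted:", scenario_code_reused_for_altered_transaction())
    print("forged challenge accepted by device:", scenario_forged_challenge())
```

The detail that makes the linking work is that both the challenge tag and the response code are computed over the canonical bytes of the transaction: a payee or amount changed anywhere along the path produces a different MAC, so the bank cannot accept the code and the device cannot be shown data the bank did not sign. A third case, where the attacker alters the request before the bank ever sees it, is covered by the display step: the device shows the altered details and the customer declines.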

As a result, banks can offer a quick, user-friendly security solution that protects customers, ensures compliance and ultimately improves the user experience.


This article, authored by David Vergara, Senior Director of Product Marketing, first appeared August 20, 2020 on FinanceDerivative.com

The OneSpan Team is dedicated to delivering the best content to help you secure tomorrow's potential. From blogs to white papers, ebooks, webinars, and more, our content will help you make informed decisions related to cybersecurity and digital agreements.