The biggest cyber threat you've never heard of

As more and more companies jump on the third-party API bandwagon in financial services, two things will increase: 1) service innovation, and 2) the attack surface for hackers. Every new app or service that provides an innovative way for consumers to access their bank accounts over the internet provides another opportunity for hackers to perpetrate MitM (man-in-the-middle) attacks.

The purpose of an MitM attack is for the hacker to secretly position himself in the middle of a digital connection between the user and the bank’s web server/API. In this scenario, the attacker hacks into code that runs outside the firewall. This allows the man-in-the-middle to steal data, gain access to the bank’s back-end systems, inject malware, or commit all sorts of nefarious acts.

You may not be familiar with MitM attacks because they don’t get a lot of attention currently. There are three main reasons for this: 1) most MitM attacks appear to result in nothing more than petty theft; 2) most organizations don’t have the technology to understand if a larger attack was caused by MitM; and 3) most organizations simply aren’t paying attention to attacks that occur outside the firewall.

Assessing your vulnerability

Regardless of whether they receive the attention they deserve, MitM attacks are quite easy to perpetrate. And research shows that a significant percentage of existing HTTPS-protected (SSL/TLS) internet connections are vulnerable to them. This gives attackers a number of options for hacking into the connection between the user and web server/API.

And as the payments & banking landscape opens up, and consumers increasingly make payments or access accounts via the web and mobile devices, this attack surface will grow. As a result, we anticipate MitM attacks will have a much more significant impact on the industry in the not too distant future.

To illustrate just how significant their impact could become, we’ve outlined the specific vulnerabilities and methods available to hackers looking to perpetrate an MitM attack.

We’ve divided the vulnerabilities and methods into two basic categories:

Purely Technical Approaches

Social Engineering Approaches

What follows is a description of the methods in each category and ultimately our advice on how to mitigate this growing threat.

Purely technical approaches

MitM attacks that rely on a purely technical approach don’t require users to make a mistake, and anyone can be vulnerable to them.

Zero Day vulnerabilities in browsers

While web browsers do adhere to certain security standards, software is complex. As a result, new exploits, known as Zero Day vulnerabilities, are continuously being found in web browsers. Zero Day means that once a hacker finds one, the vendor has zero days to fix it. In the last few years, browser vendors have definitely made their browsers more secure. But each year new vulnerabilities are found, and fixed, and then more are found again.

The problem is, the average browser is made up of millions of lines of code. No one human can understand it all, so it’s become incredibly hard to ensure that there are no weaknesses. There are tools that try to solve this, but none of them can catch all the bugs. New approaches using machine learning (also called AI) may help, but for the foreseeable future Zero Day flaws will continue to be found in browsers at regular intervals.

Zero Days are very relevant for breaking HTTPS, as typically once a Zero Day is discovered, it will be used (often via advertising banners) to install malware on a consumer’s computer. The malware will then do a range of things including breaking HTTPS and logging keystrokes.

TLS/SSL breaks

TLS/SSL are the cryptographic foundation of security on the internet, but they are definitely not flawless. Over the last few years there have been several breaches of both the design and implementation of TLS (all with odd names), including:

Extrapolating from this would suggest we’re going to get a steady stream of similar breaches over the next few years. Once the encryption is broken, it becomes possible to MitM any client-to-server internet connection. It can be argued that TLS will get more secure over time, but so far it hasn’t.

Incorrectly issued ‘trusted’ certificate

TLS/SSL relies on certificate authorities (CAs) to work. These are the companies that certify that when a user connects to ‘www.mybank.com,’ they are actually talking to their bank. Each web browser vendor (Microsoft, Apple, Google, Mozilla) has a list of approved certificate authorities they trust by default. These trusted authorities are required to issue certificates only to legitimate companies. But it doesn’t always happen that way.

The issue is in how the CA verifies the company. There have been repeated issues with legitimate certificate authorities issuing certificates (in error) to illegitimate third parties who are impersonating a legitimate banking site. This can happen due to weak verification processes, or in some cases it has appeared to be deliberate. When this is spotted, the CA gets ‘told off’ by the browser vendors, but in most cases they are just made to apologize and told not to do it again.

The end result is that hackers have managed to get certificates that let them MitM legitimate websites and use them for profit. There are a number of upcoming web standards designed to make this more difficult to do (e.g. HSTS), but many sites are not using them yet as they’re hard to configure reliably.
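As an added example (not the article's own code), a small Python checker that parses a Strict-Transport-Security (HSTS) header, the standard the article mentions, and flags settings that leave the mitigation weak. The one-year threshold and the sample header values are assumptions, not figures from the article.

```python
# Added example: parse and assess an HSTS response header (RFC 6797 syntax).
# The one-year threshold and the sample values below are assumptions.
ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age worth enforcing


def parse_hsts(header_value):
    """Split an HSTS header value into its directives.

    Returns a dict with 'max-age' (int or None) and booleans for
    'includeSubDomains' and 'preload'. Directive names are case-insensitive;
    a quoted max-age value is accepted, anything non-numeric is rejected.
    """
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(header_value):
    """Return a list of findings; an empty list means the policy is strong."""
    if header_value is None:
        return ["no HSTS header: first visit and downgrade are unprotected"]
    policy = parse_hsts(header_value)
    findings = []
    age = policy["max-age"]
    if age is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif age < ONE_YEAR:
        findings.append("max-age below one year: protection lapses quickly")
    if not policy["includeSubDomains"]:
        findings.append("includeSubDomains absent: subdomains can still be downgraded")
    if policy["preload"] and (age is None or age < ONE_YEAR or not policy["includeSubDomains"]):
        findings.append("preload set but policy does not meet preload-list requirements")
    return findings


# Constructed sample headers (not captured from any real site)
SAMPLES = {
    "weak": "max-age=300",
    "strong": "max-age=63072000; includeSubDomains; preload",
    "cleared": "max-age=0",
}
```

Note that a browser only learns the policy after one successful HTTPS visit, so the header alone does not protect the very first connection; that is what the preload list is for.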

Acquisition of vendor-issued ‘trusted’ certificate

A variant of getting a CA to issue a certificate is to find the private key for a certificate that has been trusted by the user. Most users are not aware of this, but many computers have extra certificates installed and trusted by their IT department or third-party software. For example, if an organization uses Microsoft Active Directory, there is a good chance someone has installed a certificate authority for that and their local intranet. Another example is Dell, which for several years had such a certificate installed on some of its computers.

This matters because if that certificate’s private key is not protected (and unfortunately it often isn’t), and a hacker gets it, they can intercept all of the user’s HTTPS traffic.

Social engineering approaches

Social engineering approaches combine technical ‘tricks’ with getting the computer user to do something that makes hacking them much easier. It’s surprisingly easy to convince people to do things that allow their computer to be hacked.

Convince user to install MitM certificate

Many legitimate wifi hotspots require users to install either software or a certificate to access them. This is especially common in emerging markets (but relatively rare in Europe/North America). The purpose of this is to allow the wifi hotspot owner to inspect all secure traffic, e.g. to prevent misuse. However, the same certificate also allows the hotspot owner to MitM all of the user’s connections, view any data they see and potentially trigger sites to perform actions as the user.

With a ‘legitimate’ wifi hotspot this probably won’t happen. However there is a device known as a Wifi Pineapple available for $99 that can be used as either a security testing tool, or more nefariously, to mimic a legitimate wifi network. The hacker simply has to install the Wifi Pineapple on their computer via its easy-to-use GUI, and then set up shop in a public area that offers free wifi. A user will see the hacker network as a choice in their wifi settings, and if they select it, they will be asked to install an MitM certificate from it. The hacker can then intercept and modify anything the user sees.

Keep in mind, the user has had to do something ‘silly’ for this to happen—namely install the MitM SSL certificate (a simple double click). But it’s generally quite easy to convince people that a certificate is legitimate. Relying on a consumer’s IT knowledge to keep them safe from hackers is a strategy based on hope, which is as good as having no strategy at all.

Convince user to install software

Asking a user to install an MitM certificate is not the only way to ‘break’ HTTPS. Another way to achieve this is to ask them to install some software. Typically this software takes the form of a Trojan Horse. For example, some wifi hotspots ask the user to download a ‘security’ or ‘connection manager’ program. These can be harmless, or they could install the tools required to intercept the user’s HTTPS communications.

Malicious browser extensions

Browser extensions enhance browsers with additional features, enabling users to modify web pages and integrate their browser with other services they use. Users typically install them from extension stores. Once installed, they can often see all the pages viewed by the user. This allows the hacker to bypass the protections of HTTPS and collect all the data served on the page.

The main protection against this is the browser vendors themselves, who police the extension stores for malicious extensions. However, their policing is far from perfect. Some malicious extensions do sneak through and they can generally acquire data from consumers for some time before being noticed.

A variant of this attack is when an attacker ‘buys’ (usually for a very small sum) an existing popular extension from its developer. The new owner then issues an ‘upgrade’ with malicious code. This allows attackers to quickly distribute their code to many browsers.

Addressing the challenge

Should we just give up and go back to pen and paper as the Dutch government has decided to do for their upcoming elections?

Probably not.

Securing computers from attackers was described by the comedian John Oliver as “dancing on the edge of a volcano trying desperately not to fall in,” and to some degree this is true. Computer systems are now sufficiently complicated to ensure that there will probably never be a useful and totally secure system again.

However, we don’t need total security. This concept doesn’t exist in the physical world and we get by just fine. What we need is an assessment of the risks, alongside mitigations and active responses that limit the damage an attacker can do. Techniques are starting to appear that reduce the risks (Cloaked.JS from Irdeto) and make it significantly less lucrative for hackers to do damage. This combined with a ‘defense in depth’ approach, can get us to the point where we control the risks and losses to an acceptable level.