Man-in-the-Middle Attack Prevention Strategies for Financial Institutions
A man-in-the-middle (MITM) attack happens when a bad actor intercepts traffic as it’s transmitted from point to point. The cybercriminal may be simply listening to network traffic, or they may also engage in active eavesdropping on communication and data transfer. They can then modify the traffic for malicious purposes, without either party (usually a service/system and a user) becoming aware that the link between them has been compromised.
Cybercriminals launch MITM attacks to steal personal information, including credit card details, account numbers, and other credentials. Financial institutions are usually primary targets because of the sensitive data they handle. Information stolen during an attack can serve many purposes, including an unauthorized password change, fund transfers, or even identity theft. Furthermore, the information stolen can help the bad actor gain a major foothold during the infiltration phase of an advanced persistent threat (APT) assault.
How Man-in-the-Middle Attacks Work
Stage 1: Interception
An attacker first intercepts traffic sent through the network before it reaches its intended destination. The simplest way for someone to intercept data is by eavesdropping on a user who logs onto an unencrypted Wi-Fi connection. These hotspots offer no guarantee of security and aren't password-protected, displaying a name relevant to their approximate location and inviting anyone to connect. Once someone does, the attacker can monitor the ongoing data exchanges.
Cybercriminals seeking more targeted data might launch an active attack through various ways:
- Internet Protocol (IP) spoofing occurs when an attacker alters the source address in a packet's IP headers to disguise their system as a trusted one. Consequently, users trying to access a valid URL end up on the attacker's website instead.
- Address Resolution Protocol (ARP) spoofing occurs when an attacker sends falsified ARP responses for a given IP address. This way, the victim machine will populate its ARP cache with the MAC address of the attacker’s machine, and not that of the local router’s MAC address. The machine will thus send all of its network traffic to the attacker instead of through the real network gateway.
- Domain Name System (DNS) spoofing involves impersonating legitimate server destinations to redirect a domain’s traffic to a malicious website by infiltrating a DNS server. As a result, users attempting to browse a certain website are sent to the attacker's website instead.
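The ARP spoofing technique above leaves a visible trace on the victim's segment: the gateway's IP address suddenly answers from a different MAC, and one MAC starts answering for several IPs. The following detector, an added example that is not part of the original article, runs those two checks over a constructed stream of observed ARP replies (the gateway address and MACs are hypothetical):

```python
"""Flag ARP cache poisoning indicators in a stream of observed ARP replies.

Added example, not part of the original article. The replies below are
constructed sample data; the gateway IP and MAC addresses are hypothetical.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) taken from ARP replies
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # genuine gateway
    ("10:00:05", "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # ordinary host
    ("10:00:09", "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # normal cache refresh
    ("10:00:14", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    ("10:00:15", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the host IP
]

def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for suspicious IP-to-MAC binding changes.

    Indicator 1: an IP whose MAC changes after it was first seen; for the
                 gateway this is the classic poisoning signature (CRITICAL).
    Indicator 2: one MAC answering for more than one IP, which is how an
                 attacker sits between a victim and the gateway. Routers with
                 several addresses can trigger this too, so it is a WARNING.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {severity}: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} WARNING: {mac} claims multiple IPs {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(alert)
```

On a real segment the same logic can be fed from a packet capture or from periodic snapshots of the host's ARP table; static ARP entries for the gateway and dynamic ARP inspection on switches remove the condition it detects.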
Stage 2: Decryption
After an attacker intercepts data, they must decrypt it without alerting the service or user. There are several ways to accomplish this:
- SSL BEAST, a browser exploit against SSL/TLS, targets a vulnerability in TLS 1.0. In this method, the victim's computer becomes infected through malicious JavaScript that intercepts cookies. The application's cipher block chaining (CBC) encryption is then compromised, allowing the attacker to decrypt the stolen cookies and generate authentication tokens.
- SSL hijacking involves an attacker passing forged authentication keys to both the user and the service during the TCP handshake. The connection appears secure, even though a man in the middle controls the entire session.
- SSL stripping intercepts TLS authentication sent to a user, reducing HTTPS connections to HTTP. The user receives an unencrypted version of the application, while the attacker maintains the secure session. As long as the connection is active, the bad actor can see the user's entire session.
- HTTPS spoofing generates a fake certificate once the initial connection request to a secure website has been made. The certificate holds a valid digital thumbprint connected to the application, and the browser verifies this during its trust check. Afterward, the attacker can access any data the victim enters before the application receives any of it.
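SSL stripping, described above, works only when the browser is willing to speak plain HTTP to the site; HTTP Strict Transport Security (HSTS) and a permanent redirect to HTTPS close that window. The checker below, an added example that is not part of the original article, evaluates constructed sample responses (the hostname bank.example is hypothetical) against the properties a defender would want: an HTTPS redirect on the plain-HTTP endpoint, and an HSTS policy with a one-year max-age, includeSubDomains and preload.

```python
"""Check that a site's responses defend against SSL stripping (added example,
not part of the original article; sample responses and hostname are constructed)."""
import re
ONE_YEAR = 31536000  # seconds; minimum max-age required by the HSTS preload list
# Constructed sample: reply to a plain-HTTP request, redirecting to HTTPS
HTTP_RESPONSE_OK = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://bank.example/login\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: HTTPS reply carrying a strong HSTS policy
HTTPS_RESPONSE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed sample: HTTPS reply with a weak policy (short max-age, no subdomains)
HTTPS_RESPONSE_WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"

def parse_headers(raw):
    """Return (status_code, {lower-cased name: value}) from a raw HTTP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_findings(https_raw, http_raw):
    """Return findings; an empty list means the site resists SSL stripping."""
    findings = []
    status, headers = parse_headers(http_raw)
    if status not in (301, 308) or not headers.get("location", "").startswith("https://"):
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    hsts = parse_headers(https_raw)[1].get("strict-transport-security")
    if hsts is None:
        return findings + ["no Strict-Transport-Security header"]
    directives = {d.strip().lower() for d in hsts.split(";")}
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if m is None or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains (subdomains can still be stripped)")
    if "preload" not in directives:
        findings.append("HSTS not marked for preload (first visit is unprotected)")
    return findings
```

Note that HSTS only takes effect after the browser has seen the header once over HTTPS, which is why the preload directive matters for a bank whose customers may be stripped on their very first visit.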
Significant MITM Attacks in the Financial Services Sector
In the financial services sector, notable examples of MITM attacks include:
- European Corporate Bank Account Thefts: In 2015, 49 suspects were arrested for an attack on European bank accounts using man-in-the-middle attack techniques. The group stole more than €6 million from European companies after monitoring communications and rerouting financial transactions.
- Mobile Banking Apps' Fake Certificate: In 2017, researchers discovered a significant certificate technology flaw that many major banks used, including HSBC, Co-op, Allied Irish Bank, and NatWest. The flaw allowed attackers on the same network to steal login credentials to view and collect information.
- Equifax Domain Security Failure: In 2017, one of the biggest American credit reporting agencies fell victim to an MITM attack using unsecured domain connections. Consequently, over 100 million customers' personally identifiable information was stolen. Equifax neglected to patch a vulnerability, allowing bad actors to inject code into HTTP requests.
How to Protect against MITM Attacks
One of the most disconcerting aspects of an MITM attack is that it can go undetected by a security team for a long time. Therefore, it's essential to take the necessary steps to prevent an attack rather than try to remediate an existing problem. To protect their people and processes, financial organizations should adopt methods designed to prevent attacks from occurring in the first place.
1. Ensure Continuous Employee Awareness Training
If employees don't follow the rules, even the most comprehensive security policies will fail to prevent unauthorized access. Cyber awareness training helps fill in the gaps to give employees a complete view of possible threats, what to look out for, and what to do or what not to do.
Cybersecurity training is not a one-time thing; all employees, experienced or new, from junior teams to management, should undergo regular training to stay up-to-date on the latest security protocols. Some aspects to cover in this training include:
- Policy for company passwords
- Policy when working on free or public wireless networks
- Differentiating between phishing emails and legitimate emails
- The importance of always logging out of accounts and locking a device when not using it
- Reporting unusual activity to the appropriate parties
- The latest trends in security and cyberattacks
- Only using HTTPS sites
A company's security is only as strong as the weakest link. Therefore, training sessions should be mandatory and include exercises to test employees' knowledge; an in-house security team or third-party experts can lead the training.
2. Implement a Zero Trust Architecture
Adopting a zero trust architecture further enables financial organizations to defend against the growing threat of man-in-the-middle attacks. Zero trust means trusting no device or user, inside or outside an organization's perimeter, without verification. Because it relies on continuous verification across every device, user, and application, this architecture makes it harder for cybercriminals to impersonate someone else: they must prove their identity before they can access the network at all.
3. Invest in Machine-intelligent Email Security
Machine intelligence should also be an essential part of any company's cybersecurity strategy. Recent machine-intelligence advances have given organizations a new line of defense against even the most sophisticated cyberattacks. These systems scan all messages sent on a company's network and compare them with established behavior patterns. By recording every interaction between employees, they learn which lines of communication are typical and under what circumstances. Should a message fall outside the normal behavior parameters, these systems flag it as an anomaly and a possible threat. This ongoing monitoring can help organizations identify suspicious behavior and emerging threats that human eyes would miss.
To find out more about how you can protect your organization against man-in-the-middle attacks, download for free The Clear & Complete Guide to Smarter Email Security: