Threat Overview: Man-in-the-Middle Attacks


Clear communication is at the base of every human interaction.

Whether you’re speaking to a friend, partner, or co-worker, you need to make yourself understood. 

However, when you share sensitive information, clear communication is only half of the equation—it also needs to be secure.

Just as you don’t go around shouting secrets, you have to be discreet and mindful about how, where, and to whom you talk about certain things.

In today’s “all digital, all the time” world, this is especially true for banks.

For one, customers’ personal and financial information is as sensitive as “information” can get. But also, cybercriminals can easily hide in the intricacies of the web, and intercept information without being seen or heard.

Among the many forms that cybercrime takes, man-in-the-middle (MITM) attacks are perhaps the sneakiest. Cybercriminals feed upon open communication channels, and can create mayhem by leveraging the information that they intercept—without you even noticing.

Read on to learn about what MITM attacks are, and how to prevent them.

What Is a Man-In-The-Middle Attack?

To better understand how MITM attacks work, it helps to start with a very basic, non-banking fact pattern.

Let’s imagine you’re planning a surprise party for your friend Bob. While sitting at a coffee shop, you go over some details with Alice, who will be hosting the party.

Unbeknownst to both of you, sitting at a table behind you, Mallory—Bob’s girlfriend—is sipping a cup of tea and listening to all your plans. Mallory takes note, and steals the idea to plan the surprise party herself.

Harmless as it sounds, one week later, on the day of his birthday, Mallory surprises Bob first, and your and Alice’s plans are completely foiled.

Although a trivial example, this is similar to what a man-in-the-middle attack might look like.

In the digital world, a MITM attack is a cyberattack where cybercriminals covertly insert themselves into the communication channel established between two legitimate parties. This attacker can then intercept and/or modify the data flowing between them.

To take our example further, if Mallory were even more ill-intentioned, she could let you know that she overheard the conversation and ask for money in exchange for not revealing the surprise to Bob. Or she could spread erroneous information about the surprise party on purpose.

In other words, cybercriminals who perform MITM attacks can use the information that they secretly gather in many different ways. Once they capture sensitive data, they can use it as it is, or they can also alter the content of the communication to sow further confusion.

Whatever the nefarious actor’s plan is, a MITM breach compromises the confidentiality, integrity, and authenticity of the data, posing significant risks to banks and their customers.

In addition to these consequences, MITM attacks are particularly dangerous because they can be very difficult to detect. Once a cybercriminal intercepts a seemingly “private” conversation (between individuals, or between an individual and a website, for example), the affected parties have no way of knowing that their communication has been compromised.

If you know how cybercriminals think and act, it becomes easier to prevent attacks like MITM.

HTTP and the Risk of “Open” Communication

Before we get into how man-in-the-middle attacks intercept private communications, we must understand how these communications work from the perspective of cybersecurity domain defense (i.e., .Bank’s wheelhouse).

The Hypertext Transfer Protocol (HTTP) is the main player in this process. Think of it as the language that browsers and servers (which host domains) use to communicate between each other. 

When you type a website (i.e., domain) address into your browser, it sends an HTTP request to the server that hosts that website. The server processes that request, and sends back an HTTP response that includes all the content for that website.

HTTP was developed around 1990, when banking cybersecurity concerns were far smaller than they are today. And while HTTP continues to be useful for online communications, it has a major security flaw: it doesn’t encrypt the information that it transfers between servers and browsers.

In other words, it leaves an “open” communication, much like speaking in plain English with someone at a coffee shop, where anyone can hear your conversations. This means that anyone could eavesdrop on the communication and steal sensitive data.

To protect online communications, many websites now use HTTP Secure (HTTPS) instead, which incorporates Transport Layer Security (TLS)—a protocol that encrypts the data that transfers between a browser and a website.

Maybe you’ve also heard of Secure Sockets Layer (SSL), which is the predecessor of TLS. SSL has become outdated and insecure, and the early versions of TLS are considered insecure too. In fact, big companies like Microsoft and Google have already disallowed TLS 1.0 and 1.1. Currently, .Bank is at TLS 1.2 or greater—it’s increasingly common to see TLS 1.3.

For banking cybersecurity, pay close attention to what TLS version your bank interacts with, and how HTTPS is implemented. 

A domain provider may claim to be secure because they offer HTTPS for your domain, but that’s not the whole picture—it can give you a false sense of security. You must make sure that the encryption that they work with is strong enough to meet industry standards.  

Man-In-The-Middle: A Domain Perspective

Man-in-the-middle attacks can manifest in various ways, which, as we previously mentioned, often appear innocuous, sometimes even to the trained eye. These attacks can start with an unsecured Wi-Fi connection, a phishing email, a malicious download…and the list goes on.

Wherever someone is interacting over the internet, or via a mobile device, a MITM attack is a real threat.

At .Bank, we work to keep bank domains secure—period. 

As such, let’s take a look at the most common MITM methods that cybercriminals use to try and eavesdrop on people who interact with a website (or domain). 

1. Intercepting DNS Requests

When you type a website address in your browser, the Domain Name System (DNS) translates the name into an IP address, so that the internet knows where to take you.

In this process, you “send” a DNS request for this translation to happen. During a MITM attack, a hacker looks to intercept this request, and sends you back an incorrect IP address—instead of directing you to the website that you want to visit, you land on a website the hacker controls.

This fake website might look identical to the real one, enticing you to enter your login credentials or financial information. Except, that information doesn’t stay between you and the fake bank website—the hacker who controls the website now has your information.

2. Hijacking the TLS Handshake 

As we covered above, browsers (on behalf of people) and servers interact with each other via a set of operations that make up the HTTP protocol.

As convenient as the protocol is, it carries data as plain text, not encrypted. The TLS handshake is the process in which the server presents its TLS certificate, the browser verifies it, and the two sides agree on encryption keys; once it completes, the HTTP exchange runs over an encrypted channel, turning it into an HTTPS connection.

When a cybercriminal hijacks a TLS handshake, they either:

  • Downgrade the connection from HTTPS to HTTP, which gives the hacker access to unencrypted information in plain text.
  • Place a fake certificate instead of the authentic TLS certificate, which makes the victim think that the attacker’s website is the original one they were trying to connect with.

Ultimately, the attacker has full access to whatever information the victim types in.

3. Exploiting Public Key Infrastructure

Public key infrastructure (PKI) refers to the set of tools and processes that work to make data transfers over the internet more secure.

Briefly, here’s how PKI works:

  1. A trusted entity called a Certificate Authority (CA) issues a digital certificate (such as a TLS certificate) for a domain. Among other things, this certificate contains information like the domain name, and public keys that are used to encrypt and decrypt information.
  2. When you visit a domain via HTTPS, your browser verifies the domain’s certificate, to ensure that it’s legitimate and comes from a trusted CA.
  3. Once verification is successful, a secure connection is established using encryption. This means that your browser and the domain exchange data in a way that is unreadable to anyone attempting to intercept the communication.

Hackers can attack this process in a number of ways, all of which are considered man-in-the-middle attacks, as they follow the same principle of intercepting communication between your browser and a domain.

These criminals could steal (or phish for) CA private keys, so they can create fake certificates, which appear legitimate to your browser during verification. This way, they can make a malicious website seem authentic and steal any data that you share on the website.

They could also bribe questionable CAs into issuing certificates for their malicious websites. Or, they could create their own certificates for fake websites—some browsers warn you about untrusted certificates, but not all of them.

Potential Consequences of a Man-in-the-Middle Attack

Due to the critical nature and the severe consequences of a successful MITM attack, many companies tend to keep real-life cases confidential.

Some cases do make the news, like this hacker group that Europol (the law enforcement agency of the European Union) thwarted. The criminals’ take was over $6 million via man-in-the-middle attacks.

When a MITM attack is successful, banks can suffer in a number of ways:

  • Financial loss: hackers can intercept transactions, and redirect fund transfers to their own accounts. They could also capture login credentials, and make unauthorized transactions.
  • Data breach: attackers can steal personal information, which can be used for identity theft, further financial fraud, or sold on the dark web. Or, sneakier still, they could intercept sensitive corporate information, and use it to undermine a bank’s business operations.
  • Loss of trust: if customers find out that their data or money was compromised due to an attack, their trust in the bank will significantly erode.
  • Reputation damage: news of a successful attack can damage a bank’s reputation, impacting its relationships with investors and partners and causing the bank’s stock price and market value to decrease.
  • Operational disruption: in the aftermath of an attack, a bank may need to take critical systems offline to perform forensic analysis and ensure there are no additional compromises. This can disrupt regular banking operations, affecting everything from customer transactions to internal processes.

There is much to lose if man-in-the-middle attacks aren’t taken seriously. They are a real, inconspicuous threat, and we must work to eradicate options for cybercriminals. 

Best Practices to Prevent Man-in-the-Middle Attacks

There’s little doubt that MITM attacks pose a significant threat to banking cybersecurity.

Because these attacks are both damaging and inconspicuous, the banking community must stay vigilant and work hard to improve its cybersecurity defense posture and prevent MITM attacks. Some more elaborate than others, here are the main measures that your bank can implement to reduce risk:

  • Secure Wi-Fi: prioritize secure Wi-Fi connections in your bank’s branches and internal networks. This includes strong encryption (WPA2 or WPA3) and user authentication to prevent unauthorized access.
  • Network segmentation: segment your bank’s network, isolating critical systems that contain sensitive customer data, from publicly accessible areas. This limits the potential damage if a breach occurs.
  • Intrusion detection and prevention systems (IDS/IPS): these systems monitor network traffic for suspicious activity that might indicate a MITM attack, allowing for quick response and mitigation.
  • Multi-factor authentication (MFA): even if attackers steal login credentials, MFA adds an extra layer of security by requiring other verification factors (such as a code sent to the user) to access accounts. .Bank requires MFA to be implemented for all our clients.
  • Employee training: deliver awareness programs to recognize and avoid attacks. This includes phishing training, secure browsing practices, and reporting suspicious activities.
  • HTTPS encryption: as discussed earlier, banks must work with HTTPS, not HTTP. At .Bank we advocate for the use of TLS 1.3—anything below TLS 1.2 is plainly insecure.
  • HSTS: .Bank also works with HTTP Strict Transport Security (HSTS) to enforce the use of HTTPS for all connections. With this measure, browsers can’t load websites through insecure HTTP.
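Two of the measures above, the TLS version floor and HSTS, can be checked in code, and the same client settings close off the two handshake hijacks described earlier (a downgrade below TLS 1.2, or an unverified certificate). The following is an added example, not .Bank’s own code: a Python client context that refuses both, plus a small auditor for a site’s Strict-Transport-Security header. The one-year max-age threshold is the value the HSTS preload list requires and is assumed here as the bar.

```python
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Floor recommended above: anything below TLS 1.2 is treated as insecure.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# Assumed bar: one year in seconds, the max-age the HSTS preload list requires.
HSTS_MIN_AGE = 31536000

def strict_client_context() -> ssl.SSLContext:
    """Client-side TLS context that cannot be negotiated down below TLS 1.2 and
    that rejects any certificate not chained to a trusted CA or not matching
    the hostname, the two handshake hijacks described in the article."""
    ctx = ssl.create_default_context()      # loads the system CA trust store
    ctx.minimum_version = MIN_TLS           # refuse TLS 1.0/1.1 (and SSL) outright
    ctx.check_hostname = True               # certificate must name the server
    ctx.verify_mode = ssl.CERT_REQUIRED     # an unverifiable certificate is fatal
    return ctx

@dataclass
class HstsReport:
    present: bool
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

def audit_hsts(header: Optional[str]) -> HstsReport:
    """Parse a Strict-Transport-Security header value and flag weak settings."""
    if header is None:
        return HstsReport(present=False, findings=["no HSTS header: browsers may still load the site over HTTP"])
    report = HstsReport(present=True)
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                report.max_age = int(value.strip().strip('"'))
            except ValueError:
                report.findings.append(f"unparseable max-age {value!r}")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
    if report.max_age == 0:
        report.findings.append("max-age missing or zero: the HSTS policy is invalid or cleared")
    elif report.max_age < HSTS_MIN_AGE:
        report.findings.append(f"max-age {report.max_age} is below one year")
    if not report.include_subdomains:
        report.findings.append("includeSubDomains missing: subdomains may still be reached over HTTP")
    return report
```

`audit_hsts` takes the raw header value as returned by the server; an empty findings list means the policy meets the assumed bar.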

Of course, the more security measures and best practices your bank adheres to, the safer your operations will be from potential MITM attacks. 

If you would like to know more about any of these, or other best practices to protect your organization against man-in-the-middle attacks and other threats, reach out to us—we would love to chat!

Protect Your Good Name With .Bank

Eavesdropping is never a good thing.

While it’s merely frowned upon if someone listens in on a private conversation to which they aren’t invited, it can become a huge problem for banks when it comes to cybercriminals. 

The most worrying issue with man-in-the-middle attacks is that most times, you aren’t even aware that a bad actor is spying on you. And rather than “taking things offline” to prevent unwanted listeners, you can take real action to defend your bank’s integrity—without losing out on convenience.

At .Bank, we strive to keep your bank’s domain safe—and your bank’s name strong. Schedule a meeting to learn how we help banks of all shapes and sizes build a secure online environment.
