
Protecting Against Man-In-The-Middle Attacks

How a Man-In-The-Middle (MiTM) Attack Works

  • Intercepts messages between two victims (e.g. a user and a website) and injects new ones
  • Both victims believe the communication is private, but the man-in-the-middle controls it
  • Most forms of two-factor authentication offer no protection: a one-time password typed into the compromised session is simply relayed to the site along with the password

In this form of man-in-the-middle attack (often called a man-in-the-browser attack when the malware sits inside the browser itself), Trojans and other malware on the user’s machine lie in wait for the user to access a targeted website, primarily banking and financial services sites. When the site is accessed, the malware inserts itself into the user’s session and relays traffic in both directions. The user logs in as they normally would with a username and password. If the website requires two-factor authentication during login, such as a one-time password from a security token, the user enters the OTP as usual, completely unaware that an attack is in progress; the attacker passes it on to the site just as it passes on the password.

Once the user is authenticated, so is the man-in-the-middle. The attacker can initiate new transactions, such as ACH and wire transfers, or reroute the user’s legitimate transactions to “mule” accounts. In some cases, the attacker simply takes over the authenticated session and displays a message telling the user that the website is currently unavailable, so the user has no reason to look further.


How PhoneFactor’s OOB Transaction Verification Protects Against Man-In-The-Middle (MiTM)

Out-of-band authentication with transaction verification protects against man-in-the-middle attacks because the approval is tied to the details of the specific transaction and travels over a channel the attacker does not control. When a transaction is initiated, an automated phone call is placed to the user’s registered phone number. During the call, the user is asked to verify the specific transaction the bank actually received, for example: “This is Your Bank calling to verify the transfer of $50,000 to account 10015 at Bank of Nigeria.” If the transaction is valid, the user simply presses # (or enters a PIN) to approve it. If the transaction is not valid, the user presses 911# to lock their account and notify the company that an attack is in progress.

By verifying the specific transaction through a separate channel, even if the user’s authenticated session has been hijacked by a man-in-the-middle, the attacker cannot complete a transaction without the user’s explicit approval of the details the bank actually received. Even if the user were required to verify each transaction with an OTP from their security token, they would have no way of knowing which transaction they were validating, theirs or the attacker’s, because the OTP is not bound to the transaction details. And once entered into the compromised session, that OTP can be captured by the attacker and used to authorize a different transaction.
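The two flows described on this page, the relayed in-band OTP and the out-of-band read-back, as an added simulation that is not part of the original page and not PhoneFactor’s code. It models a toy bank, an event-based token using the RFC 4226 HOTP truncation, a user who only approves a phone read-back that matches what they typed, and session malware that rewrites the destination and amount of every transfer while relaying the OTP untouched. The class names (`Bank`, `Token`, `User`, `MitmBrowser`), the account names `victim`, `payee` and `mule`, the balances, the three-step OTP look-ahead window and the phone wording are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to 6 digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def describe(dst: str, amount: int) -> str:
    """Wording the bank reads over the phone; the user builds the same string for what they intended."""
    return f"the transfer of ${amount:,} to account {dst}"


class Token:
    """Event-based security token (assumed): each press yields the OTP for the next counter value."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        self.counter += 1
        return hotp(self.secret, self.counter - 1)


class User:
    def __init__(self, token: Token, dst: str, amount: int):
        self.token, self.intended = token, (dst, amount)   # what the user really typed

    def answer_call(self, prompt: str) -> bool:
        """True = pressed # (read-back matches the intended transfer), False = pressed 911#."""
        return describe(*self.intended) in prompt


class Bank:
    """Toy bank (constructed for this example) offering both verification modes from the page."""
    def __init__(self, secret: bytes, call_user):
        self.secret, self.call_user, self.counter = secret, call_user, 0  # call_user: OOB channel
        self.balances = {"victim": 100_000, "payee": 0, "mule": 0}
        self.locked = False

    def _check_otp(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + 3):      # small look-ahead window (assumed)
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1                         # each OTP is single-use
                return True
        return False

    def _move(self, src: str, dst: str, amount: int) -> bool:
        if self.balances[src] < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def transfer_inband(self, src: str, dst: str, amount: int, otp: str) -> bool:
        """Authorised by an OTP typed into the session: the OTP is valid but bound to nothing."""
        if self.locked or not self._check_otp(otp):
            return False
        return self._move(src, dst, amount)

    def transfer_oob(self, src: str, dst: str, amount: int) -> bool:
        """Authorised out-of-band: read back what the bank actually received and wait for #."""
        if self.locked:
            return False
        if not self.call_user(f"This is Your Bank calling to verify {describe(dst, amount)}."):
            self.locked = True          # 911#: lock the account and flag the attack
            return False
        return self._move(src, dst, amount)


class MitmBrowser:
    """Malware in the session path: swaps destination and amount, relays the OTP untouched."""
    def __init__(self, bank: Bank):
        self.bank = bank

    def transfer_inband(self, src, dst, amount, otp):
        return self.bank.transfer_inband(src, "mule", 50_000, otp)   # user's OTP, attacker's transfer

    def transfer_oob(self, src, dst, amount):
        return self.bank.transfer_oob(src, "mule", 50_000)


def run(mode: str, attacked: bool):
    """Simulate one $100 transfer to 'payee'; returns (accepted, balances, account_locked)."""
    secret = secrets.token_bytes(20)                 # shared between token and bank at enrolment
    user = User(Token(secret), "payee", 100)
    bank = Bank(secret, user.answer_call)
    front = MitmBrowser(bank) if attacked else bank  # whoever actually sees the user's request
    if mode == "inband_otp":
        ok = front.transfer_inband("victim", "payee", 100, user.token.press())
    else:
        ok = front.transfer_oob("victim", "payee", 100)
    return ok, dict(bank.balances), bank.locked
```

`run("inband_otp", attacked=True)` accepts the attacker’s $50,000 to the mule account because the relayed OTP verifies and says nothing about the transaction; `run("oob_verify", attacked=True)` is refused and locks the account because the read-back names the mule transfer, not the $100 the user typed. The defence holds only while the second channel is genuinely independent: malware on the same phone, a SIM swap or call forwarding on the registered number, or a user who presses # without listening to the amount and destination, all put the attacker back in control.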

For more information try the PhoneFactor Demo or Download the Free Version.
