Concepts against Man-in-the-Browser Attacks
Published July 4th, 2006 in All Categories, Security
A new threat is emerging that attacks browsers by means of trojan horses. The new breed of trojan horses can modify transactions on-the-fly, as they are formed in the browser, and still display the user’s intended transaction to her. Structurally, they are a man-in-the-middle attack between the user and the security mechanisms of the browser.
Unlike phishing attacks, which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all: they use real services, the user is correctly logged in as normal, and there is no difference to be seen.
The WYSIWYG concept of the browser is successfully broken. No advanced authentication method (PIN, TAN, iTAN, Client certificates, Secure-ID, SmartCards, Class3 Readers, OTP, …) can defend against these attacks, because the attacks are working on the transaction level, not on the authentication level. PKI and other security measures are simply bypassed, and are therefore rendered obsolete.

Concepts against Man-in-the-Browser Attacks - IT Observer








