Tools against man-in-the-middle attacks

As the techniques of online fraud continually morph and evolve, banks are coming to realize that fraud is not a problem that can easily be contained; it’s an ongoing threat that requires strong and constant surveillance. Fraudsters are relentlessly inventing and reinventing tools to conduct sophisticated real-time attacks, such as man-in-the-middle, man-in-the-browser, and Rock Phish attacks. These kinds of attacks are becoming more frequent in the online banking arena, resulting in a crisis of customer confidence and significant financial losses reaching into the millions. 

Man-in-the-middle attacks prey on the difficulty of verifying both the authenticity of a transaction as well as the authenticity of the customer who initiates it. VASCO addresses this security gap with its e-signature solution, which conveniently operates on the same back-end platform as other VASCO strong authentication solutions and products.


A man-in-the-middle attack is an insidious form of eavesdropping in which the attacker is able to read, insert and modify messages between two parties at will, without either party becoming aware that the link between them has been compromised. Under a man-in-the-middle attack, user authentication alone is not enough to verify transaction authenticity, because all communication passes through a spoofed website managed by the attacker (the "man-in-the-middle"), who can alter the transaction after the user has authenticated.


VASCO’s unique visual transaction signing and e-signature solutions are designed specifically to help financial institutions combat man-in-the-middle attacks and secure financial transactions. VASCO makes this possible by using data such as account numbers, transaction amounts and timestamps in order to generate an Electronic Signature unique to each particular transaction.


Best Practices recommended by VASCO in order to combat man-in-the-middle attacks:

  • Use of one-time passwords for user authentication
  • Use of electronic signatures for transaction authentication
  • Use of host authentication
  • Use of multiple channels (and avoid SMS since it isn’t secure)
  • User education

  • Webinar – How to offer users a secure and convenient mobile banking experience
  • Video – Visual transaction signing (CrontoSign)

What is an e-signature?
VASCO’s e-signature is a short piece of information used to authenticate a message and is based on a MAC (Message Authentication Code) algorithm.

The benefits include:

  • Eliminate phishing, man-in-the-middle and social engineering threats
    Establish a secure communication channel with each individual user
  • Transaction Validation
    VASCO’s e-signature solution creates an Electronic Signature unique to each particular transaction. Should any elements of a transaction be changed or tampered with after it has been signed (as they are with man-in-the-middle attacks), the Electronic Signature becomes invalid.
  • Non-Repudiation
    VASCO’s e-signature solution is capable of providing complete non-repudiation of a transaction, verifying that a specific user was present and initiated the transaction.
  • Single Back-end Platform
    Because all VASCO solutions operate on the same back-end platform, the e-signature solution can be combined with any other VASCO strong authentication solution, such as one-time passwords and host authentication. Banks can simply leverage their existing investment, since no infrastructure changes are required.
  • Software and Hardware Platforms
    VASCO’s e-signature solution can be implemented in software-only form or as a combination of hardware and software factors, depending on the end-user’s needs and risk profiles.
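The MAC-based transaction signature described above (a code computed over the account numbers, amount and timestamp, which becomes invalid if any field is altered after signing), as an added example that is not VASCO's own code or algorithm: it assumes HMAC-SHA256 with a per-user key shared between the signing device and the bank's back end, a constructed sample transaction, and RFC 4226-style truncation to an 8-digit code a user could read off a token.

```python
import hashlib
import hmac
from typing import Dict

# Constructed per-user key: in practice provisioned into the user's signing device and
# the bank back end, never transmitted over the (possibly intercepted) online channel.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Every field the user must see and approve is part of the signed data, in fixed order.
SIGNED_FIELDS = ("account_from", "account_to", "amount", "currency", "timestamp")


def canonicalize(tx: Dict[str, str]) -> bytes:
    """Serialize the transaction unambiguously so distinct transactions never collide."""
    return "\x1f".join(f"{name}={tx[name]}" for name in SIGNED_FIELDS).encode("utf-8")


def sign_transaction(tx: Dict[str, str], key: bytes, digits: int = 8) -> str:
    """Short numeric e-signature: HMAC-SHA256 over the canonical transaction, dynamically
    truncated (RFC 4226 style) so the user can read it off a token display."""
    mac = hmac.new(key, canonicalize(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_transaction(tx: Dict[str, str], key: bytes, code: str, digits: int = 8) -> bool:
    """Bank-side check: recompute the signature over the transaction actually received
    and compare in constant time. Any altered field yields a different code."""
    return hmac.compare_digest(sign_transaction(tx, key, digits), code)


# Constructed sample transaction, as the customer saw and approved it.
ORIGINAL_TX = {
    "account_from": "BE68539007547034",
    "account_to": "NL91ABNA0417164300",
    "amount": "1250.00",
    "currency": "EUR",
    "timestamp": "2013-05-02T10:15:30Z",
}


def demo() -> Dict[str, bool]:
    code = sign_transaction(ORIGINAL_TX, DEVICE_KEY)
    # A man-in-the-middle relays the genuine code but rewrites the beneficiary in transit;
    # the bank recomputes the MAC over what it received and the check fails.
    tampered_tx = dict(ORIGINAL_TX, account_to="DE89370400440532013000")
    return {  # -> {'original_accepted': True, 'tampered_accepted': False}
        "original_accepted": verify_transaction(ORIGINAL_TX, DEVICE_KEY, code),
        "tampered_accepted": verify_transaction(tampered_tx, DEVICE_KEY, code),
    }
```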