Throwing another lock on seems like the most logical way to secure an apartment—or a website. But a new attack called “Man in the Browser” allows attackers who have infected a computer with malicious software to get around the bank website security systems that demand, for example, a pin in addition to a password.
A BBC investigation uncovered the vulnerability. Once an attacker has access to the browser, they can ask a user to enter their authentication code or password into an inappropriate field as part of an effort to “train a new security system.” If the user falls for it, the attacker gets full access to the bank’s website, and can even obscure withdrawals of funds.
This points to a larger issue, says security technology OG Bruce Schneier: All security solutions that consist of adding another password or pin to the process are attempts to authenticate that a person is who they say they are, when the only real solution is to authenticate the transaction itself.
That means what all bank and other secured websites need are elaborate fraud-detection algorithms akin to those used by the financial industry to secure credit cards. Credit cards are easily forged, but it doesn’t matter, in part because banks prevent fraud by examining activity rather than trying to directly verify that a credit card is being used by its rightful owner.
Here’s how a Twitter engineer says it will break in the coming weeks
One insider says the company’s current staffing isn’t able to sustain the platform.
Technology that lets us “speak” to our dead relatives has arrived. Are we ready?
Digital clones of the people we love could forever change how we grieve.
How to befriend a crow
I watched a bunch of crows on TikTok and now I'm trying to connect with some local birds.
Starlink signals can be reverse-engineered to work like GPS—whether SpaceX likes it or not
Elon said no thanks to using his mega-constellation for navigation. Researchers went ahead anyway.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.