Throwing another lock on seems like the most logical way to secure an apartment—or a website. But a new attack called “Man in the Browser” allows attackers who have infected a computer with malicious software to get around the bank website security systems that demand, for example, a pin in addition to a password.
A BBC investigation uncovered the vulnerability. Once an attacker has access to the browser, they can ask a user to enter their authentication code or password into an inappropriate field as part of an effort to “train a new security system.” If the user falls for it, the attacker gets full access to the bank’s website, and can even obscure withdrawals of funds.
This points to a larger issue, says security technology OG Bruce Schneier: All security solutions that consist of adding another password or pin to the process are attempts to authenticate that a person is who they say they are, when the only real solution is to authenticate the transaction itself.
That means what all bank and other secured websites need are elaborate fraud-detection algorithms akin to those used by the financial industry to secure credit cards. Credit cards are easily forged, but it doesn’t matter, in part because banks prevent fraud by examining activity rather than trying to directly verify that a credit card is being used by its rightful owner.
Keep Reading
Most Popular
DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.
“This is a profound moment in the history of technology,” says Mustafa Suleyman.
What to know about this autumn’s covid vaccines
New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.
Human-plus-AI solutions mitigate security threats
With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure
Next slide, please: A brief history of the corporate presentation
From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.