Throwing another lock on seems like the most logical way to secure an apartment—or a website. But a new attack called “Man in the Browser” allows attackers who have infected a computer with malicious software to get around the bank website security systems that demand, for example, a pin in addition to a password.
A BBC investigation uncovered the vulnerability. Once an attacker has access to the browser, they can ask a user to enter their authentication code or password into an inappropriate field as part of an effort to “train a new security system.” If the user falls for it, the attacker gets full access to the bank’s website, and can even obscure withdrawals of funds.
This points to a larger issue, says security technology OG Bruce Schneier: All security solutions that consist of adding another password or pin to the process are attempts to authenticate that a person is who they say they are, when the only real solution is to authenticate the transaction itself.
That means what all bank and other secured websites need are elaborate fraud-detection algorithms akin to those used by the financial industry to secure credit cards. Credit cards are easily forged, but it doesn’t matter, in part because banks prevent fraud by examining activity rather than trying to directly verify that a credit card is being used by its rightful owner.
Keep Reading
Most Popular
How Rust went from a side project to the world’s most-loved programming language
For decades, coders wrote critical systems in C and C++. Now they turn to Rust.
The inside story of how ChatGPT was built from the people who made it
Exclusive conversations that take us behind the scenes of a cultural phenomenon.
Design thinking was supposed to fix the world. Where did it go wrong?
An approach that promised to democratize design may have done the opposite.
Sam Altman invested $180 million into a company trying to delay death
Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.