The European Banking Authority warns against Man-in-the-Middle attacks

As discussed in a previous blog, the European Banking Authority (EBA) has released the final draft of its technical guidance for PSD2. Articles 4 and 25 of said guidance include mandates for the security of the customer authentication process.

One of the key elements of the authentication mandate is the requirement to use advanced security technology to safeguard all client-to-server communications against interception. In other words, to protect against MitM (Man-in-the-Middle) attacks.

Here’s the exact verbiage of Article 4, section 3c:

the communication sessions are protected against the capture of authentication data transmitted during the authentication and against manipulation by unauthorised parties in accordance with the requirements in Chapter 5;…

And from Chapter 5, Article 25, section 2:

2. Payment service providers shall ensure that the risks against misdirection of communication to unauthorised parties in mobile applications and other payment services users’ interfaces offering electronic payment services are effectively mitigated.

There’s a chance you’ve never heard of MitM, but research (documented in The Security Impact of HTTPS Interception paper) shows that 4 -10.9% of TLS-encrypted internet connections are vulnerable to interception. And 10-40% of those can be easily decrypted by an MitM attacker. The researchers observed nearly 8 billion connections across numerous hubs of internet activity. Doing some quick math, that’s around an average of 140,000,000 vulnerable connections, right now. And as a result of PSD2’s final guidance, that number will undoubtedly skyrocket.

Client-to-server internet connections are the new black

The number of client-to-server internet communications is going to explode as a result of PSD2. With the push for innovation and the allowance of TPPs (third-party providers) into the market, new web and mobile applications are springing up like weeds. Even without PSD2, leading technology and social media companies have jumped into online payments with services such as Facebook payments, Google Home and Apple Pay.

All of this innovation and openness will dramatically increase the opportunities for hackers to perpetrate MitM. An MitM attack occurs when a hacker secretly inserts himself into the connection between your client ‘s user interface and your web API/server. Using this technique, they can steal the information going back and forth, or insert malicious code into the connection.

For more information about how MitM is perpetrated, click here. But for the purposes of this blog, suffice it to say that the perimeter security you’ve been using to this point will not protect your customer’s data or your back end systems against MitM.

The best way to protect against this type of attack is to harden the JavaScript that runs on the client-side. By hardening the JavaScript you protect not only the code, but the API that carries the data from the application to the server. Using the latest encryption technologies (i.e. Cloakware from Irdeto) you can ensure that not only is it extremely difficult for hackers to view your code, but that even if they do, they won’t be able to pull off an MitM attack.