How to counter man-in-the-middle attacks

In the anxious years after the English Civil War, paranoia reigned.

As part of Oliver Cromwell’s strategy to protect his power, he encouraged his agents to intercept letters and packages. After they had gleaned the secrets within, they would send the mail on its way to the original recipient.

Technology has changed in the years since Cromwell’s espionage team carried out their dark arts. But the fundamentals of man-in-the-middle attacks remain the same today. The main difference is that these days it isn’t only governments that have the ability to steal secrets. And the pool of potential victims has become a lot larger.

In the first in a series of articles about specific threats to your security, we’re taking a closer look at man-in-the-middle attacks.

So, read on to find out how they work, what bad actors are trying to achieve, and how you can counter them.

What are man-in-the-middle attacks?

As was the case in the time of the Tudors and the Stuarts, man-in-the-middle attacks today are all about intercepting a line of communication. A bad actor could decide to just read the information, or they could change it first and then send it on. But either way, the final recipient would be none the wiser.

Some of the most common man-in-the-middle attacks are those that take place over public wifi networks. That’s because intercepting this line of communication is relatively easy. After all, neither the router nor your connected device has to verify its identity. This is more of an issue now that remote working is more common.

For this kind of attack, the bad actor would have to also be on the network, or be nearby. But for many man-in-the-middle attacks, proximity isn’t necessary.

Another defining feature is the bad actor using their own server to communicate with an application.

Let’s use the example of a banking app. When a customer uses that app, they’re communicating with the bank’s server. But bad actors use various techniques to make the app think it should communicate with their server instead of the bank’s IP address.

If the app in question doesn’t have any countermeasures against faking a server certificate, it could be in danger. Because once the app is connected to the bad actor’s server, then that server can send data as a proxy to the bank’s server. And it can even change information such as account numbers.

So, the bad actor’s server pretends to be the bank’s server. Then it sends data back to the legitimate one. These messages are often signed with crypto keys, but it’s still easy to intercept credentials and sensitive data.

It's also worth adding here that man-in-the-middle attacks are sometimes used in tandem with phishing scams.

Going back to the banking app example, a bad actor could set up a server and make that banking app think it’s the real one. And instead of redirecting traffic to the real server, they would direct traffic to some separate pages. Once there, bad actors would ask for the customer’s personal information.

One way to glean this information would be to tell the customer that they need to confirm they are who they say they are.

Who’s at risk from man-in-the-middle attacks?

In the example above, we spoke about banks and banking apps. They’re an obvious target of man-in-the-middle attacks because the motivation for bad actors is often financial.

As we’ve said, if a hacker is able to hijack a communication channel, they can intercept important personal information. Then they can make changes to account information. And they can profit illegally from transactions customers make.

But banks and their customers aren’t the only ones at risk.

As industries evolve, physical conversations become digital ones. Doctors and patients can now communicate via an app, for example. When they do, they share sensitive information with one another.

A bad actor might try to intercept this modern communication channel. If successful, they could do a lot of damage to the reputation of the individual or the health center in question.

IoT is also a common target of man-in-the-middle attacks. Cybercriminals are constantly probing for weaknesses in large networks of connected devices. All it takes is for a door to be left ajar somewhere for them to find a way in.

For businesses with IoT systems, this is a real threat that has to be taken seriously. After all, successful attacks can cause a serious amount of downtime as well as the loss of proprietary information.

How to defend against man-in-the-middle attacks

So, businesses and individuals have a lot to lose from man-in-the-middle attacks. How can they protect themselves and avoid the risks?

Google’s Certificate Transparency project is helping to counter them. It fixes some of the structural flaws in the SSL certificate system - the main cryptographic system that underpins every HTTPS connection. And strengthening this helps to prevent interceptions by bad actors. Certificate Transparency also helps to detect SSL certificates that have been issued maliciously.

Some mobile banks we work with use Certificate Transparency to sure up their defence against man-in-the-middle attacks.

But they use it together with other layers of protection.

One crucial weapon against man-in-the-middle attacks is reinforced public key pinning implementation. This is important because it secures the SSL certificate pin. And that’s often the starting point for hackers looking to intercept your communication channels.

General vigilance is important, too. It’s a good idea to be transparent with your customers about how you’ll communicate with them. That way they have a better chance of spotting suspicious emails or SMS messages from bad actors that ask them to share their information on a separate web page.

All these actions combined can help you to counter man-in-the-middle attacks. By doing so you secure your customers’ data and your reputation at the same time.