
ciso-platform-annual-summit-2013-Man in browser(veena, citi bank)



Presented by Veena Srinivasan, Business Information Security Officer, Citi Bank, at the CISO Platform Annual Summit, 2013. Veena is responsible for information security compliance across the consumer finance business at Citi Bank in India and for implementing a strategy for measuring, mitigating and managing risk.


  1. Man in the browser (MIB): an introduction and defending against MIB
     Disclaimer: The views/opinions expressed in this presentation are solely those of the author and do not necessarily reflect the views or policies of Citibank N.A. (Citi), or its Board of Directors, or any of its associates, advisers, agents or officers or the governments they represent. Citi does not guarantee the accuracy or reliability of the data or information included in this presentation and accepts no responsibility for any consequences of their use. It is understood that the material in this paper is intended for general information only and should not be used in relation to any specific application without independent examination and verification of its applicability and suitability by professionally qualified personnel.
  2. What is a Man-in-the-Browser attack?
     Man in the browser is a security attack where the perpetrator installs a Trojan on a victim's computer that is capable of modifying that user's web transactions as they occur in real time.
     Who is the target: financial institutions.
  3. Attack flow (diagram). Labels recovered from the slide: the user submits "Transfer $100 to John"; the Trojan injects a fake transaction, "Transfer $1000 to XXX", which travels to the Bank over the encrypted SSL channel; the bank reports "$1000 transferred to XXX", while the user's browser shows "$100 transferred to John". The SSL channel is intact end to end; the tampering happens inside the browser, before encryption and after decryption.
  4. Well-known good advice: necessary but not sufficient
     • Strong password
     • Run current antivirus software
     • Stay up to date on patches
     • Two-factor authentication
     • SSL client-side encryption
     MITB malware can intercept the password from the browser directly, or wait till the user is authenticated.
  5. Countermeasures
     • Out-of-band confirmation, e.g. the user might receive an SMS, email or phone call
     • Modify the web page
     • Fraud detection that monitors user behavior
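The out-of-band confirmation countermeasure from slide 5, worked through as an added example that is not part of the presentation: the bank builds its SMS from the transaction it actually received and binds the one-time code to those details, so the user sees the swapped amount and payee from the slide 3 diagram on a device the Trojan cannot reach, and a code approved for one transfer cannot authorise a different one. The key, message format and transaction values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample secret; a real deployment keeps this server-side only.
BANK_KEY = b"bank-side-secret-never-sent-to-the-browser"

def canonical(tx: dict) -> bytes:
    # Fixed field order, so the code is bound to exactly these details.
    return f"{tx['amount']}|{tx['payee']}".encode()

def confirmation_code(tx: dict, nonce: str, key: bytes = BANK_KEY) -> str:
    # The code depends on amount and payee as the BANK received them, plus a
    # per-transaction nonce so a code cannot be replayed later.
    mac = hmac.new(key, nonce.encode() + b"|" + canonical(tx), hashlib.sha256)
    return mac.hexdigest()[:6].upper()

def build_sms(tx_received: dict, key: bytes = BANK_KEY) -> Tuple[str, str]:
    """Bank side: the out-of-band message restates what the bank actually got."""
    nonce = secrets.token_hex(8)
    code = confirmation_code(tx_received, nonce, key)
    text = (f"Transfer of ${tx_received['amount']} to {tx_received['payee']}. "
            f"Reply with code {code} only if this is correct.")
    return text, nonce

def user_checks_sms(sms: str, intended: dict) -> Optional[str]:
    """User side: the phone is outside the infected browser, so the details in
    the SMS are what the bank saw. Return the code only if they match intent."""
    if sms.startswith(f"Transfer of ${intended['amount']} to {intended['payee']}."):
        return sms.split("code ")[1].split(" ")[0]
    return None  # mismatch: the user refuses and reports it

def bank_executes(tx: dict, nonce: str, code: Optional[str],
                  key: bytes = BANK_KEY) -> bool:
    """Bank side: execute only if the code matches THIS transaction's details."""
    if code is None:
        return False
    return hmac.compare_digest(confirmation_code(tx, nonce, key), code)

def simulate(intended: dict, received: dict) -> bool:
    """Return True if the transaction the bank received ends up executed."""
    sms, nonce = build_sms(received)
    code = user_checks_sms(sms, intended)
    return bank_executes(received, nonce, code)
```

The behaviour-monitoring countermeasure on the same slide would sit alongside this: a transfer to a never-seen payee for ten times the user's usual amount is the kind of signal a fraud engine scores independently of the browser session.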
  6. Conclusion
     MIB is a focused, advanced attack on banking. Continuous monitoring and security awareness are required.