How Man-in-the-Middle Attacks Can Be Thwarted with Behavioral Biometrics

September 20, 2022

How certain are you that what you type on your computer is only seen by the person you send it to? When talking to a friend or a colleague, it is easy to make sure that no one else in the room can overhear your conversation. Can the same be said about digital communication? Unfortunately, the answer to this question is “no”. One of the most common forms of digital eavesdropping is the man-in-the-middle attack (MITM).

MITM attacks are far from being a new threat; however, they manage to stay relevant because the techniques behind them keep evolving. They are now nearly undetectable, having evolved enough to bypass security measures such as multi-factor authentication (MFA). Man-in-the-middle cyberattacks often employ social engineering tactics like phishing or smishing, as well as malware. What makes these attacks so successful is that they remain completely invisible to the victim until the damage is done and it’s too late to do anything about it.

Phishing, so often used in the MITM attacks, has remained one of the top action varieties in security breaches for the last two years, rising by 25% from 2020 to 2021 according to Verizon’s 2021 Data Breach Investigations Report. Credentials and personal information are the most sought-after theft targets, being used in financial and other types of fraud, and have a high resale value. In 2021, fraud losses caused by criminals illegally using victims’ information to steal money increased by 79% from the previous year.

How It Works

So, what is a man-in-the-middle attack? An MITM attack involves three parties:

  • The victim
  • The entity with which the victim is trying to communicate
  • The “man in the middle” intercepting this communication

In a typical scenario, the victim receives an email message containing a link. Clicking on the link takes the victim to a legitimate-looking website, such as a bank login page, where they are prompted to enter their credentials. What the victim doesn’t know is that the threat actor has already inserted themselves into the communication between them and the website and can now control it, either by modifying the information each party receives or simply by copying all the data exchanged.

An unprotected Wi-Fi hotspot or a poorly secured internet router can also serve as a way in for attackers. Exploiting these weaknesses allows criminals to intercept your communication with other people or with web applications. In some cases, the criminals only collect sensitive information, either to sell it on the dark web or to use it in a later attack. In other cases, they modify the data you send or receive. For example, your friend owes you money and asks for your account number in order to pay you back. The man in the middle intercepts your message and swaps your account number for their own. As a result, you don’t get your money back, and your friend has sent the money to the fraudster.

A third way in which the attacker may get to your data is called a man-in-the-browser (MITB) attack. This method uses a phishing email as well, but the link in the email leads to a malware download instead of a spoofed page. Social engineering tactics create a sense of urgency that pushes the victim to follow the link or open the malicious attachment. Once the user’s device is infected, the malware installs itself in the browser and records the data exchanged between the victim and certain websites, such as those of financial institutions. This data is then sent to the criminal actor.

Whether the goal is espionage, financial gain, or simply a desire to be disruptive, the MITM attacks can cause a lot of damage not only to individuals but to organizations as well. One criminal group operating in Europe managed to steal €6m in fraud money by intercepting company emails containing payment requests and tricking the recipients into sending money to the bank accounts controlled by the criminal organization.

How Behavioral Biometrics Halts the MITM Attacks

As mentioned earlier, MITM and MITB attacks are notoriously difficult to detect. Because the authorization step is performed by the genuine user on their usual device, traditional security measures can be completely bypassed. Through continuous authentication, it is possible to confirm the user’s identity throughout the whole session, from start to finish, not just at login. Constantly evaluating the incoming behavioral data and matching it against the profile on file makes it possible to spot deviations in the user’s behavior immediately.

Instead of depending on static information, one-time checks at login, and easily spoofed signals, behavioral biometrics observes and analyzes all activity throughout a user session, detecting both negative and positive behavior. As MITB and MITM attacks often rely on automation tools such as malware or credential-harvesting tools, they are readily identified by behavioral biometrics: the patterns of human behavior are very different from the robotic patterns that automation tools leave behind. The way behavioral biometrics detects MITM and MITB attacks is similar to the way it detects banking trojans, which we will talk about in our next blog.

Imagine a scenario where the fraudster is monitoring the victim’s banking sessions. This fraudster does not interfere until the victim is attempting a money transfer, so the login data looks normal. Once the victim is trying to make a transfer, the fraudster steps in and changes the destination account number or the amount. Attacks like that can be on a much bigger scale when not just individuals, but whole organizations are involved. By intercepting business communications and modifying responses, threat actors manage to rob companies of enormous sums of money leading to devastating consequences for the businesses. Behavior-based security measures can detect the third party’s interference and prevent the money from ever leaving the victim’s account.
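The two ideas above, human versus robotic timing patterns and step-by-step evaluation of a session rather than a one-off login check, can be illustrated with a small keystroke-dynamics scorer. This is an added example, not code from the original post or from any vendor product; the enrolment profile, thresholds, and session data are constructed for the illustration.

```python
"""Continuous keystroke-timing scoring across the steps of a banking session (added example)."""
from statistics import mean, pstdev

# Constructed enrolment profile: the genuine user's typical inter-keystroke interval in ms.
# A real product learns many more features; a single mean/std pair is an assumption here.
PROFILE = {"mean_ms": 180.0, "std_ms": 45.0}

# Thresholds are assumptions chosen for this illustration, not product settings.
MAX_Z = 3.0    # how far a step's mean interval may drift from the enrolled mean (in std units)
MIN_CV = 0.10  # below this coefficient of variation, timing is too uniform to be human


def score_step(intervals_ms, profile=PROFILE):
    """Return (verdict, reason) for one step of the session.

    Humans produce jittery intervals clustered near their enrolled mean; an injected
    script or form-filler produces near-constant, very short intervals.
    """
    if len(intervals_ms) < 4:
        return "insufficient", "too few keystrokes to evaluate"
    m, sd = mean(intervals_ms), pstdev(intervals_ms)
    cv = sd / m if m else 0.0
    z = abs(m - profile["mean_ms"]) / profile["std_ms"]
    if cv < MIN_CV:
        return "automation", f"uniform timing (cv={cv:.2f})"
    if z > MAX_Z:
        return "mismatch", f"mean interval {m:.0f} ms is {z:.1f} sd from profile"
    return "genuine", f"z={z:.1f}, cv={cv:.2f}"


def evaluate_session(steps, profile=PROFILE):
    """Score every step; report the first step at which the session should be held."""
    results = {name: score_step(iv, profile) for name, iv in steps}
    hold_at = next((n for n, (v, _) in results.items() if v in ("automation", "mismatch")), None)
    return results, hold_at


# Constructed session: login and navigation typed by the genuine user, then the
# transfer form's account number filled by an injected script at a fixed 8 ms cadence.
SESSION = [
    ("login", [170, 220, 150, 195, 240, 165, 210, 140]),
    ("navigate", [200, 140, 240, 175, 160, 225]),
    ("transfer_account_number", [8, 8, 8, 8, 8, 8, 8, 8, 8, 8]),
]

if __name__ == "__main__":
    results, hold_at = evaluate_session(SESSION)
    for name, (verdict, reason) in results.items():
        print(f"{name:25s} {verdict:12s} {reason}")
    print("hold session at:", hold_at)
```

The login step passes, so a login-only check would let the session through; the per-step scoring is what catches the transfer being filled in by a machine.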

When criminals use stolen credentials to access victims’ accounts, behavioral biometrics can detect that the wrong person is logging in. However, as the examples above show, simply making sure that the correct user logs in is not enough to guarantee risk-free transactions. By providing continuous protection throughout the whole user journey, behavioral biometrics makes sure the wrong person is not allowed to proceed with fraudulent transactions and cause damage. What’s more, users don’t have to jump through any additional hoops to get that level of security.

Besides ensuring the authenticity of identities and accounts and preventing fraud, behavioral biometrics does so without creating user friction, and it allows businesses to cut operational costs by drastically reducing the number of false positives. If you would like to learn more about behavioral biometrics and how it can help your business thrive, we are just two clicks away.