Since the beginning of time scammers have been developing new and innovative ways to fool victims into giving away their secrets.  In today’s electronically-enabled world those scammers have gone high-tech.  One of the more surreptitious ways to electronically capture your private information is a man-in-the-middle attack.  In this article, I’ll attempt to explain in layman’s terms how the attack works, what you can do to detect an attack, and how to prevent an attacker from getting your personal information. 

A man-in-the-middle attack works a little like a high-tech version of the children’s game telephone.  Jane wants to whisper a message to Sarah, but instead of speaking directly to Sarah, she whispers the message to Bob who in turn whispers it to Sarah.  The communication from Sarah back to Jane also goes through Bob.  The difference with the man-in-the-middle attack is that if Bob is successful, neither Jane nor Sarah knows that Bob is in the middle relaying their communications. 

Here is how a typical attack works in the real world.  Jane is using a public Wi-Fi network in a coffee shop, and Bob is sitting quietly behind a laptop at another table attempting to intercept communications on the Wi-Fi network.  When Jane turns her laptop on, Bob uses his laptop to tell Jane’s that his computer is the Internet router.  He in turn tells the Internet router that his computer is Jane’s laptop.  Once Bob has completed this process (called ARP poisoning, because it plants false address information in both machines’ ARP tables), he is able to intercept all the network traffic between Jane’s laptop and Facebook.  Jane is completely unaware that her communications are being routed through Bob’s laptop. 
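The two false claims Bob makes (“I am the router” to Jane, “I am Jane” to the router) leave a visible trace in ARP traffic. The following is an added example, not code from the original article: a small monitor that replays constructed ARP replies and flags the gateway’s address changing and one MAC address answering for more than one IP. All addresses are hypothetical.

```python
# Added example: detecting the ARP poisoning step described above.
# Replays constructed ARP replies ("sender_ip is at sender_mac") the way a
# monitor on the coffee-shop Wi-Fi would see them and raises alerts for the
# two symptoms of the attack: the gateway's MAC changing, and one MAC
# claiming several IP addresses at once (Bob posing as router and as Jane).
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    gateway_ip: str
    pinned: dict = field(default_factory=dict)   # ip -> first MAC seen for it
    alerts: list = field(default_factory=list)

    def _alert(self, *details) -> None:
        if details not in self.alerts:          # report each finding once
            self.alerts.append(details)

    def observe(self, sender_ip: str, sender_mac: str) -> None:
        """Process one ARP reply and update the pinned ip->mac table."""
        sender_mac = sender_mac.lower()
        known = self.pinned.get(sender_ip)
        if known is None:
            self.pinned[sender_ip] = sender_mac
        elif known != sender_mac:
            kind = ("gateway-mac-changed" if sender_ip == self.gateway_ip
                    else "ip-mac-changed")
            self._alert(kind, sender_ip, known, sender_mac)
            self.pinned[sender_ip] = sender_mac  # remember the latest claim
        # One MAC answering for several IPs is the signature of the relay.
        claimed = tuple(sorted(ip for ip, mac in self.pinned.items()
                               if mac == sender_mac))
        if len(claimed) > 1:
            self._alert("mac-claims-multiple-ips", sender_mac, claimed)


def run_sample() -> list:
    """Constructed sample traffic (hypothetical addresses, not from the article)."""
    m = ArpMonitor(gateway_ip="192.168.1.1")
    m.observe("192.168.1.1", "aa:aa:aa:aa:aa:01")    # router announces itself
    m.observe("192.168.1.50", "aa:aa:aa:aa:aa:50")   # Jane's laptop
    m.observe("192.168.1.1", "bb:bb:bb:bb:bb:bb")    # Bob: "I am the router"
    m.observe("192.168.1.50", "bb:bb:bb:bb:bb:bb")   # Bob: "I am Jane"
    return m.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A real deployment would feed `observe` from captured ARP frames (for example from a packet-capture tool) and pin the gateway’s MAC from a trusted source rather than from the first reply seen.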

Jane notices that her connection to Facebook seems a little slow, but that happens sometimes, so she just ignores it.  At the facebook.com website, she is prompted to log in.  She types her username and password and clicks the Login button.  After clicking Login, her browser shows a message like the one below. 

I need to take a little detour here to explain SSL/TLS certificates.  To facilitate security on the Internet, websites use either SSL or TLS encryption.  Anyone can encrypt their Internet connections, so there is no real security unless a trusted third party verifies that the participants in the conversation are really who they say they are.  This is where SSL/TLS certificates come in. 

Website owners petition a well-known company like Verisign or GoDaddy to verify their identity and issue a certificate they can use to show their patrons that they are the real deal.  Browsers can detect forged certificates, and when they do they will display a message like the one above. 

Now back to our story about Jane, Bob, and Facebook.  Jane’s Internet connection seemed slow because when Bob intercepts the traffic, it slows down the connection; however, Jane was right that sometimes Internet access from public Wi-Fi hotspots is slow.  The one and only definitive indication that someone was intercepting Jane’s communication was the warning her browser gave her. 

Unfortunately, Jane had seen a message like this one before, and she chose to “Continue to this website”.  At that time, Bob was able to not only see all of Jane’s private information on Facebook, but he also captured her Facebook password.  He can now log in to Facebook as Jane any time he likes, and she may never know he’s doing it. 

How easy is it?

All of the tools to do the attack are freely downloadable, and tutorials on how to perform a man-in-the-middle attack are available online.  I’ve even seen a magazine article with step-by-step instructions at the local bookstore.  This type of attack has become popular among college students who think it’s entertaining to spy on unsuspecting Internet users. 

How do I prevent it?

In this case Jane could have prevented the attack by heeding the warning in her browser.  Facebook also has some security options she could turn on that are turned off by default.  The most important of these settings is “Browse Facebook on a secure connection (https) whenever possible.”  I recommend you always have this option turned on.  You can find it under Account / Account Settings / Account Security. 

For more sensitive Internet traffic like financial transactions, it becomes even more important to heed any certificate warnings in your browser.  When you want a secure connection to a website, make sure your browser’s location bar displays “https://” at the beginning of the address.  Most browsers will also display a padlock when using a secure connection.  For more extreme security, simply don’t use public Wi-Fi networks to perform financial transactions. 

More Information from Wikipedia

If you want more nerdy information about the things mentioned here, check out the Wikipedia articles linked below. 
