Machine in the middle
Jerry Fishenden writes about the thorny problem of "man in the middle attacks":
And there's the problem of inferring human identity across digital networks: compared to the incredibly rich set of cues we use to identify one another in our face-to-face human interaction, identifying cues provided by digital user interfaces remain primitive. Because we can be so easily hoodwinked into thinking that website Y is in fact website X, there's always the possibility that someone will intercept the information we generate in our interactions with the website to impersonate our identity.

It's not only the good side of the Web that reinvents itself of course: it's the dark side too. Every time someone improves security, new attack methods appear.
One of the most current annoyances is what I guess is called "real-time man in the middle". Think about an online bank. To log in to bank websites these days, you need a whole host of different authenticating information: usually things like account number, customer number and some memorable facts and dates. Often you get asked for some random digits from a memorable number - you know, give me the 1st, 4th and 5th digits of your memorable number. The idea is that it makes phishing attacks harder, since a phishing site would not get all of your login data in one go.
Well, that was the thinking. Except now there are phishing sites with real-time scripts talking to the genuine sites behind them. So you get asked to type into the phishing site exactly what the real site is asking for. The phishing site sits between you and the real site, as a real-time man in the middle, capturing your keystrokes and playing them back to the real site as you type. When the real site asks for the 1st, 4th and 5th digits, so does the phishing site: they don't need to get your whole memorable number, just the bits the real site is asking for.
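The exchange described above, modelled as an added example (this is not code from the original post): a toy partial-password verifier of the kind the bank runs, the number of logins a passive phishing page would have to observe before it holds every digit of the memorable number, and the single login a real-time relay needs. The 8-digit memorable number and the rule of asking for 3 positions per login are constructed assumptions.

```python
import random
from typing import Sequence

# Constructed sample: an 8-digit memorable number, 3 positions asked per login.
MEMORABLE_NUMBER = "48291736"
DIGITS_ASKED = 3


class PartialPasswordVerifier:
    """Toy model of the bank's partial-password check.

    It checks only that the digits at the requested positions are right. It checks
    nothing about who typed them or over which connection they arrived, which is
    exactly the gap a real-time relay exploits.
    """

    def __init__(self, secret: str, asked: int, rng: random.Random):
        self._secret = secret
        self._asked = asked
        self._rng = rng

    def challenge(self) -> list[int]:
        # 1-based positions, e.g. [1, 4, 5] for "1st, 4th and 5th".
        return sorted(self._rng.sample(range(1, len(self._secret) + 1), self._asked))

    def verify(self, positions: Sequence[int], answer: str) -> bool:
        return answer == "".join(self._secret[p - 1] for p in positions)


def new_bank(seed: int) -> PartialPasswordVerifier:
    return PartialPasswordVerifier(MEMORABLE_NUMBER, DIGITS_ASKED, random.Random(seed))


def genuine_customer_answer(secret: str, positions: Sequence[int]) -> str:
    # What the real customer types when shown these positions.
    return "".join(secret[p - 1] for p in positions)


def sessions_until_full_recovery(seed: int) -> int:
    """Logins a passive phishing page (one that only records what the victim types
    and never talks to the real bank) must see before it has observed every digit.
    This is the benefit the scheme was designed to deliver."""
    bank, seen, sessions = new_bank(seed), set(), 0
    while len(seen) < len(MEMORABLE_NUMBER):
        seen.update(bank.challenge())
        sessions += 1
    return sessions


def relay_sessions_to_log_in(seed: int) -> int:
    """A real-time relay forwards the bank's positions to the victim and the victim's
    digits back to the bank; the origin-blind verifier accepts on the first login."""
    bank = new_bank(seed)
    positions = bank.challenge()                                   # bank -> relay -> victim
    answer = genuine_customer_answer(MEMORABLE_NUMBER, positions)  # victim -> relay -> bank
    return 1 if bank.verify(positions, answer) else 0
```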
Labels: identity theft, idsoc, man in the middle, phishing