Man-in-the-Browser (MitB), a form of Internet threat related to Man-in-the-Middle (MitM), is a trojan that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter a MitB attack is by utilising transaction verification.
The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., and is therefore virtually undetectable to virus scanning software.
One of the most effective methods in combating a MitB attack is through an out-of-band Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call. OOB Transaction Verification is ideal for mass market use since it leverages devices already in the public domain (e.g. Landline, Cell Phone, etc) and requires no additional hardware devices yet enables Three Factor Authentication (utilising Voice Biometrics), Transaction Signing (to non-repudiation level) and Transaction Verification.