

Ask HN: How do you avoid a literal Man-in-the-Middle attack? - kevinsimper

Hi hackers

I have been wondering about how to avoid the actual man in the middle, not just a person who sniffs your connection, but where another person/machine sends your information through to the real site in REALTIME and is then able to use your account.

Here in Denmark we have a paper keycard that we have to use every time we log on to our bank account. You first write your username and password and the server responds with a number. You have to look that number up on your card and respond back with the answer.

The problem is that some evil hackers have sat there at the same time and just made the user think they were logging in successfully, but the hacker used their info to log in to the bank. The hacker now gets the question for the keycode, but does not have it. The hacker now asks the user, who thinks that he has logged in successfully, and the user then gives the hacker the CORRECT keycode the hacker needs. SUCCESSful hack for the evil hacker.

All he has to do is send a lot of spam and get people to fake websites which look like real websites, and the hacker wins. The user does not think it is a problem because: "I have a keycard, nobody can hack me". That is a BIG problem.

I have thought of a solution:

You could make the machine count seconds, because the hacker has to use double the time that it would normally take to talk with the real server. That way you could tell the user when they may have been compromised, but what if the user has a slow internet connection?

You can not just say "make a program instead of using the browser", because a lot of the time the user who is abused has already been infected by malware and spyware.

It does not help to use SMS as a 2-factor, because the hacker can still sit in the middle and log in for the user, and the user will get the right SMS and send the code to the hacker.

How can we either educate our users to look for certain things like actual response time, or make a solution which does not make it possible for a hacker to do such an attack?

I ask this because several people in Denmark have been hacked this way, after what the Danish government promised to be unbreakable. Everything can be hacked in some way, but the problem is the users think they can't be, and therefore act more stupidly and freely than before, when people were told they would die if they told anybody.

Best regards from Denmark
Kevin Simper
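The following is an added example, not code from the post or from any Danish bank system. It models in memory the two flows the post describes (a user talking straight to the bank, and a user on a look-alike site whose operator forwards every message to the real bank in real time) against two kinds of second step: the paper keycard as described, and a variant in which the client's answer also covers the host name its own connection terminates at. The user name, password, keycard values, device secret and host names are all constructed; the origin-bound variant uses an HMAC with a device secret as a stand-in for a signature with a registered key pair, which is how the public-key approach mentioned later in the thread would be applied in practice.

```python
"""Model of a challenge-response login (paper keycard) under a real-time
relay, next to a variant whose answer is bound to the origin the user's
browser actually connected to. Everything here is in memory; no network
traffic is involved."""
import hashlib
import hmac
import secrets

# Constructed data: one user, a tiny "paper keycard" and a device secret.
USERNAME, PASSWORD = "alice", "correct-horse"
KEYCARD = {17: "4731", 42: "9082", 63: "1157"}   # index -> code on the card
DEVICE_SECRET = b"constructed-device-secret"      # stands in for a key pair

BANK_ORIGIN = "bank.example"            # hypothetical real bank host
PHISH_ORIGIN = "bank-login.example"     # hypothetical look-alike host


def compute_response(index, origin):
    """Client side. With origin=None the answer is just the keycard code,
    which anyone who can show the user the index can ask for. With an origin,
    the answer is an HMAC over (index, code, origin); a real design would sign
    with a private key, HMAC keeps this example standard-library only."""
    code = KEYCARD[index]
    if origin is None:
        return code
    msg = f"{index}:{code}:{origin}".encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()


class Bank:
    """Server side. bound=False models the keycard as described in the post;
    bound=True only accepts an answer computed over the bank's own origin."""

    def __init__(self, bound):
        self.bound = bound
        self.pending = {}  # session token -> challenge index

    def step1(self, username, password):
        if (username, password) != (USERNAME, PASSWORD):
            return None
        token = secrets.token_hex(8)
        self.pending[token] = secrets.choice(list(KEYCARD))
        return token, self.pending[token]

    def step2(self, token, response):
        index = self.pending.pop(token, None)
        if index is None:
            return False
        expected = compute_response(index, BANK_ORIGIN if self.bound else None)
        return hmac.compare_digest(expected, response)


def direct_login(bank):
    """The user talks straight to the bank; the browser is connected to
    BANK_ORIGIN, so that is what the bound answer covers."""
    token, index = bank.step1(USERNAME, PASSWORD)
    resp = compute_response(index, BANK_ORIGIN if bank.bound else None)
    return bank.step2(token, resp)


def relayed_login(bank):
    """The scenario from the post: the user is on the look-alike site, whose
    operator forwards the credentials, shows the real challenge to the user
    and forwards the user's answer. The browser is connected to PHISH_ORIGIN,
    so a bound answer covers that host name, not the bank's."""
    token, index = bank.step1(USERNAME, PASSWORD)          # forwarded creds
    resp = compute_response(index, PHISH_ORIGIN if bank.bound else None)
    return bank.step2(token, resp)                          # forwarded answer


def run():
    """Outcome of each flow; True means the real bank accepted the login."""
    return {
        "keycard_direct": direct_login(Bank(bound=False)),
        "keycard_relayed": relayed_login(Bank(bound=False)),
        "bound_direct": direct_login(Bank(bound=True)),
        "bound_relayed": relayed_login(Bank(bound=True)),
    }


if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The keycard answer verifies whether or not it was relayed, because nothing in it says which site the user was looking at; the bound answer is rejected when relayed because the look-alike host name is baked into it and the bank expects its own. This closes only the relay path the post describes: it does nothing against malware already running on the user's machine, which the post also raises, since such malware can use the device secret (or key) directly.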
======
Sambdala
Offtopic, but the Denmark 'paper keycard' is an incredibly ass-backwards
system.

All our customers from Denmark have to use their card to use our software, and
I can't believe something like this exists in 2012, or ever, really.

~~~
kevinsimper
Use your software? What has your company made? I just thought that it was
only a Danish system that was made with it. I know you can apply for an API, but
did not know of any program outside Denmark yet.

Yes, you are totally right, it is kind of stupid, but what system can you make that
a whole nation can understand, from the 18 year olds to the 80 year olds?

~~~
Sambdala
We do use software to manage it, but that doesn't mean the concept itself
isn't misguided.

------
Ralith
<http://en.wikipedia.org/wiki/Public-key_cryptography>

~~~
kevinsimper
Thank you for that information, I will about that.

But how does that help against the hacker just repeating your information to
the server? Just as proxy?

I can not how the public key works in that favor?

EDIT: Before the paper card we had a key computer file that we had to find and
load every time we wanted to use the bank online. I think that is what you are
linking to, but the government must somehow have thought that the paper card was
better? I do not know why?

~~~
n3x
youtube.com/watch?v=3QnD2c4Xovk

You can't just proxy it. The attacker can force his own certificate, but as
previously said, SSL EV should solve it by making the user aware something is
wrong in the address bar.

------
wmf
SSL EV certs are supposed to solve this. The address bar should be
significantly different on the MITM site.

