Addressing Man in the Middle Attacks

One of our customers pointed out this interesting article to me today:

ABN Amro compensates victims of 'man-in-the-middle' attack

It shows why key fobs are really only part of the answer, and only to one part of the problem.

It worries me that the executive board member states: "If the user sticks to the rules, Internet banking is a very safe, fast and easy way to bank"

I don't know what types of users there are in the Netherlands, but users invariably tend to use any system in a way it was never intended. In this scenario transport security alone (TLS between the browser and the bank) is not enough: message security is required as well, at both client and server, so that the transaction the user approves is the transaction the bank executes, which is what actually preserves confidentiality, privacy and integrity.
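To make the message-versus-transport point concrete, here is an added example (not code from the original post or from any bank): a one-time code that depends only on the token's secret and a counter can be relayed unchanged by a man in the middle while the transaction behind it is rewritten, whereas a code that also commits to the payee and amount the user saw cannot. The secret, counter, payee names and amounts are constructed for the illustration, and the HMAC-based code derivation is an assumed design, not a description of any particular token product.

```python
import hmac
import hashlib
import json

# Constructed shared secret between the customer's token and the bank's server.
TOKEN_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def plain_otp(secret: bytes, counter: int) -> str:
    """Event-based one-time code: depends only on the secret and a counter.
    It proves the token is present, but says nothing about *what* is being approved."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Message-level integrity: the code commits to the transaction details the
    customer read off the screen (or typed into the token) before approving."""
    msg = json.dumps({"c": counter, "p": payee, "a": amount_cents}, sort_keys=True).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def server_accepts_plain(secret: bytes, counter: int, submitted: str) -> bool:
    # constant-time comparison so the check itself does not leak the code
    return hmac.compare_digest(plain_otp(secret, counter), submitted)


def server_accepts_bound(secret: bytes, counter: int, payee: str,
                         amount_cents: int, submitted: str) -> bool:
    # The server recomputes the code over the transaction it is about to execute,
    # so any change to payee or amount in transit invalidates the code.
    return hmac.compare_digest(transaction_code(secret, counter, payee, amount_cents), submitted)


def mitm_scenario():
    """Customer intends to pay a constructed payee 25.00; the man in the middle,
    who already proxies the customer's session over his own TLS connection,
    forwards the code unchanged but substitutes his own payee and amount."""
    counter = 42
    intended = ("NL-Bakery", 2500)
    altered = ("NL-Mule-Account", 500000)

    # Case 1: transport security only. The bank sees a valid session, a valid
    # code and the attacker's transaction; it cannot tell anything is wrong.
    otp = plain_otp(TOKEN_SECRET, counter)
    plain_accepted = server_accepts_plain(TOKEN_SECRET, counter, otp)

    # Case 2: the token computed the code over what the customer actually approved.
    code = transaction_code(TOKEN_SECRET, counter, *intended)
    bound_legit = server_accepts_bound(TOKEN_SECRET, counter, *intended, code)
    bound_altered = server_accepts_bound(TOKEN_SECRET, counter, *altered, code)
    return plain_accepted, bound_legit, bound_altered


if __name__ == "__main__":
    print(mitm_scenario())  # (True, True, False)
```

The point of the example is not the HMAC itself but what goes into it: only when the code is bound to the message (payee, amount, and a counter to stop replay) does the bank's check protect the customer from a relayed session. The six-digit truncation keeps the code typeable but makes it guessable with enough attempts, so a real deployment also needs rate limiting on failed codes.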

If you visit the Microsoft Security Center there are some great free tools, videos and resources to help add security as part of the whole development lifecycle:

Threat modelling is a key tool for identifying threats (and countermeasures for man in the middle amongst others) as part of a holistic Security Development Lifecycle (SDL).

The patterns & practices group publishes good security guidance here (they use the term "Session Hijacking"):

Locally, Microsoft has a specialist security team (part of the global ACE Team). Rocky Heckman (Senior Security Technologist with the ACE Services Team) runs workshops on how the tools can be used and applied to existing and new development practices.

An oldie but a goodie: there is also an article on the key message for applications, Secure by design