both simultaneously, and that you are allowed to play
White in one game, and Black in the other.
All you do is wait for your White opponent to move. Then
make this move against your Black opponent. When the Black
opponent responds, repeat this move against the White player.
The two Grandmasters are effectively playing each other. You,
the man-in-the-middle, are simply relaying moves between
them, although you are turning these moves into what looks
like two separate games.
A similar principle applies with a man-in-the-middle trojan.
The idea is simple, though the implementation may be
complex. The trojan waits for you to begin what you believe
to be a transaction with the bank, though you are in fact
transacting with the trojan. This means that you mistakenly
authenticate against the trojan, and the trojan uses the
information you supply – including the one-time password
you carefully type in from your token – to authenticate itself
with the bank.
The trojan is then free (at least within certain parameters) to
alter various aspects of the transaction, such as the amount,
the destination account, or any other details of its choosing.
Q. Are there already Trojans which can carry out this sort of
attack?
A. Not yet. The main reason is almost certainly that token
authentication is not very common in the Internet banking
world. This is partly because the expense and complexity of
introducing it to every customer is unappealing to the banks,
and partly because the need to carry and use a token is still
unpopular with many customers. So there has been little
Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24