Quiz Entry - updated: 2026.07.14
What are the three typical attack surfaces in E-Banking, and what attack does each represent?
User (social engineering / phishing) → User's browser (man-in-the-browser / malware) → Network (man-in-the-middle / session hijacking).
The path between user and bank server has three weak spots:
| Location | Attack class | What happens |
|---|---|---|
| At the user | Social engineering, phishing | User is tricked into entering credentials on a fake site, or talked into approving a transfer |
| In the browser | Man-in-the-Browser (MitB), malware | Malware running in the user's browser sees everything and can modify pages in real time |
| On the network | Man-in-the-Middle (MITM), session hijacking | Attacker between user and bank intercepts traffic; or steals the session cookie |
What each attack defeats:
- Phishing beats any auth that the user can be tricked into using on a fake site — TOTP gets typed in, mTAN gets typed in. Resists: FIDO2 / WebAuthn (origin-bound).
- MitB beats any auth where the response isn't bound to transaction details — TOTP, mTAN with no transaction binding, session cookies. Resists: transaction signing with details displayed on a separate device (PhotoTAN, chipTAN, Mobile ID).
- MITM is mostly handled by TLS + certificate pinning + HSTS — but if TLS is somehow defeated, transaction signing still protects integrity.
Tip: modern attacks combine all three (e.g. phishing kit → real-time MitB → session hijack). Defence has to assume any single layer can fall.