LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three typical attack surfaces in E-Banking, and what attack does each represent?

User (social engineering / phishing) → User's browser (man-in-the-browser / malware) → Network (man-in-the-middle / session hijacking).

The path between user and bank server has three weak spots:

Location Attack class What happens
At the user Social engineering, phishing User is tricked into entering credentials on a fake site, or talked into approving a transfer
In the browser Man-in-the-Browser (MitB), malware Malware running in the user's browser sees everything and can modify pages in real time
On the network Man-in-the-Middle (MITM), session hijacking Attacker between user and bank intercepts traffic; or steals the session cookie

What each attack defeats:

  • Phishing beats any auth that the user can be tricked into using on a fake site — TOTP gets typed in, mTAN gets typed in. Resists: FIDO2 / WebAuthn (origin-bound).
  • MitB beats any auth where the response isn't bound to transaction details — TOTP, mTAN with no transaction binding, session cookies. Resists: transaction signing with details displayed on a separate device (PhotoTAN, chipTAN, Mobile ID).
  • MITM is mostly handled by TLS + certificate pinning + HSTS — but if TLS is somehow defeated, transaction signing still protects integrity.

Tip: modern attacks combine all three (e.g. phishing kit → real-time MitB → session hijack). Defence has to assume any single layer can fall.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026