What Is a Man in the Middle Attack?

In a man-in-the-middle attack, a malicious user inserts himself between two parties in a communication and impersonates both sides of the exchange. The attacker then intercepts, sends and receives data meant for either user, such as account numbers or passwords.

A typical communication flow occurs between a client and a server. To access your bank account via the bank's website, your computer (the client) sends the required login information to the bank's servers. If the information is correct, the bank sends back verification of the successful login attempt and allows you to access your account. Or, when you make a purchase on Amazon, for instance, that communication takes place between you and Amazon's servers, which in turn creates another interaction between Amazon's server and the financial institution being used to charge your account for the purchase. Man-in-the-middle attacks change this flow of information drastically.

The malicious user establishes a communication relay between a real client and server, and can thus monitor and modify all communication exchanged between the two. Instead of information going directly from a client to the receiving server, that information goes to the malicious user first. That user can alter what information is sent to the server, and vice versa.

For example, the sender may communicate that the receiving bank account should be 123456789, but the man in the middle intercepts that communication and changes the account number. The bank receives the altered account number and, unaware of any foul play, sends the money to that account. The theft goes unnoticed until it is too late.

Other types of similar attacks

The man-in-the-middle attack is considered a form of session hijacking. A session is the activity between a user and a server during a specific period of time. Each time you access your bank account and actively interact with its contents is considered a session. When you log out, that session is effectively ended. Many other attacks rely on session hijacking similar to that seen in a man-in-the-middle attack, including the following:

  • Sniffing. This entails the use of software that intercepts data being sent from or to your device.
  • Sidejacking. This attack involves sniffing data packets being sent between the client and the server to steal session cookies and gain access to your session. These cookies can include unencrypted login information, regardless of whether the site itself is secure.
  • Evil twin. Some malicious users go so far as to create a rogue wireless network that appears to be legitimate. Unknowing users join that network and use it for regular Internet activity, completely unaware that their information is being collected, which makes man-in-the-middle attacks easier.

Typical defenses

On the client end, few defenses exist against these types of attacks. Most protective measures on the server side take the form of strong encryption protocols between the client and the server. For example, a server authenticates itself by presenting a digital certificate, a verification that allows the server and the client to establish an encrypted channel for data exchanges. But this relies largely on the server having these encryption measures in place.

From a client standpoint, the best strategy you can employ is simply never to connect to open wireless routers, or to use browser plugins like HTTPS Everywhere and ForceTLS to force secured connections on sites whenever possible.