November 24, 2022

How to Prevent Replay Attacks

A replay attack is a simple yet highly effective network hacking technique that has been surging since the pandemic. As the world has increasingly gone remote, cybercriminals have been rubbing their grubby little mitts together.

In a replay attack, hackers gain access to a network in order to eavesdrop and intercept your internet traffic. This gives them the ability to gain access to your online profiles, accounts, and much more.

Without the necessary security systems in place, replay attacks are almost impossible to detect until it's too late. Since many businesses' security systems are not fit for the work-from-home model and online shopping has become even more prevalent, the opportunity for replay attacks has increased exponentially.

The first step in replay attack prevention is to know what it is you're dealing with. So, let's get started.


What is a replay attack?

A replay attack is a form of “man-in-the-middle” network attack. Also known as a repeat or playback attack, it is where a cybercriminal gains access to a network, sniffs the data packets being sent over it, intercepts them, and resends (replays) them under the guise of an authentic message.

Attackers will normally target personnel with elevated privileges, such as CEOs, or go after new IT administrators. Replay attacks can also be used to access server-based platforms or front-end onsite platforms.

There are usually four steps to a replay attack:

Step 1: Gain access to a network, either through installing malware on a victim's device or setting up a fake hotspot.

Step 2: Eavesdropping on the network to determine the types of communications and data sharing that take place. They will be particularly interested in login credentials, passwords, or financial requests.

Step 3: The bad actor will then intercept legitimate user information.

Step 4: Finally, the hacker will fraudulently “replay” or resend the information to fool the receiver into believing the hacker is a genuine user.

Another common form of replay attack focuses on a person's internet session.

Known as a session replay attack, this is when a hacker steals a session ID and reuses it to spoof the target system into believing they are the authorized user. By doing this, they gain access to all of the system privileges of the session ID's original owner.

So now you know what a replay attack is, the next question is: What damage can it do?

What are the consequences of a replay attack?

The problem with replay attacks is that a hacker doesn't need to be particularly advanced or technically savvy in order to pull them off. They don't need to be able to decrypt any of the data packets. This makes the likelihood of replay attacks happening high, and their impact severe. This is also why replay attack prevention is key, but we'll get to that soon.

Let's see what can happen.

Replay attackers gain access to your network

With access to your network, a cybercriminal can hijack the data of anyone connected to the network. If they wanted, they could also cripple that network or implement ransomware across the network but usually, in the case of a replay attack, that's not their motivation. Instead, they want to intercept sensitive information which they can use for their financial gain.

Confidential information intercepted by unauthorized parties

With more business meetings happening online, it's more and more common for transcripts and important and confidential files to be shared over the internet. A replay attack can easily intercept or manipulate sensitive data and cause reputation or financial damage to a company.

Identity fraud

Identity fraud is when your stolen personal details are used in criminal activity to obtain goods or services by deception. This might be to open a bank account, obtain loans or credit cards, make purchases, or conduct an account takeover attack.

In terms of a replay attack, an attacker may intercept a purchase transaction and “replay” or duplicate the original order with only one change: the delivery address.

Since many e-commerce sites allow you to change the delivery address, this won't necessarily be flagged as a suspicious transaction. This way, the hacker can get whatever was in the original order with the original customer footing the bill.

A replay attack can also be used to create fake users, for example, sending “new” employee details to HR or administrative staff to process access cards to onsite premises or grant access to online systems.

Show me a replay attack example

Ok, sure. The best way to truly understand all of this is to look at some replay attack examples. Here are three scenarios to help get your head around it.

Replay attack example #1

John is completing an online purchase for his new office. He receives and pays an invoice from Jane's office furniture for $10,000 via PayPal. A cybercriminal has been lurking on the network and decides to replicate this transaction, replacing Jane's PayPal email with their own. John's account is charged another $10,000 and the replay attacker withdraws the cash. John won't know anything has happened until he next looks at his PayPal account.

Replay attack example #2

An employee working remotely uses their company email to transfer confidential files regarding a possible merger with a large competitor. The email and its private contents are intercepted by a cybercriminal who leaks the data on a public forum or sells them to an interested third party. These actions can cause the merger to fall through completely or be rushed through with huge financial ramifications for the company.

Replay attack example #3

Suzy wants to buy new frames for her art business, so she goes online to a popular framing store. She adds what she wants to the cart, enters all the relevant information including billing, delivery address, and credit card details, and hits submit. She gets a confirmation of the purchase and all is well.

But as the data is transmitted from her server to the online store's server, an attacker captures the information. They duplicate the order, changing only the delivery address. When Suzy finally gets her credit card bill she discovers the double order. The attacker has some lovely frames for free that they can resell or use and Suzy has the headache of calling her bank.

Replay attack prevention

It is particularly difficult to mitigate replay attacks for the simple reason that they look like legitimate messages. However, there are certain measures you can take to maximise replay attack prevention.

Timestamping

By adding timestamps to data packets, you attach unique data that specifies exactly when that packet was sent. The network server can be set to ignore data packets with timestamps outside of a set time range. This replay attack prevention method stops hackers from reusing data packets outside of a certain (and preferably short) time window.

Session IDs

We know that hackers can steal session IDs for replay attacks, but using them still adds an extra layer of authentication. Anything that comes between the hackers and your network is worth implementing, even if it just makes their task more difficult.

TLS/SSL certificates

Implement network communications security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). This encrypts your communications using public-key cryptography and reduces an attacker's ability to sniff out data packets.

One-Time Passwords (OTP)

You can choose to protect every packet exchange with a one-time password (OTP). Since each password is only good for one data packet, even if hackers manage to steal one, they can't reuse it. This is a common replay attack prevention method used by institutions where data security is crucial, like banks.
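The timestamping and one-time-value checks described above can be combined on the receiving side. The following is an added example, not code from the original article: it assumes a pre-shared key, a 30-second acceptance window, and a one-time nonce standing in for the per-packet one-time password; `sign`, `ReplayGuard` and the sample order are hypothetical names and constructed data.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: key shared by sender and receiver
MAX_SKEW = 30                         # assumption: acceptance window in seconds


def sign(body: bytes, timestamp: int, nonce: str, key: bytes = SECRET_KEY) -> str:
    """Sender: MAC over timestamp, nonce and body so none can be altered."""
    msg = f"{timestamp}\n{nonce}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Receiver: accept each authentic message at most once."""

    def __init__(self, key: bytes = SECRET_KEY, max_skew: int = MAX_SKEW):
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, body, timestamp, nonce, tag, now=None) -> str:
        now = int(time.time()) if now is None else now
        # 1. Authenticity: a changed body, timestamp or nonce breaks the MAC.
        if not hmac.compare_digest(sign(body, timestamp, nonce, self.key), tag):
            return "bad_signature"
        # 2. Timestamp window: ignore messages outside the allowed range.
        if abs(now - timestamp) > self.max_skew:
            return "stale_timestamp"
        # 3. One-time value: forget expired nonces, then refuse any seen one.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = timestamp + self.max_skew
        return "accepted"


def demo():
    """Constructed sample: one order, then three attempts to reuse it."""
    guard, t0 = ReplayGuard(), 1_700_000_000
    body = b'{"order": 1017, "ship_to": "12 Constructed St"}'
    tag = sign(body, t0, "n-001")
    altered = body.replace(b"12 Constructed", b"99 Other")
    return [
        guard.verify(body, t0, "n-001", tag, now=t0 + 2),     # first delivery
        guard.verify(body, t0, "n-001", tag, now=t0 + 5),     # captured copy resent
        guard.verify(altered, t0, "n-001", tag, now=t0 + 5),  # address changed
        guard.verify(body, t0, "n-001", tag, now=t0 + 300),   # resent after window
    ]
```

Because a nonce only has to be remembered for as long as its timestamp is still acceptable, a short window also keeps the receiver's nonce store small.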

Enable two-factor authentication

A password is not enough to deter a determined cybercriminal. Whether it's at work or on your personal accounts, it's a good idea to use two-factor authentication (2FA). It adds an extra layer of protection, as you have to authenticate using either a different device, an app, a token, or a code.

Avoid HTTP websites

Most websites use HTTPS, a security protocol that shows that the data traveling between the user and the server is encrypted. But there are still some websites using unsecured HTTP. If you see this in the address bar, don't input passwords, credit card numbers, or any other sensitive data, as they will be pretty much plain to see to a hacker. It's a simple replay attack prevention technique that could save you from a whole world of trouble.

Delete cookies and install network updates

Cookies can store authentication data, personalization details, or session management information which is why you should delete them regularly. It's also important to regularly update your networks to ensure any security holes are patched.

Of course, replay attacks aren't the only cyber threat out there. Read more on the Hoody Privacy Hub: Are You Aware of the Most Common Phishing Attacks?

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
