When someone mentions man-in-the-middle attacks, I will immediately think about security concerns regarding an internet protocol such as TLS. However, recently, I rented a new apartment in a city far away from my previous place. I found the offer for the new apartment online on a popular website and received a positive reply from the landowner. It was time to transfer the deposit and the rent for the first month. Without having ever met the recipient or seen the apartment. Could this be a scam?
This was when I realized that the term man-in-the-middle attack makes sense in real life communications. Consider the following scenario.
There is a veracity offer for the apartment on website A. A scammer could copy the photos of the apartment from website A and use them to offer the apartment himself or herself on website B. If someone replies to the fake offer, for example, to request more photos or a copy of an ID, the scammer could pose as a potential renter on website A and thus redirect the request to the truthful landowner. This is literally what a man in the middle attack is.
Having a phone call with the landowner or receiving a copy of the passport does not prove that you are actually communicating with the person holding the passport.
One way to get a bit of assurance that the person you are communicating with is actually living where he or she claims is sending an old-fashioned, paper-based letter.
Even with hindsight, I don’t know if I was too paranoid or too gullible in that situation. Everything turned out to be fine. Obviously? Luckily? I don’t know. However, this made me think that email signatures and personal certificates should be much more commonplace than they are today. I think digital signatures for private persons, like PGP or PKI certificates, could be a solution in situations like this.