New system to combat online banking fraud

April 18, 2013, University of Cambridge
CrontoSign device and image. Credit: Cronto

A security solution which protects against the most serious threat to online banking customers, responsible for millions in annual losses, is being rolled out across Europe by a Cambridge University spin-out.

Developed in with one of Germany's largest banks, the technology devised by Cambridge-based company Cronto is helping protect customers against the threat posed by "Man-in-the-Browser" Trojan .

A is a type of malware which, like its namesake, presents itself as a harmless gift in order to persuade users to install it, appearing as a legitimate . Once installed, gain access to the computer in order to steal information or harm the system.

The solution developed by Cronto protects against Trojan attacks by using a visual channel to transfer data securely from the bank to the customer. It allows the bank to generate a pattern of coloured dots – a proprietary two-dimensional barcode containing the data which the bank is trying to send to the customer, which is decoded by the customer using Cronto's or standalone hardware device. The company's technology provides a secure "envelope" around the data so that it can be displayed to the customer on a trusted display for verification in any environment over any unsecured channel. The Trojan can see the image being sent by the bank, but cannot change the secure data inside.

Trojan attacks are prevalent and growing. McAfee identified more than 1.5 million different Trojan malware variations in 2012, with websites a popular target. Trojans are especially dangerous as they control both what the bank receives from the customer and what the customer sees in their browser – a type of attack known as Man-in-the-Browser.

In an example of a Man-in-the-Browser attack, a customer may log on to their account on a real banking website and initiate a transfer to another account. The Trojan will detect this activity and will both increase the amount of the transfer and change the destination account number to that of the fraudster. Once the bank confirms that the transfer has occurred, the malware will change what is displayed to the customer, making them think that their desired transaction has been carried out. Effectively, the malware can freely alter the web page as it is displayed to the customer, and modify the requests sent back to the bank, so neither can detect that the fraud is taking place.

Trojan attacks of this type can cause customers to lose millions: in 2012, a single Trojan attack known as "Eurograbber" was discovered to have illicitly transferred over €36 million from unsuspecting banking customers. "Man-in-the-Browser attacks in combination with social engineering techniques are the most present and active threat to online banking," says Dr Elena Punskaya, Affiliated University Lecturer in the Department of Engineering and Co-founder and Chief Technology Officer at Cambridge-based company Cronto. "A combination of the malware and social engineering allows fraudsters to build a plausible story in order to initiate and hide the fraudulent payments."

According to Igor Drokov, Cronto's CEO, security in the world of online banking has to go beyond identifying who a customer is, whether via a password, the street they grew up on or the name of their pet goldfish.

"That's not enough," he says. "To combat the level of sophistication poised by Trojan malware, the bank also needs to verify the action that the customer is trying to perform, whether it's a purchase, a transfer or a change of address."

Cronto's aim was to produce a solution that was easy to use for millions of customers, but robust enough to meet the security challenges faced by banks. Dr Punskaya, a specialist in advanced machine learning algorithms and statistical data analysis, developed a new unique visual symbology optimised for secure, fast and reliable data transfer.

The 2D barcode which the team developed allows the bank to securely transfer a message of over 100 characters that is decoded by the company's application or hardware device in fractions of a second. The specific features of the image have been developed by testing machine learning algorithms on large datasets of images captured in different conditions.

Using the application or hardware device, the customer scans the image. Providing the security conditions are met, the customer will see the message from their bank, which is typically asking them to confirm the action they are attempting to perform, highlighting any aspects of the transaction which are out of the ordinary. To confirm the transaction, the customer simply uses a six-digit code, generated by the app or device, and enters it into their browser. The code acts as the customer's signature for this specific instruction, and once received and validated by the bank, completes the transaction.

The technology can be used in any environment and is highly adaptable, as it gives the banks the ability to change the message they wish their customers to see, whether in response to an emerging security threat, or simply to allow the to perform a different type of transaction.

Dr Steven Murdoch, a member of the Security Group at the University Computer Laboratory and Cronto's Chief Security Architect, designed and developed a new transaction signing solution able to withstand both attacks from criminals and the reality of industry.

Working together with banks, in particular Germany's Commerzbank, Dr Murdoch and the Cronto team implemented a state-of-the-art security protocol that has been adopted by leading banks in Germany and Switzerland, having successfully passed their internal and external security evaluations.

While Cronto is currently focused on the online banking sector, the team also sees commercial possibilities for their technology in e-commerce, peer-to-peer online payments, or any other application where there is a need to create a trusted connection between two parties.

Explore further: Human error puts online banking security at risk

Related Stories

Human error puts online banking security at risk

November 7, 2007

Using an SMS password as an added security measure for internet banking is no guarantee your money is safe, according to a new Queensland University of Technology study which reveals online customers are not protecting their ...

Bogus training offer opens hacker doors to bank accounts

February 5, 2012

( -- Mischief-making hackers, always willing to try clever ways to bypass advanced security safeguards, have figured out a way to make off like bandits, literally. According to a BBC report, the exploit first ...

Students develop secure new procedure for online banking

March 6, 2013

Researchers and students from the University of Tübingen, working with GFT Technologies AG, have developed a new process to make online banking more secure. Their software is being presented this week at the CeBIT computer ...

New Internet ID Card Prevents Online Fraud

March 31, 2008

Times are getting hard for anyone trying to get away with online fraud. That’s because Siemens, in cooperation with a partner company, has developed an Internet ID card the size of an ATM card that enables users to provide ...

Recommended for you

Researchers find tweeting in cities lower than expected

February 20, 2018

Studying data from Twitter, University of Illinois researchers found that less people tweet per capita from larger cities than in smaller ones, indicating an unexpected trend that has implications in understanding urban pace ...

Augmented reality takes 3-D printing to next level

February 20, 2018

Cornell researchers are taking 3-D printing and 3-D modeling to a new level by using augmented reality (AR) to allow designers to design in physical space while a robotic arm rapidly prints the work.


Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Apr 18, 2013
How is online banking fraud a threat to customers? Banks usually have to return the stolen amount even if it's not recovered. I understand it's a threat to banks but trying to make extra security seem like it's for the good of the customers is just cheap.
not rated yet Apr 18, 2013
How is online banking fraud a threat to customers? Banks usually have to return the stolen amount even if it's not recovered.

The bank still loses the money - which it gets back fom insurance companies.
However, more fraud mean higher insurance premiums for the banks which in turn are handed down to the customer via bigger overdraft charges/lower interest on savings/etc.

The banks come out of this with no loss either way. Only the customers get shafted no matter what (as usual).

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.