German banks buy into malware protection from Cambridge University spin-out

24 Apr 2013 | News
Online banking provides huge convenience for customers and lower costs for banks. But – inevitably – it is also a lucrative target for cybercriminals. Commerzbank and comdirect are turning to novel barcode technology from Cronto to avert this threat.

Cambridge University spin-out Cronto Ltd has translated research carried out at the engineering department into software for protecting customers from the greatest threat to online banking – Trojan malware – the source of millions in annual losses.

The system, which allows users to verify payments on a mobile app or hardware device before using a unique code to approve a transaction, has attracted the attention of Swiss and German banks.

Given recent warnings from the European Central Bank on the need to ensure the security of internet payments, and the debate in the European Parliament on electronic identification and trust services for electronic transactions, the need for new ways to protect online transactions is evident.  

Secure banking in the Internet era

Banks recognise the need for a higher level of security than mere passwords or PIN numbers. Most pose personal questions – with memorable answers – to verify a user's identity. For more robust security, banks now provide random number generating devices, or other dynamic password systems, which operate on the basis that only the true customer will have access to the secondary information required to generate a valid code.

But despite the increasing sophistication of these security systems, they do not protect customers against so-called Man-in-the-Browser Trojan malware.

These Trojans present as a harmless gift of free software. But once installed, in common with the namesake in Greek mythology, they allow unauthorised access to a computer, so that data can be stolen or tampered with.

When a user logs into his or her account, the Trojan detects this activity and can alter the amount and destination of any money transfer. This fraudulent version of the transaction is what the bank’s computers see and confirm. The Trojan then reverts to what was keyed in by the user, creating the impression that the desired transaction has taken place. Neither the bank nor the customer is aware of the fraud.

It’s not enough to be a bona fide customer

"It is no longer enough for the bank to confirm it is dealing with a real customer,” said Igor Drokov, CEO of Cronto. "To combat Trojan malware, the bank also needs to know that it is processing the transaction the customer actually wants to carry out."

This insight was the spur for Drokov, a graduate of Cambridge University and Bauman Moscow State Technical University, and his co-founder Elena Punskaya, Affiliated Lecturer in Software Engineering at Cambridge, to set up Cronto Ltd in 2005.

One Security Tool for Millions of Users

The challenge was to create a security system that is, “useable, cost-effective, and robust enough to cope with the number of transactions being completed and the sophisticated fraudulent mechanisms available,” Drokov told ScienceBusiness.

An added difficulty is presented by the variety of devices customers use to access bank accounts online, ranging from PCs, smartphones and tablets, to laptops.

As the company realised, the common element in all these devices is the screen. “If a customer is using online banking, they must necessarily be in front of a screen of some description. We decided that this was the easiest method of communication,” said Drokov.

This led Punskaya, as Chief Technology Officer, to employ advanced machine-learning and statistical data analysis algorithms to design a new visual barcode.

“While there are other visual channels available, none of these were appropriate for our purpose," said Drokov. "They were designed for industrial use, for example barcodes that would be printed out as labels and scanned using expensive industrial tools. Our device is very cost-effective, Commerzbank and comdirect offer our mobile application to their customers for free and the stand-alone device for €14.90."

In 2008 Cronto and Commerzbank formed a collaboration to develop the product, called photoTAN in Germany (and CrontoSign elsewhere), ensuring both strong security of transaction signing and a simple user experience. Commerzbank announced it was rolling out photoTAN in February. Then earlier this month, comdirect launched the product. CrontoSign has also signed deals with a bank in Chile and one in Switzerland.

“We have worked closely with Commerzbank, which helped to develop the CrontoSign visual transaction signing technology from innovative ideas to the product ready to serve the needs of millions of banking customers,” Drokov said.

Commerzbank's customers will be able to choose between using the photoTAN mobile app or a handheld photoTAN device.

When the bank receives a transaction request from a customer’s device, it generates a barcode of coloured dots, which it sends back to the device. The customer then scans the barcode to decode the information. "The device acts like a camera, which scans the code and shows the customer the data on the screen," said Drokov.

To confirm the transaction, the customer uses a six-digit code, generated by the application or device, and enters it into his or her browser. The code acts as the customer’s digital signature for this specific instruction, and once received and validated by the bank, the transaction is completed.

While a Trojan can see the image being sent by the bank, it cannot change the secure data inside. "The product offers great flexibility to the bank, as it controls what data is shown to the customer and when, without having to change any tool on the customer's side," said Drokov.
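The three steps above (bank encodes the transaction, the device verifies and displays it, the device derives a six-digit code that the bank checks) reduced to a minimal model. This is an added illustration, not Cronto's code or barcode format: the coloured-dot image is replaced by a byte string carrying a nonce, an integrity tag and the transaction, and the code is an HMAC over nonce plus details; DEVICE_KEY, the byte layout and the sample accounts are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed device secret; in practice provisioned once when the customer enrols.
DEVICE_KEY = bytes.fromhex("6f3a" * 16)

def canonical(txn: dict) -> bytes:
    """Fixed serialisation so bank and device MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()

def bank_make_challenge(txn: dict) -> bytes:
    """Bank side: nonce || tag || payload stands in for the coloured-dot barcode."""
    nonce = secrets.token_bytes(8)
    payload = canonical(txn)
    tag = hmac.new(DEVICE_KEY, nonce + payload, hashlib.sha256).digest()[:16]
    return nonce + tag + payload

def device_decode(challenge: bytes):
    """Device side: check integrity before showing anything to the customer."""
    nonce, tag, payload = challenge[:8], challenge[8:24], challenge[24:]
    expected = hmac.new(DEVICE_KEY, nonce + payload, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("challenge failed integrity check; nothing displayed")
    return nonce, json.loads(payload)

def sign_code(nonce: bytes, txn: dict) -> str:
    """Six-digit code bound to this nonce and these exact transaction details."""
    mac = hmac.new(DEVICE_KEY, b"sign" + nonce + canonical(txn), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def run_flow(intended: dict, received: dict, corrupt_challenge: bool = False) -> str:
    """One transfer: what the customer typed vs what the bank actually received."""
    challenge = bank_make_challenge(received)
    if corrupt_challenge:  # malware edits the encoded bytes on the way to the device
        challenge = challenge[:-1] + bytes([challenge[-1] ^ 0x01])
    try:
        nonce, shown = device_decode(challenge)
    except ValueError:
        return "device refused"
    if shown != intended:  # customer compares the trusted display with their intent
        return "customer declined"
    code = sign_code(nonce, shown)
    # The bank recomputes the code over the transaction it stored for this nonce.
    return "approved" if hmac.compare_digest(code, sign_code(nonce, received)) else "rejected"

if __name__ == "__main__":
    meant = {"amount": "250.00", "to": "DE00 CONSTRUCTED 0001"}   # constructed sample
    swapped = {"amount": "9750.00", "to": "DE00 CONSTRUCTED 9999"}  # what a Trojan sent
    print(run_flow(meant, meant), run_flow(meant, swapped), run_flow(meant, meant, True))
```

The second case is the man-in-the-browser scenario from the article: the bank genuinely received the altered transfer, but the customer sees the altered beneficiary on the separate device and declines.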

Ahead of the Game

Cronto filed a European patent in 2005, and this was granted in May 2012. The company is privately funded and has received non-dilutive grants from the [now-defunct] East of England Development Agency and UK Trade & Investment.

Banks are notoriously secretive about losses they face through cybercrime, and as a result the threat posed by Trojans was not made public until 2012, when malware dubbed Eurograbber was revealed to have stolen €36 million from banking accounts across Europe.

While Cronto is currently focused on the online banking sector, Drokov says "The tool can apply to any situation where transactions require trust in an untrustworthy environment, especially the internet."
