Computerworld

Cambridge Uni spin-off targets banking malware with image-based security system

Cronto develops PIN reader alternative with German bank for defence against man-in-the-browser attack

A Cambridge University spin-off has developed a new method of protection against 'man-in-the-browser' Trojan malware attacks on online bank customers, using a mobile device-based visual image security system to improve authentication and reduce the risk of fraud.

Trojan malware is used by cybercriminals to infiltrate a user's computer under the guise of a legitimate software program. Once installed, the Trojan can detect when a person is conducting an online banking transaction, then inflate the amount being transferred and divert the funds into another account, without immediate detection by the bank or the bank customer.

An example is the Eurograbber scam, which last year stole £24.5 million from over 30,000 bank users who had downloaded a variant of the Zeus Trojan, hitting customers in Germany, Holland and Spain. Symantec also recently highlighted the increasing sophistication of the Shylock malware, which is widening its geographic targets after targeting the UK banking sector in 2011.

In order to combat the rising use of Trojan malware to target the financial services sector, Cambridge-based Cronto has developed the photoTAN system together with Germany's second-largest bank, Commerzbank.

The system uses a two-dimensional coloured-dot image containing the data that the bank wishes to send, developed by testing machine learning algorithms on large datasets of images. The image is presented to the user on-screen and is scanned and decoded by an app on a mobile device. The app then generates a six-digit transaction authentication number (TAN), which is used to complete the transaction.
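As an added illustration (not Cronto's code and not its actual image encoding), the following constructed Python model shows why a transaction-bound TAN defeats the tampering described above: the bank embeds the transaction it actually received in the image payload, the phone only signs what it displays, and the bank checks the code against the transaction it holds, so a code entered for one transfer cannot authorise an inflated or redirected one. The device key, the HMAC-SHA256 construction, the nonce and the account strings are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device secret, assumed provisioned when the app is enrolled with the bank.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def tan_for(key: bytes, payload: bytes) -> str:
    """Six-digit code bound to the exact payload bytes (assumed HMAC-SHA256 construction)."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_image_payload(txn: dict, nonce: str) -> bytes:
    """Canonical bytes the bank would carry in the on-screen image (stand-in for the real encoding)."""
    return json.dumps({"txn": txn, "nonce": nonce}, sort_keys=True, separators=(",", ":")).encode()


def phone_scan_and_sign(key: bytes, payload: bytes, user_intended: dict):
    """Decode the image on the trusted device; the comparison models the user's own check of the details."""
    decoded = json.loads(payload)
    if decoded["txn"] != user_intended:
        return None  # displayed details differ from what the user meant to send: no TAN is produced
    return tan_for(key, payload)


def bank_verify(key: bytes, txn_received: dict, nonce: str, tan: str) -> bool:
    """Recompute the TAN over the transaction the bank actually holds, so a code cannot be moved to another."""
    return hmac.compare_digest(tan_for(key, bank_image_payload(txn_received, nonce)), tan)


def run_scenarios() -> dict:
    """Honest transfer, a man-in-the-browser rewrite of it, and a replayed TAN."""
    intended = {"to": "DE00 CONSTRUCTED 0001", "amount": "50.00"}
    tampered = {"to": "DE00 CONSTRUCTED 9999", "amount": "5000.00"}  # what a Trojan might submit instead
    nonce = "txn-0001"  # per-transaction value chosen by the bank (assumption)
    # 1. No tampering: the image carries the intended transfer, the app signs it, the bank accepts.
    honest_tan = phone_scan_and_sign(DEVICE_KEY, bank_image_payload(intended, nonce), intended)
    honest_ok = bank_verify(DEVICE_KEY, intended, nonce, honest_tan)
    # 2. The browser rewrote the transfer: the bank's image now shows the tampered details on the
    #    phone, the user sees the mismatch and declines.
    refused = phone_scan_and_sign(DEVICE_KEY, bank_image_payload(tampered, nonce), intended)
    # 3. The attacker reuses the honest TAN for the tampered transfer: the bank rejects it.
    replay_ok = bank_verify(DEVICE_KEY, tampered, nonce, honest_tan)
    return {"honest": honest_ok, "refused": refused is None, "replay": replay_ok}
```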

According to Igor Drokov, Cronto CEO, the system provides advantages over existing PIN reader systems for completing transactions both in the ease of use and in the added layer of authentication.

"The device and app are as easy or easier to use than a PIN reader: it's just scanning the 2D barcode, confirming that all aspects of the transaction are correct, and entering a code which acts as a signature for the transaction," he said.

"PIN readers are very limited as they can only use digits, which are entered into a website. But if the website is compromised by a man-in-the-browser attack, the customer would still be at the mercy of the fraudster."

He added: "This technology is more future-proof as the bank can change the message contained within the data depending on the types of attacks they see, or the types of transactions the customer wants to carry out. Cronto provides the envelope around the data being sent between the bank and the customer."

Working with Commerzbank, Cronto developed a security protocol that has now been adopted by a number of banks in Germany and Switzerland, including comdirect. Drokov said that the software firm is in talks with UK banks about the use of the system, and is looking at rolling it out in the UK in future.