Cambridge Uni spin-off targets banking malware with image-based security system

Cronto develops PIN reader alternative with German bank for defence against man-in-the-browser attack

A Cambridge University spin-off has developed a new method of protection against 'man-in-the-browser' Trojan malware attacks on online banking customers, using a visual, mobile-device-based security system to strengthen transaction authentication and reduce the risk of fraud.

Trojan malware is used by cybercriminals to infiltrate a user's computer under the guise of a legitimate software program. Once the Trojan is installed it is possible for the malware to detect when a person is conducting an online banking transaction, before inflating the amount of money being transacted and diverting funds into another account, without immediate detection by the bank or the bank customer.

An example is the Eurograbber scam, which last year stole £24.5 million from over 30,000 bank customers who had downloaded a variant of the Zeus Trojan, hitting customers in Germany, Holland and Spain. Separately, Symantec recently highlighted the increasing sophistication of the Shylock malware, which is widening its geographic targets after attacking the UK banking sector in 2011.

To combat the rising use of Trojan malware against the financial services sector, Cambridge-based Cronto has developed the photoTAN system together with Germany's second largest bank, Commerzbank.

The system uses a two-dimensional coloured dot image that encodes the data the bank wishes to send; the image format was developed by testing machine learning algorithms on large datasets of images. The image is presented to the user on-screen and is scanned and decoded by an app on a mobile device. The app then generates a six-digit transaction authentication number (TAN), which is used to complete the transaction.

According to Igor Drokov, Cronto CEO, the system provides advantages over existing PIN reader systems for completing transactions both in the ease of use and in the added layer of authentication.

"The device and app are as easy or easier to use than a PIN reader: it's just scanning the 2D barcode, confirming that all aspects of the transaction are correct, and entering a code which acts as a signature for the transaction," he said.

"PIN readers are very limited as they can only use digits, which are entered into a website. But if the website is compromised by a man-in-the-browser attack, the customer would still be at the mercy of the fraudster."

He added: "This technology is more future-proof as the bank can change the message contained within the data depending on the types of attacks they see, or the types of transactions the customer wants to carry out. Cronto provides the envelope around the data being sent between the bank and the customer."

Working with Commerzbank, Cronto developed a security protocol that has now been adopted by a number of banks in Germany and Switzerland, including comdirect. Drokov said that the software firm is in talks with UK banks about the use of the system, and is looking at rolling it out in the UK in future.
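The flow the article describes (bank encodes the transaction into an image, the device decodes and displays it, the customer confirms, the device produces a six-digit TAN bound to that transaction) can be sketched end to end. The following is an added example and not Cronto's code: the article does not describe photoTAN's encoding, key provisioning or code derivation, so the canonical-JSON stand-in for the dot image, the HMAC-based TAN derivation, the field names, the device key and the sample transactions are all assumptions or constructed values. It shows why a man-in-the-browser edit to the amount or payee is caught at the confirmation step, and why a TAN approved for one transaction does not authorise another.

```python
import hashlib
import hmac
import json

# Constructed per-device secret. In a real deployment it would be provisioned
# at enrolment and shared only between the bank and this customer's device.
DEVICE_KEY = b"constructed-demo-device-key-0001"


def encode_for_image(tx: dict) -> bytes:
    """Bank side: serialise the transaction the bank is about to execute.
    Stand-in for the 2D coloured-dot image (assumed encoding). Canonical JSON
    makes the bytes identical on both sides, so the TAN is bound to exactly
    these fields and nothing else."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def decode_from_image(payload: bytes) -> dict:
    """Device side: recover what the bank actually intends to execute."""
    return json.loads(payload.decode())


def derive_tan(key: bytes, payload: bytes) -> str:
    """Device side: a 6-digit code bound to the payload.
    HMAC-SHA256 with HOTP-style dynamic truncation is an assumption here,
    not the photoTAN construction."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # 0..15, so 4 bytes always fit
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def bank_accepts(key: bytes, tx: dict, tan: str) -> bool:
    """Bank side: recompute the TAN over the transaction it holds and compare
    in constant time. A TAN derived over different bytes will not match."""
    return hmac.compare_digest(derive_tan(key, encode_for_image(tx)), tan)


def customer_confirms(intended: dict, shown_on_device: dict) -> bool:
    """The human step: the device display must match what the customer
    meant to do. A trojan can rewrite the web page, but the device shows
    what the bank decoded from the image, not what the browser rendered."""
    return all(shown_on_device.get(k) == intended.get(k)
               for k in ("payee", "amount", "currency"))


def run_transaction(intended: dict, received_by_bank: dict) -> dict:
    """End-to-end flow. `received_by_bank` is what arrived via the browser,
    which a man-in-the-browser trojan may have altered on the way."""
    image = encode_for_image(received_by_bank)          # bank builds the image
    shown = decode_from_image(image)                    # device decodes it
    if not customer_confirms(intended, shown):          # customer compares
        return {"customer_approved": False, "bank_accepted": False}
    tan = derive_tan(DEVICE_KEY, image)                 # device signs the details
    return {"customer_approved": True,
            "bank_accepted": bank_accepts(DEVICE_KEY, received_by_bank, tan)}


# Constructed sample transactions (placeholder IBAN-like strings, not real accounts).
INTENDED = {"payee": "DE00 0000 0000 0000 0000 00", "amount": "120.00", "currency": "EUR"}
TAMPERED = dict(INTENDED, payee="DE99 9999 9999 9999 9999 99", amount="4800.00")

if __name__ == "__main__":
    # Honest browser: customer approves, bank accepts.
    print(run_transaction(INTENDED, INTENDED))
    # Browser altered the payee and amount: the image reveals it, customer rejects.
    print(run_transaction(INTENDED, TAMPERED))
    # A TAN approved for the intended transaction does not authorise the altered one.
    tan = derive_tan(DEVICE_KEY, encode_for_image(INTENDED))
    print(bank_accepts(DEVICE_KEY, INTENDED, tan), bank_accepts(DEVICE_KEY, TAMPERED, tan))
```

The two properties that matter for the man-in-the-browser case are separated on purpose: `customer_confirms` is the "confirming that all aspects of the transaction are correct" step Drokov describes, and `bank_accepts` is the binding of the entered code to the transaction bytes, which is what a plain PIN-reader digit code lacks.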

Stories by Matthew Finnegan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts