Cronto helps de-mystify the growing threat of Internet banking fraud

29 April 2008

UK banking security specialist Cronto has published a guide to help demystify the latest threats to web banking services. Much publicity has been given to ‘phishing’, but the threat has now moved to a far more sophisticated and worrying level.

Until recently, ‘phishing’ attacks simply used stolen access credentials (passwords, PINs and the like) to fraudulently remove money from customers’ accounts. Banks strengthened their login security to defend against this type of attack.

Criminals have now developed the attack further by tampering with the customer’s connection to the bank. There is no need to ‘phish’ for the customer’s account details: the money can be stolen while the customer is legitimately logged in to the bank. The customer will not know the attack has occurred until the money is gone.

These new types of attack are known as ‘Man in the Middle’ and ‘Man in the Browser’. They are highly sophisticated frauds and can be used to attack thousands of customers systematically. Kits to perform these attacks are being produced by the criminal community.

With a ‘Man in the Middle’ attack the criminal sets up a copy of the bank’s web site and tricks the customer into visiting it. The criminal relays everything to the bank’s real web site, so the customer is unaware of the attack, but the criminal sits between the two and can modify the conversation to remove funds from the customer’s account. A vigilant customer might spot that the address in the browser is not the bank’s, but this type of fraud has already proved dangerously effective.

‘Man in the Browser’ is even more destructive than ‘Man in the Middle’. In this case the criminal installs a Trojan on the customer’s PC that hooks into the browser itself. A Trojan is a sophisticated piece of software that can control the customer’s PC, including the browser. The attack works in the same way as ‘Man in the Middle’, with the Trojan modifying the customer’s conversation with the bank during a legitimate session. Because the Trojan operates inside the browser, after the encrypted connection has been set up, the address bar, padlock and certificate all look correct, and the bank sees a normal session from the customer’s own machine. Neither the customer nor the bank will be aware of this type of attack.

A recent ‘Man in the Browser’ Trojan was programmed to attack over 400 banks and, once installed on the customer’s computer, could be updated automatically by the criminal to add new banks’ details. This Trojan was designed to be downloaded onto hundreds of thousands of PCs and to attack every customer’s bank account.

Sophisticated systematic attacks like these are far more threatening to the security of web banking services than simple ‘phishing’. Banks are now developing new defences against this type of attack.

The only way to fully defend against ‘Man in the Middle’ and ‘Man in the Browser’ attacks is to authenticate every important instruction the customer sends to the bank. Security effectively moves from protecting the ‘front door’ at login to protecting each individual instruction. For this to work, the authentication code must be bound to the content of the instruction (the payee and the amount the bank actually received) and must be computed on a device the Trojan cannot reach; a one-time code that is valid for any instruction can simply be relayed by the attacker along with the altered transaction. The problem has always been finding an effective means of doing this without making the system unusable for the customer. Fiddly hand-held authenticators, already introduced by some banks, are not the right solution.
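The following is an added example, not Cronto’s cryptogram and not any bank’s code, that models the defence described above in its simplest form. It assumes a secret shared between the bank and the customer’s phone at enrolment, a JSON challenge that carries the payee and amount exactly as the bank received them, an HMAC-SHA256 response truncated to six digits, and a constructed Man-in-the-Browser routine that rewrites the transfer before it leaves the browser. All values and names are hypothetical.

```python
"""Transaction authentication model: the response code is bound to the
instruction the bank actually holds, and the customer confirms the
instruction on a display the Trojan cannot alter (the phone)."""
import hashlib
import hmac
import json
import secrets

# Constructed example secret, provisioned to the phone at enrolment and never
# available to the browser or the PC. Hypothetical value.
DEVICE_SECRET = bytes.fromhex("6f1d2e3c4b5a69788796a5b4c3d2e1f0" * 2)


def make_challenge(payee: str, amount_pence: int, nonce: str) -> str:
    """Bank side: canonical encoding of the instruction as the bank received it.
    This is the data the bank would put into the on-screen cryptogram."""
    fields = {"payee": payee, "amount_pence": amount_pence, "nonce": nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def response_code(secret: bytes, challenge: str) -> str:
    """Six-digit code bound to every byte of the challenge via HMAC-SHA256."""
    tag = hmac.new(secret, challenge.encode("utf-8"), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


def describe(payee: str, amount_pence: int) -> str:
    """Human-readable summary shown on the trusted (phone) display."""
    return f"Pay {payee} GBP {amount_pence / 100:.2f}"


def phone_decode(secret: bytes, challenge: str):
    """Phone side: decode the challenge, show it, and compute the response."""
    f = json.loads(challenge)
    return describe(f["payee"], f["amount_pence"]), response_code(secret, challenge)


def bank_verify(secret: bytes, payee: str, amount_pence: int, nonce: str, code: str) -> bool:
    """Bank side: recompute over the instruction it actually holds and compare."""
    expected = response_code(secret, make_challenge(payee, amount_pence, nonce))
    return hmac.compare_digest(expected, code)


def man_in_the_browser(instruction: dict) -> dict:
    """Constructed Trojan behaviour: rewrite the form post inside the browser,
    after the customer clicked 'confirm' and before it is sent to the bank."""
    return {**instruction, "payee": "Mule Account", "amount_pence": 500_000}


def run_scenario(tamper: bool, fake_cryptogram: bool = False) -> dict:
    """Walk one transfer end to end and report what each party saw."""
    intended = {"payee": "Plumber Ltd", "amount_pence": 12_000}
    received = man_in_the_browser(intended) if tamper else intended
    nonce = secrets.token_hex(8)

    # The bank builds the challenge from what it actually received.
    challenge = make_challenge(received["payee"], received["amount_pence"], nonce)

    # A smarter Trojan may replace the cryptogram on screen with one it built
    # from the customer's intended details, hoping to hide the change.
    on_screen = challenge
    if fake_cryptogram:
        on_screen = make_challenge(intended["payee"], intended["amount_pence"], nonce)

    shown, code = phone_decode(DEVICE_SECRET, on_screen)
    customer_agrees = shown == describe(intended["payee"], intended["amount_pence"])
    # The customer types the code in only if the phone display matches intent;
    # the bank then checks the code against the instruction it holds.
    accepted = customer_agrees and bank_verify(
        DEVICE_SECRET, received["payee"], received["amount_pence"], nonce, code
    )
    return {"phone_shows": shown, "customer_agrees": customer_agrees, "bank_accepts": accepted}


if __name__ == "__main__":
    for args in ((False,), (True,), (True, True)):
        print(args, run_scenario(*args))
```

The two tampered runs show the two ways the attack fails. If the Trojan passes the bank’s genuine cryptogram through, the phone displays the mule account and the customer refuses to enter a code. If the Trojan forges a cryptogram carrying the original details, the customer enters a code, but it was computed over the wrong instruction and the bank rejects the transfer. Note the nonce prevents a captured code being replayed against a later identical transfer; it is carried inside the challenge so the phone does not need to see it separately.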

Cronto has developed a solution based on its visual cryptogram, which secures transactions without requiring codes to be typed into fiddly authenticators. The customer can, for example, use the camera in a mobile phone to read the cryptogram from the screen and authenticate important instructions to the bank.

What is clear is that the criminal world has turned its attention to web banking and banks cannot delay any longer the introduction of transaction authentication of individual instructions.

Cronto’s guide ‘Beyond Phishing – De-mystifying the growing threat of Internet banking fraud’ can be downloaded free of charge from the Cronto website.
