"Since the records began", here at Cronto we have been talking about AND working on countering banking Trojans and the Man-in-the-Browser. Back then there were very few public real-world examples of successful attacks, and 2FA (Two-Factor Authentication), especially in the form of showing a picture of your dog, was all the rage.
While we pronounced 2FA dead at the beginning of 2008, it wasn't until December 2009, when Gartner vice president and analyst Avivah Litan published a report on the shortcomings of 2FA methods against Trojan-based attacks, stating:
"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009"
that it became official: the Man-in-the-Browser Trojan had arrived.
It has arrived, and it is going mainstream, judging from a recent article in USA Today:
First, they [criminals] acquire valid account log-ons, often by purchasing them from specialist data thieves. Next, they quietly access accounts, making note of high cash balances and access to credit lines. They also familiarize themselves with the bank's protocols for authorizing the creation of new online accounts and approving cash transfers.
They look for coding security holes — and invariably find them in the Web browser, the tool banks rely on to run programs that serve as a virtual bank teller. But Internet Explorer, Firefox, Opera, Google Chrome and Apple Safari are designed to let users navigate the entire Internet; they weren't meant to execute secure financial transactions [Sound familiar? See The most insecure banking/sales terminal]. Cyberrobbers craft banking Trojans that inject software code into the Web browser, letting the attacker take control of online banking sessions, alter what the account holder sees and make stealthy transactions.
and, on solutions:
Litan, the Gartner banking security analyst, says banks need to move away from technologies that rely on common Web browsers, which is where banking Trojans thrive. Handheld optical readers, a more advanced technology, are available from Gemalto and Cronto. These devices must be used to take a picture of a visual cryptogram — a secure image produced by the bank — as part of authorizing any cash transfers.
It is great to see our technology, the Cronto visual cryptogram, mentioned in the article. It is a bit unfortunate that the article refers only to the standalone hardware device, the optical reader, whereas our solution offers either a mobile app for your cellphone or a dedicated device. As we strongly believe in the power of choice when it comes to authentication solutions for banks and their customers, offering both options lets us achieve the best combination of usability, security and cost.
Now that the Trojan problem has become mainstream, there will be another "gold rush" of vendors to address it. As usual, there will be some smart solutions and many not so smart. Yet we believe the visual channel is the best way to provide full, secure "free-text" transaction signing, and as of today the Cronto visual cryptogram is the only mature solution designed specifically to the requirements of the online banking security market.
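To make concrete why a visual cryptogram defeats the browser-side tampering the USA Today article describes, here is a minimal simulation of the protocol pattern: the bank encodes the transaction exactly as it received it into an authenticated payload, the user's device decodes and displays it outside the browser, and the response code the user types back is bound to those displayed details. This is an added illustrative example, not Cronto's code, protocol or image format. It assumes a symmetric key shared between bank and device at enrollment, stands in for the image with a base64 string, uses a truncated HMAC for authentication only (a real cryptogram would also need confidentiality), and uses constructed IBAN strings and amounts.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = 8  # truncated MAC carried inside the cryptogram (illustrative size, an assumption)


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so bank and device MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def response_code(key: bytes, nonce: str, tx: dict) -> str:
    """8-digit code the user types back; bound to the nonce AND the displayed transaction."""
    mac = hmac.new(key, b"response|" + canonical({"nonce": nonce, "tx": tx}), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    def __init__(self, device_key: bytes) -> None:
        self.key = device_key
        self.pending: dict = {}  # nonce -> transaction exactly as the bank received it

    def issue_cryptogram(self, tx_received: dict) -> str:
        """Encode what the bank actually received; the user will see this, not the browser's DOM."""
        nonce = secrets.token_hex(8)
        body = canonical({"nonce": nonce, "tx": tx_received})
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        self.pending[nonce] = tx_received
        return base64.b64encode(body + tag).decode()  # stands in for the visual matrix image

    def execute(self, nonce: str, code: str) -> Optional[dict]:
        tx = self.pending.pop(nonce, None)  # one-shot: a replayed code finds nothing pending
        if tx is None or not hmac.compare_digest(response_code(self.key, nonce, tx), code):
            return None
        return tx  # the bank executes what the device signed, not what the browser re-submits


class Device:
    """Phone app or optical reader: decodes off-browser and shows the user the real order."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def decode(self, cryptogram: str) -> Optional[dict]:
        raw = base64.b64decode(cryptogram)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None  # forged or altered cryptogram: nothing is displayed or signed
        return json.loads(body)

    def sign(self, cryptogram: str, user_intent: dict) -> Optional[str]:
        msg = self.decode(cryptogram)
        if msg is None or msg["tx"] != user_intent:  # the user compares display with intent
            return None
        return response_code(self.key, msg["nonce"], msg["tx"])


# Constructed sample data, not real accounts.
INTENDED = {"to": "DE00 0000 0000 0000 (constructed)", "amount": "100.00", "ccy": "EUR"}
DIVERTED = dict(INTENDED, to="XX00 ATTACKER ACCT (constructed)", amount="9500.00")


def run_transfer(mitb_rewrites_request: bool) -> str:
    key = secrets.token_bytes(32)
    bank, device = Bank(key), Device(key)
    # Browser -> bank. A Man-in-the-Browser Trojan rewrites the request in transit
    # while the browser window still shows the user the original order.
    received = DIVERTED if mitb_rewrites_request else INTENDED
    cryptogram = bank.issue_cryptogram(received)
    code = device.sign(cryptogram, user_intent=INTENDED)
    if code is None:
        return "refused"  # device showed the attacker's payee; the user does not approve
    nonce = device.decode(cryptogram)["nonce"]
    return "executed" if bank.execute(nonce, code) == INTENDED else "rejected"


def mitb_rewrites_cryptogram() -> Optional[dict]:
    """Trojan tries to make the device display INTENDED while the bank holds DIVERTED."""
    key = secrets.token_bytes(32)
    bank, device = Bank(key), Device(key)
    real = base64.b64decode(bank.issue_cryptogram(DIVERTED))
    nonce = json.loads(real[:-TAG_LEN])["nonce"]
    fake_body = canonical({"nonce": nonce, "tx": INTENDED})
    forged = base64.b64encode(fake_body + real[-TAG_LEN:]).decode()  # reuses the real tag
    return device.decode(forged)  # None: the tag does not verify without the device key


if __name__ == "__main__":
    print("honest session:", run_transfer(False))
    print("MitB rewrites the request:", run_transfer(True))
    print("MitB rewrites the cryptogram:", mitb_rewrites_cryptogram())
```

The point the simulation makes is the one in the text: the browser is untrusted, so the only thing that matters is that the device shows the user what the bank will actually execute, and that the code the user types back cannot be transplanted onto a different transaction or replayed.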
Want to see it in action? Watch this video, demonstrating the Cronto BlackBerry mobile client app used for visual transaction signing at Commerzbank AG, the second largest bank in Germany:
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.