Creating Secure, Simple Transaction Signing Experiences with Cronto

Sarah Van De Vyver

Online and mobile banking increased in popularity during COVID-19-induced lockdowns, and the trend is here to stay. In an extensive survey across 14 countries in the midst of the pandemic, Mastercard concluded that online banking is now the standard for personal banking, with over half (53%) of respondents using banking apps more than they did before the pandemic.1 At the same time, social engineering fraud has risen, and fraudsters focus their attention particularly on SaaS providers and financial institutions. Given this change in consumer behavior, it is crucial for banks to offer a satisfactory customer journey while safeguarding users from social engineering fraud.

OneSpan’s Cronto solutions help financial institutions protect against social engineering attacks, while at the same time offering an intuitive user experience regardless of the channel the consumer uses. In this blog, we explore how financial institutions can achieve these twin goals, especially with users who are new to the digital channels.

Mobile and online banking surged during the pandemic

The pandemic caused a shift in our behavior: how we work, communicate, shop, and even how we meet. Lockdowns became part of everyday life in many countries, and the internet became the epicenter of remote work, online education, entertainment, personal shopping, and almost all other activity. Banking is no exception: online and mobile banking surged in 2020.2 A recent Deloitte survey of 1,500 working-age individuals living in Switzerland showed that almost 20% of all retail banking customers used at least one online service for the first time during the crisis.3

Most of these first-time users expect to continue using online or mobile banking exclusively (14%) or a mix of in-branch and online banking (51%). What surprised me, however, is that while such a mix might seem logical for complex interactions such as loans and mortgages, 34% of first-time users still prefer in-branch service over online transactions. Deloitte's researchers concluded that a minority of customers who experimented with online payments were dissatisfied with the experience, and that this is likely concentrated in specific customer segments and in more complex transactions.

It is key for retail banks in this digital age to embrace these new first-time customers and live up to their expectations. The digital customer journey experience will be essential when customers ask themselves post-COVID whether to continue transacting digitally or return to the branch.

Social engineering fraud spikes during COVID-19 pandemic

Mobile and online banking have surged under the influence of COVID-19, but the threat landscape has shifted with them. Throughout the pandemic, social engineering attacks have been on the rise as cybercriminals seek to exploit the crisis. Attackers preyed on uncertainty and on vulnerable people by masquerading as government entities, sending emails about precautionary measures, or selling products that promised to prevent or even cure COVID-19. Scammers enticed people to divulge sensitive information (such as banking details), click on malicious links, or even carry out payments.

In addition, phishing attacks have become increasingly hard to detect, as bogus websites are almost identical to the sites they imitate. Automation tools and crime-as-a-service packages make it even easier for cybercriminals to target a broader audience, increasing their chances of success. Nor is phishing confined to email and the web: malicious links and malware also circulate via WhatsApp, Messenger, and even SMS. Financial institutions rank second among the most targeted industries, after SaaS and webmail, which means that almost 1 in 5 phishing attacks is aimed at banks and financial institutions.4

Stand out in the crowd: pair security with an outstanding user experience

The standard advice for avoiding phishing, man-in-the-middle (MITM) and other social engineering schemes still applies: think before you click, never share credentials or personal information, and check that you are on the bank's genuine site before entering anything. Every bank and financial organization has repeated this advice many times: in mailing campaigns, through call centers, and even as warnings built into the app.

Despite banks investing countless resources in reducing fraud risk, social engineering attacks remain successful today. Even with advanced fraud technology in place, social engineering fraud is difficult to reduce, because it exploits the user rather than a gap in the security controls.

So how can banks help customers steer away from social engineering schemes without encumbering their user experience?

OneSpan's Cronto® technology helps financial institutions drive down fraud. Cronto mitigates human risk in online banking transactions by moving control over transaction authorization away from the user and into the trusted device and the bank.

Put simply, Cronto creates a secure channel between the bank and the customer that guarantees message authenticity. Users can be assured that the transaction request they are being asked to sign originates from the bank. Within this channel, only the bank can produce a valid authorization code, and only the customer's enrolled device can decrypt and read it.

How Cronto combats social engineering

Cronto greatly reduces the risk of customers being tricked into revealing an authorization code, and it stops criminals from intercepting and manipulating transaction details undetected.

The solution uses a visual challenge encoded in a cryptogram. The bank generates the Cronto code in response to a genuine transaction request and displays it on the customer's screen. The customer scans it with the Cronto-enabled mobile app or hardware token, which decrypts it and shows the transaction details for confirmation before signing.

The Cronto code contains encrypted transaction data, including the amount and the recipient account details, so every code is unique to one transaction. There is no static PIN or password for a fraudster to phish. Furthermore, because the cryptogram is authenticated as well as encrypted, if a fraudster intercepts the code and changes anything, such as the beneficiary account, the device rejects it as invalid.
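To make the mechanism described above concrete, here is an added example that is not OneSpan's code: the page does not describe Cronto's actual encoding, cipher, message format or key management, and none of that is reproduced here. The exchange is modelled with the Python standard library only. The bank encrypts the transaction details and authenticates them (encrypt-then-MAC built from HMAC-SHA256, an assumption standing in for a real authenticated cipher); the device verifies the tag before decrypting and displaying anything, and after the user confirms it derives a short response code bound to both the cryptogram's nonce and the displayed details. The subkey labels, the nonce/tag layout, the key values and the sample transaction (including the IBANs) are all constructed for the example.

```python
"""Illustrative "what you see is what you sign" cryptogram exchange.

Added example, not OneSpan's Cronto implementation. Bank and device
share a per-device master key (assumed to be provisioned at enrolment);
everything below is standard-library only and all values are samples.
"""
import hashlib
import hmac
import json
import secrets
import struct

NONCE_LEN = 12   # random per-cryptogram nonce (assumed layout)
TAG_LEN = 32     # HMAC-SHA256 tag


def derive_keys(master: bytes) -> dict:
    """Split the master key into independent enc/mac/sign subkeys."""
    return {label: hmac.new(master, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "sign")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher (assumption)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _canonical(txn: dict) -> bytes:
    """Deterministic encoding so bank and device sign identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def bank_build_cryptogram(master: bytes, txn: dict) -> bytes:
    """Bank side: encrypt the details, then authenticate nonce || ciphertext.
    Output layout: nonce || ciphertext || tag (rendered visually in the real product)."""
    keys = derive_keys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = _canonical(txn)
    stream = _keystream(keys["enc"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def device_open_cryptogram(master: bytes, cryptogram: bytes) -> dict:
    """Device side: verify the bank's tag before decrypting anything.
    An altered cryptogram, or one not made with this device's key, is
    rejected and nothing is shown to the user."""
    keys = derive_keys(master)
    if len(cryptogram) < NONCE_LEN + TAG_LEN:
        raise ValueError("cryptogram rejected: too short")
    nonce = cryptogram[:NONCE_LEN]
    ciphertext = cryptogram[NONCE_LEN:-TAG_LEN]
    tag = cryptogram[-TAG_LEN:]
    expected = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cryptogram rejected: authentication tag mismatch")
    stream = _keystream(keys["enc"], nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def response_code(master: bytes, cryptogram: bytes, txn: dict, digits: int = 8) -> str:
    """Signature over the nonce and the details the user confirmed, truncated
    to a short decimal code (dynamic truncation as in RFC 4226, section 5.3)."""
    keys = derive_keys(master)
    mac = hmac.new(keys["sign"], cryptogram[:NONCE_LEN] + _canonical(txn),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def bank_verify_response(master: bytes, cryptogram: bytes, txn: dict, code: str) -> bool:
    """Bank side: recompute the code over the transaction it actually holds."""
    return hmac.compare_digest(response_code(master, cryptogram, txn), code)


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed enrolment key
    txn = {"amount": "1250.00", "currency": "EUR",
           "beneficiary": "BE71096123456769", "reference": "INV-0042"}  # constructed

    cryptogram = bank_build_cryptogram(master, txn)
    shown = device_open_cryptogram(master, cryptogram)  # what the user reads and checks
    code = response_code(master, cryptogram, shown)     # produced only after confirmation
    print("bank accepts response:", bank_verify_response(master, cryptogram, txn, code))

    # Intercepting the code and flipping one byte yields no display at all.
    tampered = bytearray(cryptogram)
    tampered[NONCE_LEN] ^= 0x01
    try:
        device_open_cryptogram(master, bytes(tampered))
    except ValueError as err:
        print("device:", err)

    # A code signed for the details the user saw does not authorise a
    # transaction whose beneficiary was swapped on the way to the bank.
    swapped = dict(txn, beneficiary="GB33BUKB20201555555555")
    print("swapped beneficiary accepted:",
          bank_verify_response(master, cryptogram, swapped, code))
```

Two design points carry over to any real deployment of this pattern: the device must refuse to display anything whose tag fails, so a user never confirms details an attacker composed, and the response code must bind the per-transaction nonce as well as the displayed amount and beneficiary, so a code captured for one transaction can neither be replayed nor reused for a different payment.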

How Cronto simplifies and secures the user experience

The Cronto visual transaction signing solution enables banks to secure financial transactions with minimal friction. The entire process of scanning a code, checking the transaction details, and signing the transaction is completed within seconds.

Users also don't need to manually enter a passcode to sign a transaction, which helps create a better user experience. In addition, peace of mind is an important factor in a positive user experience. The "what you see is what you sign" principle makes transaction signing intuitive and transparent: the amount and beneficiary shown on the customer's own device are exactly what gets signed, provided the customer reads them before confirming.

Cronto technology allows banks to serve their entire customer base, regardless of whether a customer prefers a mobile app or a hardware token. The solution provides a consistent user experience for every customer, whatever channel they use, without adding authentication friction. That will be crucial in convincing new or first-time users to keep using online or mobile banking services. I firmly believe that banks who get this right can gain a competitive edge.

In a nutshell, Cronto helps banks effectively reduce social engineering fraud by mitigating human risk, creating a secure banking experience, and offering an easy and intuitive customer journey.

Social Engineering Attacks on Banking Transactions

Learn how to protect your customers from the latest social engineering attacks. Minimize risk with industry best practices and technology recommendations.


Sarah is Product Marketing Manager at OneSpan and responsible for OneSpan’s FIDO, hardware and server solutions. She has over 15 years of experience in ICT and Communications and held previous positions within OneSpan’s Corporate Communications department.