How to Secure Online Bank Transactions: From Passwordless Logon to Contactless Cash Withdrawals
A lot has already been written about securing banking transactions and the need to do so has never been more apparent. The last 18 months has seen fraudulent activity on the rise as banking customers turned to mobile and online channels due to the pandemic.
Though banks can add authentication factors and security measures to secure online transactions, control often resides with the end user and fraudsters have developed sophisticated social engineering and phishing scams to exploit the user’s control of their online accounts. In a typical transaction process, the bank has zero control over the authorization decision. The user can authorize any request at any given time, including fraudulent ones. There is no context for the user, and phishing continues to be successful for this reason. Banks should instead look for solutions that take the trust decision out of the user’s hands without impeding the user experience. From there, banks should look beyond transaction security and choose a solution that will work for every customer in every channel.
In an earlier blog post titled, “Creating Secure, Simple Transaction Signing Experiences with Cronto”, we explored how OneSpan’s Cronto visual transaction signing technology helps create a secure and simple transaction signing experience while also helping banks and financial institutions to offer a secure and user-friendly transaction flow for every customer. OneSpan’s Cronto solutions are not limited to transaction signing alone, however. These solutions have become widely popular among our customers, because they cover a multitude of banking use cases. In this blog, we’ll cover five of the top use cases for Cronto beyond transaction authorization.
Top 5 Cronto Use Cases for Secure Financial Transactions
Cronto offers a multi-angular approach
Most authentication solutions available in the market today are designed to support a secure user login by utilizing authentication factors beyond static username and password credentials. Username and passwords are an unreliable method of authenticating and create a poor experience for the user. They are cumbersome; users need to memorize them and change them periodically. If the user happens to forget their password, it involves calling a helpdesk which can be a frustrating user experience.
Enter Cronto. Cronto is a passwordless solution that combines high security with a convenient user experience. Your users will no longer need to type a username, password, or challenge. You simply scan the Cronto image with your mobile or Cronto hardware authenticator.
The same experience is provided for transaction signing. You can authorize a transaction without having to manually add transaction details. Simply scan the Cronto image and verify the transaction details on your mobile or hardware authenticator. A visual cryptogram authentication code, similar in some ways to a QR code, is then generated on your mobile or hardware device in real-time and passed back to the bank’s server to complete the transaction.
One solution for logon and transaction signing
The great thing about this solution is that the user experience and authorization flows remain the same regardless of the user’s preference for a mobile or hardware device. Cronto demonstrates its flexibility by allowing the bank to choose which logon or transaction signing method to use. Banking customers can log on and/or sign a transaction using push notifications on mobile or a Cronto hardware device.
Alternatively, the user can enter the transaction details in the online banking app and scan and sign the transaction using their mobile. This versatility makes Cronto an ideal solution for banks that cater to the needs of a diverse user base and offers a perfect mix and match of hardware and software without having to deploy and maintain different solutions and authentication flows.
Besides the benefits of a passwordless logon and transaction signing flow, Cronto’s technology can also be deployed to allow you to withdraw cash without using a card. Interest in cardless cash withdrawals has heightened since the COVID-19 pandemic, and it will undoubtedly accelerate the adoption of methods to minimize contact with ATMs.
Banks that deploy Cronto technology enable their customers to withdraw cash without touching any screens. A user would simply open his secure mobile application and select the account and the amount of withdrawal. On the ATM screen, a secure Cronto image will be generated, containing the details of the transaction. The user then scans this secure Cronto image with their mobile phone. Once the user approves their request via the preferred authentication method such as mobile biometry or PIN entry, the mobile app sends the transaction confirmation code back to the bank, and the ATM dispenses cash.
Banks looking to provide a cardless cash option can rely on Cronto technology without needing to invest in additional software or solutions as the same Cronto solution can be deployed for logon and transaction authorization.
Secure PIN delivery
Have you ever opened a bank account, received your card in the mail, and were still unable to use it? PIN codes for debit and credit cards are distributed separately for security reasons, but how convenient is it when you have to wait for a PIN mailer? Other alternatives include SMS and email, whereby the PIN is delivered in clear text, but these are insecure delivery mechanisms. SMS and mail can be easily intercepted. Cronto solves this issue and enables secure PIN delivery.
Instead of sending the customer a PIN in the mail, the bank can deliver the PIN via an encrypted Cronto image. Only the intended user with his secure device (mobile or hardware) will be able to scan and read the new PIN. Banks can also choose to deliver the encrypted PIN via their online banking channel or email, thus eliminating the additional costs related to hardcopy PIN mailers. This creates a cost-efficient and user-friendly process for your customers.
Dynamic linking requirements (PSD2) fulfilled
Cronto is a good fit for any bank looking to fulfill the specific dynamic linking requirements of PSD2. European legislators introduced the dynamic linking requirement to counter attacker-in-the-middle (AitM) attacks. In a typical attacker-in-the-middle scenario, a cybercriminal intercepts the communication between the customer and the banking server and alters the details of a payment transaction without the genuine payer noticing. Communication between the customer and bank can be intercepted, for instance, through a malicious WiFi network offered as a public hotspot.
PSD2’s dynamic linking requirements comprise of four parts:
- The payer is aware of the amount of the transaction and the recipient
- the authentication code for each transaction must be unique and should be specific to the recipient and transaction amount agreed by the payer when initiating the transaction
- the authentication code should correspond to the original amount of the payment transaction and the identity of the recipient as intended by the payer
- any change to the amount or recipient (typical for an AitM attack), should result in an invalid authentication code
Cronto provides a convenient solution to fulfill these requirements. When you want to initiate a transaction, simply enter the transaction data in the online banking application. Based on the amount, recipient, and other transaction details you enter, the banking server generates a Cronto code that represents the transaction data in an encrypted form. The Cronto image is then displayed instantaneously in the browser.
Scan the code using your mobile or hardware device, and the device will decode the image by decrypting the transaction data. The details of the transaction are then displayed in clear text on the mobile device or the display of the hardware device. The user verifies the payment information, and if all is well, they can authorize the transaction by authenticating themselves using PIN or biometrics for instance.
This approach meets all dynamic linking requirements described above in a manner convenient for users, as it does not require you to enter any transaction data manually on the device.
One Solution, Multiple Use Cases and an Excellent User Experience
The above use cases demonstrate that Cronto is a fit for any financial institution looking for a secure, user convenient, PSD2 compliant, and cost-efficient authentication and transaction authorization solution. Its versatility allows for use across different channels without changing the authentication and transaction flows.