Protecting against Online Banking Threats: There’s an App for That

Frauke De Graeve,

From fitness to finances, mobile apps have changed our day-to-day lives. Not only are people using their phones for mobile banking, they are also using their mobile devices and apps to secure their online banking transactions as well.

Many mobile banking users are also avid consumers of online banking. In 2018, the Deloitte Center for Financial Services ran a survey of 17,100 consumers in 17 countries. According to the firm, “mobile banking customers who responded to our survey continue to use online banking channels extensively: 94% use the online channel at least once a month.”

People carry their phones with them everywhere and it’s become routine to have the phone handy when doing online banking on a laptop or desktop computer. This enables an elegant solution for use cases like out-of-band authentication and transaction data signing to protect against Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks. Unfortunately, it’s still all too easy to unknowingly download malware onto a computer or laptop – and fall prey to financial fraud. Using a trusted mobile device as an additional layer of security during online banking is a simple way to defend against sophisticated online threats.  

When Deloitte looked at how likely consumers would be to increase their use of online and mobile banking, security was the #1 concern holding them back. Globally, 56% of respondents would make greater use of online banking if there were stronger data security in place. In this blog, we look at a specific type of security for online banking: app-based transaction data signing.

PSD2 and Transaction Data Signing (Dynamic Linking)

In Europe, as banks and other financial institutions (FIs) evolve their online and mobile banking experiences, they must also comply with the Revised Payment Services Directive (PSD2). PSD2 sets out requirements for Strong Customer Authentication (SCA) as well as dynamic linking, also known as transaction data signing.

European legislators introduced the dynamic linking requirement to counter Man-in-the-Middle (MitM) attacks. In a typical Man-in-the-Middle scenario, a cybercriminal intercepts the communication between the customer and the banking server, and alters the details of a payment transaction without the genuine payer noticing. One of the ways to take over the communication channel between the customer’s laptop (or any other device) and the bank can be a malicious Wi-Fi network offered as a public hotspot. People take advantage of public hotspots, not realizing they may be transferring their financial transaction data through a network controlled by a bad actor. Imagine a genuine transfer of 100 Euros to a friend being changed into a rogue transfer of 1000 Euros to an imposter!

PSD2’s dynamic linking requirement consists of three parts. First, it requires that the payer authenticate the transaction by calculating an authentication code over the transaction data, such as the amount of the transaction and information identifying the payee. The authentication code needs to be linked to the transaction data, so that any change in transaction details would invalidate the code.

Second, the confidentiality and integrity of the transaction data needs to be protected throughout the authentication process, so a bad actor cannot intercept and alter the details. This ensures the authentication code is calculated based on the genuine transaction details.

Finally, the customer needs to be aware of the transaction data they are asked to authenticate. This means that the transaction data needs to be presented to the customer at the time of authorization (also referred to as “What You See Is What You Sign”).

How Cronto Technology Mitigates the Risk

Cybercriminals use social engineering and banking Trojans to alter financial transactions and steal funds. Cronto thwarts these attacks by protecting the transaction authorization process. It’s a user-friendly way to block bad actors that target online and mobile banking.

Cronto technology does this by:

  • Establishing a secure communication channel to protect the confidentiality and integrity of the transaction data
  • Presenting the transaction details in plain-text to the customer, so that he or she can make sure they correspond to the intended transaction
  • Calculating an authentication code based on the details of the transaction

Because Cronto is available as a mobile app, the customer simply scans the Cronto code (essentially a colorful cryptogram similar to a QR code) with their phone to verify the details of their payment. The Cronto code contains the encrypted details of the transaction. Only the bank can generate this visual code and only the customer’s phone can decrypt it. The customer can then authorize the transaction by replying back to the bank with the response code generated by the Cronto image.

This visual approach to transaction signing simplifies the experience because it reduces the user interaction required to verify a transaction – customers simply point their phone at the screen and enter a response code into the browser. This allows all of the encrypted transaction details to be communicated between the bank and customer without the risk of interception or tampering by hackers. To see Cronto in action, watch a video demo.

Widespread Adoption of Cronto Technology

Visual transaction signing is among the most common methods used to protect online banking transactions. We are seeing increasingly adoption of “scan and sign” transaction signing globally, both in retail and commercial banking, because it’s so easy to use. It’s also a proven, cost-effective way to protect against malware. Select banks that have implemented Cronto include:

United Bulgarian Bank

United Bulgarian Bank (UBB) is part of the Belgian KBC Group, the biggest banking and insurance group in Bulgaria. It is the third largest bank in Bulgaria by assets, with a market share of nearly 11%. As part of UBB’s innovations strategy, the bank launched its mobile banking app, UBB Mobile. To protect its app from mobile malware, the bank turned to OneSpan’s Mobile Security Suite, a set of mobile SDKs for integrating application security, biometric authentication, and Cronto technology. UBB added the ability to sign transactions initiated via online banking using Cronto. The bank implemented Cronto to meet the PSD2 dynamic linking requirement and help mitigate human risk in online banking transactions. 

Bank of Cyprus

Bank of Cyprus Group is the leading banking and financial services group in Cyprus. The bank provides a wide range of financial products and services, including retail and commercial banking, investment banking, and insurance. The Bank of Cyprus needed to comply with PSD2 requirements for Strong Customer Authentication and dynamic linking. However, because the regulation is technology-neutral, it does not prescribe a specific method for implementing transaction signing. After several consultations and demonstrations that confirmed OneSpan’s solutions comply with PSD2 requirements, the Bank of Cyprus chose Cronto and other technologies available through the OneSpan Mobile Security Suite. (watch the Bank of Cyprus demo here)

Jibun Bank

When Man-in-the-Browser attacks first started causing havoc, Japanese Internet bank Jibun Bank looked for effective countermeasures that would not hinder user experience. Today, transaction signing is available in Jibun Bank’s mobile banking application, Smartphone Authentication Service. When customers complete transactions via the application, they don’t need to input additional information to authenticate themselves. When transactions are carried out via a PC, the transaction signing feature works as two-way authentication to defeat online fraud. 

Volkswagen Bank

Volkswagen Bank, established in 1949, is a wholly owned subsidiary of Volkswagen AG. Their products range from financing new and used Volkswagen vehicles to dealer financing. Volkswagen Bank leveraged the OneSpan Mobile Security Suite to develop and protect their PhotoTAN-App. This application was designed to communicate directly with Volkswagen Bank and allows its users to initiate banking transactions through their mobile device. The OneSpan Mobile Security Suite provides security for the application including biometric authentication, application shielding, and Cronto technology. Like UBB, the OneSpan Cronto solution enables the bank to comply with the PSD2 dynamic linking requirement.

To learn more about taking a visual approach to transaction signing, visit the OneSpan Cronto page.

Cronto Transaction Authorization

Combat social engineering attacks and mitigate human risk in banking transactions

Learn about the latest social engineering attacks and how cybercriminals exploit vulnerabilities in the transaction authorization process for account takeover. Minimize risk with industry best practices and technology recommendations.

Download the Social Engineering eBook