Security Solution For Man-in-the-Browser Attacks

A security solution developed by Cronto that protects against Man-in-the-Browser attacks, one of the most serious threats to online banking customers, and which is responsible for millions in annual losses to the banking sector, iwireless sensor networkss being rolled out across Europe by a Cambridge University spin-out.

A Cambridge-based company Cronto in collaboration with one of Germany’s largest banks, has developed the technology that will help protect customers against the threat masqueraded by Man-in-the-Browser Trojan malware. Cronto’s aim was to produce a solution that was easy to use for millions of customers, but robust enough to meet the security challenges faced by banks.

Man-in-the-Browser is a security attack where the perpetrator installs a Trojan horse on a victim’s computer that is capable of modifying that user’s Web transactions as they occur in real time. According to security expert Philipp Guhring, the technology to launch a man in the browser attack is both high-tech and high priced. Use of the tactic has been limited to financial fraud in most cases, due to the resources required. Both Firefox and Internet Explorer on Windows have been successfully targeted.

“Man-in-the-Browser attacks in combination with social engineering techniques are the most present and active threat to online banking,” says Dr Elena Punskaya, Affiliated University Lecturer in the Department of Engineering and Co-founder and Chief Technology Officer at Cambridge-based company Cronto. “A combination of the malware and social engineering allows fraudsters to build a plausible story in order to initiate and hide the fraudulent payments.” Trojan attacks of this type can cause customers to lose millions: in 2012, a single Trojan attack known as “Eurograbber” was discovered to have illicitly transferred over €36 million from unsuspecting banking customers.

According to Igor Drokov, Cronto’s CEO, security in the world of online banking has to go beyond identifying who a customer is, whether via a password, the street they grew up on or the name of their pet goldfish. “That’s not enough,” he says. “To combat the level of sophistication poised by Trojan malware, the bank also needs to verify the action that the customer is trying to perform, whether it’s a purchase, a transfer or a change of address.”

The solution developed by Cronto protects against Trojan attacks by using a visual channel to transfer data securely from the bank to the customer. This Trojan horse, which is a type of malware, presents itself as a safe gift in order to convince users to install it, appearing as a legitimate software program. Once installed, hackers gain access to the computer in order to steal information or harm the system.

The Cronto solution allows the bank to generate a pattern of coloured dots – a proprietary two-dimensional barcode containing the data which the bank is trying to send to the customer, which is decoded by the customer using the solution mobile application or standalone hardware device. The company’s technology provides a secure “envelope” around the data so that it can be displayed to the customer on a trusted display for verification in any environment over any unsecured channel. Although, the Trojan can see the image being sent by the bank but it cannot change the secure data inside.

Trojan attacks are prevalent and growing. Security firm McAfee in their threats report has identified more than 1.5 million different Trojan malware variations in 2012, with financial services websites a popular target. Trojans are especially dangerous as they control both what the bank receives from the customer and what the customer sees in their browser – a type of attack known as Man-in-the-Browser.

In an example displayed by Cronto, during a Man-in-the-Browser attack, a customer may log on to their account on a real banking website and initiate a transfer to another account. The Trojan will detect this activity and will both increase the amount of the transfer and change the destination account number to that of the fraudster. Once the bank confirms that the transfer has occurred, the malware will change what is displayed to the customer, making them think that their desired transaction has been carried out. Effectively, the malware can freely alter the web page as it is displayed to the customer, and modify the requests sent back to the bank, so neither can detect that the fraud is taking place.

The 2D barcode which the team at Cronto developed allows the bank to securely transfer a message of over 100 characters that is decoded by the company’s application or hardware device in fractions of a second. The specific features of the image have been developed by testing machine learning algorithms on large datasets of images captured in different conditions.

Using the application or hardware device, the customer scans the image. Providing the security conditions are met, the customer will see the message from their bank, which is typically asking them to confirm the action they are attempting to perform, highlighting any aspects of the transaction which are out of the ordinary. To confirm the transaction, the customer simply uses a six-digit code, generated by the app or device, and enters it into their browser. The code acts as the customer’s signature for this specific instruction, and once received and validated by the bank, completes the transaction.

The technology can be used in any environment and is highly adaptable, as it gives the banks the ability to change the message they wish their customers to see, whether in response to an emerging security threat, or simply to allow the customer to perform a different type of transaction.

While Cronto is currently focused on the online banking sector, the team also sees commercial possibilities for their technology in e-commerce, peer-to-peer online payments, or any other application where there is a need to create a trusted connection between two parties.


University of Cambridge