The Cambridge Boffs Hoping To End Cyber Bank Heists

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Cronto, a Cambridge University spin-out, believes it has a solution to the problem of banking malware

Bank heists aren’t what they used to be. Gone are the bearded, pistol-toting caricature crooks of the past (if they ever existed outside of the silver screen). They’ve been usurped by hooded hackers living in dark basements (if they exist outside of stock photo websites).

It’s safer and more profitable to rob banks online. There’s no threat of a shootout with the coppers and all the loot is digital, so there’s no need to drive around with bags full of notes in the boot. Just look at the Eurograbber attacks of last year, which were a shot in the arm for the financial industry, after €36 million (£30.7m) was pilfered from accounts across Europe.

And it’s easier, given the amount of clever tools selling on the darkmarkets. Zeus is the most famous bank Trojan. It activates every time an online banking session is opened, tricking users into handing over login information, and lets attackers steal money from customer accounts without them noticing a thing.

Internet crooks have figured out how to crack two-factor authentication too, finding ways of intercepting the codes banks send to customers – mTANs, or mobile transaction authentication numbers – when users make those transactions. This is often achieved with social engineering: tricking customers into downloading mobile software they believe to be from their bank, when in reality it has been designed to harvest those valuable mTANs. With their extra protection broken, banks are getting nervous.

Does Cronto have the answer?

Enter Cambridge University spin-out Cronto. It was set up back in 2005, but its growth was stymied by the financial crisis. Thanks to the recession, the company, despite the potential of its product, didn’t get much business. This year, it had several major German banks sign up, including the second biggest – Commerzbank AG, and Comdirect Bank AG. Now, the company wants to go global.

Its product plays in that two-factor authentication space, but with a twist, one that should make it considerably harder for attackers to crack.

When banks running the Cronto system want to send information to a customer, such as an authorisation code, it is delivered inside a proprietary two-dimensional barcode. The customer scans the barcode with their Android or iOS phone, or a device given to them by their bank, to download the information.

That data is symmetrically encrypted, so the same keys are used for locking and unlocking. There’s also a unique protocol set up between the bank and its customer, created by Dr Steven Murdoch, a member of the security group at the University’s Computer Laboratory at Cambridge, and Cronto’s chief security architect. Murdoch is somewhat famous for uncovering holes in the modern chip and PIN system – a good guy to have on board then.
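As an added sketch of the idea (not Cronto's code: its barcode format, cipher and key management are proprietary and not described here), the Go below assumes the bank and the customer's device share one symmetric key and uses AES-GCM, so the barcode payload is both encrypted and tamper-evident: malware in the browser that edits the payload cannot get the device to display anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM: AES-GCM under the shared key (an assumed cipher choice, not Cronto's).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal (bank side): encrypt and authenticate the text the device will show
// (payee, amount, authorisation code); nonce||ciphertext||tag goes in the barcode.
func Seal(key []byte, display string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per barcode
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, []byte(display), nil), nil
}

// Open (device side): a payload not produced under the shared key, or altered
// after the bank produced it, fails the tag check and nothing is displayed.
func Open(key, payload []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(payload) < gcm.NonceSize() {
		return "", fmt.Errorf("unusable key or payload")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, payload[:n], payload[n:], nil)
	if err != nil {
		return "", fmt.Errorf("barcode rejected: %w", err)
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; real keys are per customer
	payload, _ := Seal(key, "Pay ACME LTD 1250.00 GBP, code 48213907")
	fmt.Println(Open(key, payload))
	payload[len(payload)-1] ^= 1 // simulate malware altering one byte of the barcode
	fmt.Println(Open(key, payload))
}
```

The second Open call fails the GCM tag check, which is the property that matters: the device never shows a payee or code the bank did not produce.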

The protocol is a completely separate channel of communication, meaning less secure channels used by certain banks, like SMS or standard phone lines, are avoided. But that doesn’t matter for the user – they’ll only see the process below:

Ending cyber bank heists

CrontoSign will not, Cronto admits, provide 100 percent security for people’s accounts. If desktop and mobile malware gets sophisticated enough to pick up on this new kind of two-factor authentication and is able to detect when data from the bank arrives, then Cronto might have some problems.

But Igor Drokov, Cronto’s CEO, tells TechWeekEurope the process more effectively guarantees the authenticity of the parties involved than any current systems used by the banks.

Thanks to the smartphone option, Drokov thinks the CrontoSign technology has usability advantages over other two-factor options out there, like the HSBC Secure Key, which sends codes to a calculator-like device, whilst offering equal or better security. It’s that combination that could turn this business into a British security success story.

For now, he expects the product to be used predominantly by banks with sizeable balances sitting on their systems, where investors who expect only the best security can do all kinds of transfers. In the future, he’d like to see that change as cyber threats get increasingly sophisticated.

“We have relationships with UK banks and we are continuing with our business development in this area,” Drokov adds. “To a degree the need for our solution correlates to the sophistication of the Internet banking service provided.

“Our solution, because it provides a lot of usability benefits, it’s not just about security, it’s about delivering it in the most usable way, the need for this is even more prominent if you have a lot of different actions your customers can perform.

“We see potential in the UK, but maybe in the midterm.

“If everyone used this, in my personal opinion, the bad guys will move on to other targets other than the banks.”

Drokov still has some worries around the security of mobile operating systems, admitting the standalone Cronto scanning device would be more secure for customers than smartphones. “We are monitoring the status quo on mobile platforms with regards to security. If new functionality comes in to provide more trusted execution environments on mobile platforms… we will be looking to utilise it in our application.”

Given the state of Android malware, which is proliferating fast and getting ever more sophisticated, he’ll be hoping for such improvements to come along soon. Otherwise banks might not jump on Cronto’s products as fast as he hopes.
