UK banking security specialist Cronto believes it has discovered significant weaknesses in the enhanced security measures recently introduced by a number of the major UK banks in their internet banking services.
In order to counteract the increasing threat from fraudsters now mounting attacks on popular web banking services, several of the UK banks have recently distributed Chip and PIN based authentication devices which their customers are now required to use to gain access to certain services provided over the web.
Customers are finding the new chip card readers difficult and cumbersome to use, as key transaction details have to be manually re-entered into the small keypad of these devices, and the authentication codes generated then typed back into the web page. In spite of these difficulties, the banks perceive the threat to be so serious that this technology is nevertheless being rolled out in large numbers.
In order to address some of the usability issues of these devices, banks have tended to restrict this level of security to only the most ‘high risk’ class of transactions, for example the setting up of new third party payment mandates.
Cronto, a UK security company specialising in this area, has analysed these recent developments, and believes that although transaction authentication is definitely a step in the right direction, the threat has not been eliminated altogether and web banking systems remain vulnerable to fraudster attacks.
“The threat comes from so-called ‘man in the middle’ attacks where the fraudster connects his computer between the customer and the bank. The customer thinks he is talking directly to the bank and the bank thinks it is talking directly to the customer. In fact the fraudster is sitting in the middle of the communication. This scenario has already been experienced by several major banks’ systems worldwide.
“The introduction of Chip and PIN devices, whilst addressing some of the security issues, can however present new opportunities for attack since its security relies on the correct information always being keyed into the trusted device. The problems in the UK arise mainly through operational procedure and customer perception – but they are still very real. Cronto will be contacting the UK banks individually to make them aware of their findings,” say Igor Drokov and Elena Punskaya, founders of Cronto.
Cronto is concerned that banks and their customers may feel lulled into a false sense of security by the introduction of these new security measures, whilst fraudsters continue to exploit every opportunity to attack these sites.
“Transaction authentication offers powerful security and significantly reduces banks’ overall risk of fraud. It guarantees the integrity of a financial transaction and is to be welcomed. However, the issues of usability of the security devices now being deployed and the existence of some subtle opportunities for the fraudster offered by UK web banking systems are of concern,” says Drokov.
The problem faced by the banking market in general is how to introduce solid security without making their web banking systems unusable for the customer. Cronto believes that strong transaction authentication using visual signing technology offers a more user-friendly approach than awkward card-based authenticators.
“With the use of Cronto visual cryptograms there is no need to re-key challenge codes and ‘man in the middle’ attacks can be prevented. The problem goes beyond the security device used and a holistic view of the solution is required. The chip card based solution is not intrinsically insecure but its operation by the customer can introduce opportunities to the fraudster which may not have been anticipated,” says Punskaya.
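The point made in the two quotations above, that a transaction-signing device can only authenticate the values that are actually keyed into it, is easier to see with a small model. The following Python is an added illustration written for this page; it is not Cronto's code and does not describe any particular bank's reader. The HMAC construction, the field names, the challenge and the account numbers are all constructed for the example. It runs three cases through the same verification: all material fields signed and tampered in transit (rejected), only the amount signed (tampering of the payee goes undetected), and all fields signed but the customer keys the values shown on a tampered page (also undetected, because the device faithfully signs what it was given).

```python
import hmac
import hashlib

# Constructed demo key standing in for the secret shared by the bank and the
# customer's chip card. Not a real key and not any bank's scheme.
CARD_KEY = b"constructed-demo-card-key"

# Fields of a third-party payment that the text describes being re-keyed.
FIELDS = ("payee_account", "amount")


def device_code(key: bytes, challenge: str, keyed_values: list) -> str:
    """Model of the card reader: an HMAC over the challenge plus whatever the
    customer typed. The device has no way to know whether those values are
    the ones the customer intended."""
    msg = "|".join([challenge, *keyed_values]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify(key: bytes, challenge: str, received_values: list, code: str) -> bool:
    """Bank side: recompute the code over the transaction it actually received
    and compare in constant time."""
    expected = device_code(key, challenge, received_values)
    return hmac.compare_digest(expected, code)


def run_transaction(signed_fields, customer_keys, bank_receives, challenge="40917362"):
    """Return True if the bank accepts the transaction it received.

    signed_fields: which fields the scheme requires the customer to key in.
    customer_keys: the values actually typed into the reader.
    bank_receives: the values in the request that reaches the bank.
    """
    keyed = [customer_keys[f] for f in signed_fields]
    code = device_code(CARD_KEY, challenge, keyed)
    received = [bank_receives[f] for f in signed_fields]
    return bank_verify(CARD_KEY, challenge, received, code)


# Constructed transaction values: what the customer intends, and an altered
# copy standing in for a request modified between customer and bank.
INTENDED = {"payee_account": "11223344", "amount": "100.00"}
TAMPERED = {"payee_account": "99887766", "amount": "100.00"}


def scenarios() -> dict:
    # 1. Both fields signed, customer keys the intended values, request altered
    #    in transit: the bank's recomputed code does not match, so it rejects.
    full_binding = run_transaction(FIELDS, INTENDED, TAMPERED)

    # 2. Only the amount is signed (a usability shortcut): the payee lies
    #    outside the signed data, so the altered request verifies.
    partial_binding = run_transaction(("amount",), INTENDED, TAMPERED)

    # 3. Both fields signed, but the customer keys the values displayed on a
    #    tampered page rather than the intended ones: the code is valid for the
    #    altered transaction. Detection here rests on the customer comparing
    #    what is keyed against what they meant to pay, not on the device.
    keyed_from_screen = run_transaction(FIELDS, TAMPERED, TAMPERED)

    return {
        "full_binding_rejects_tamper": not full_binding,
        "partial_binding_accepts_tamper": partial_binding,
        "screen_copied_accepts_tamper": keyed_from_screen,
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The defensive reading of the three outcomes is the one the text gives: the cryptography is sound, so the controls that matter are scheme design (every field a fraudster would want to change must be inside the signed data) and operating procedure (the customer must key values they have independently decided on, and the device should display what it is about to sign). Both are exactly the usability pressures the release describes.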
UK banks are not alone in having these problems as banks worldwide struggle to stay ahead of the on-line fraudster.