By David Vergara, Senior Director of Product Marketing at OneSpan
In recent years, the booming growth of mobile applications has changed the way we go about our daily lives. We use these apps for just about everything imaginable, from shopping and communicating to managing our finances.
Back in 2018, a survey by Deloitte of over 17,000 consumers reported that 94% of mobile banking users also used online banking at least once a month. Furthermore, a report into the state of UK finance in 2020 found that only 7.7% prefer in-branch visits for their banking, with the vast majority using online or mobile channels. Now, with the global pandemic, consumers who weren't using digital banking platforms have been pushed to adopt them by social distancing mandates. While this has helped to keep individuals safe, it has also enlarged the attack surface available to cybercriminals.
Cyberattacks have become so sophisticated that users can unknowingly install malware onto their laptops or desktop computers and fall victim to man-in-the-browser (MitB) attacks, or have their traffic intercepted in a man-in-the-middle (MitM) attack. This has serious consequences for online banking. Fortunately, a trusted mobile device can offer an additional layer of security and help defend against these threats through app-based transaction data signing.
Man-in-the-middle attacks: What are they?
MitM attacks occur when a cybercriminal is able to intercept communications between a customer's device and the banking server. The attacker can then alter details of a transaction without the customer ever noticing. A normal transfer of 100 pounds could be changed to 1,000 pounds, or redirected to a different payee, by a malicious actor.
There are several ways to intercept these communications. One example is a banking customer using a public hotspot. These public Wi-Fi networks are often insecure, so when a user carries out a transaction while connected to one, they may unknowingly be routing their financial transaction data through a network controlled by a cybercriminal. Properly validated TLS is meant to stop an on-path attacker from reading or changing that traffic, which is why real-world attacks typically also rely on the user accepting a bogus certificate or captive-portal page, or on MitB malware that sits inside the browser and alters the transaction before it is ever encrypted. Either way, the customer's screen shows what they intended while the bank receives something else.
Man-in-the-middle attacks: How to combat them?
In Europe, the Revised Payment Services Directive (PSD2) has pushed banks and financial institutions to evolve both their mobile and online banking experiences, which has driven the adoption of measures that counter MitM attacks.
PSD2 sets out requirements for Strong Customer Authentication (SCA) together with dynamic linking, also known as transaction data signing. The dynamic linking requirement protects a transaction in three ways. First, the payer must authenticate the specific transaction data they entered, such as the amount and the payee, and confirm that it is correct. An authentication code is then generated that is bound to that transaction data, so that any change in the amount or payee invalidates the code: a code produced for 100 pounds to one account cannot be reused for 1,000 pounds or for another account.
Second, the confidentiality and integrity of the transaction data must be protected throughout the authentication process, so a bad actor cannot intercept and alter the details before they are signed. This ensures the authentication code is generated over the authentic transaction details rather than over whatever the attacker substituted.
Finally, the customer must be made aware of the transaction data they are asked to authenticate. This means the amount and payee need to be presented to the customer, on a channel the attacker does not control, at the time of authorization.
Cronto Technology: putting the theory into practice
Transaction verification using Cronto technology is one way banks protect their customers against MitB and MitM attacks.
Cronto secures the communication channel to protect the confidentiality and integrity of the transaction. It then presents the transaction data in plain text so the user can confirm it matches their intended transaction before an authentication code is generated from the transaction's details. Cronto is delivered through a mobile app on a trusted second device: the bank displays a colour QR-like image in the browser, and the customer scans it with the app.
Only the bank is able to generate this image, and only the user's enrolled mobile device can decrypt it. This approach simplifies the experience because it reduces the user interaction required to authenticate a transaction: customers simply point their phone at the screen to scan the image, check the amount and payee shown on the phone, and type the resulting response code into the browser. Because the image is encrypted and authenticated end to end between the bank and the app, malware on the PC or an attacker on the network can neither read nor alter the details the customer sees, and a response code generated for one set of details is useless for any other.
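The following is an added illustration of the dynamic linking flow described in the PSD2 section above and of the scan-and-respond exchange just described; it is not Cronto or OneSpan code, and it says nothing about how the colour image itself is encoded. It assumes a per-device secret shared between the bank and the enrolled phone, an HMAC-SHA256 construction over a canonical encoding of the transaction, and an 8-digit truncated response code; all of these are assumptions chosen for the example. The scenarios show why an altered amount, a replayed code, or a forged challenge each fail.

```python
"""Dynamic linking (transaction data signing) with a second device.

Added example, not vendor code. The message layout, the use of HMAC-SHA256
and the 8-digit truncation are assumptions made for illustration only.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key: in practice it is provisioned at enrolment and
# held in the phone's secure storage and the bank's HSM, never in source.
DEVICE_KEY = hashlib.sha256(b"constructed example device key").digest()
CODE_DIGITS = 8
TAG_LEN = 32


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so bank and device MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def bank_create_challenge(key: bytes, txn: dict, nonce: str) -> bytes:
    """Bank side: bundle the transaction the bank holds with a fresh nonce
    and authenticate it. This is the payload the scanned image would carry."""
    body = canonical(dict(txn, nonce=nonce))
    tag = hmac.new(key, b"challenge|" + body, hashlib.sha256).digest()
    return tag + body


def device_decode_challenge(key: bytes, blob: bytes) -> dict:
    """Device side: only accept a challenge the bank actually produced."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, b"challenge|" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("challenge failed authentication; possible tampering")
    return json.loads(body)


def response_code(key: bytes, payload: dict) -> str:
    """Authentication code bound to amount, payee and nonce. The device
    computes this only after the user has seen and confirmed the details."""
    mac = hmac.new(key, b"response|" + canonical(payload), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def bank_verify(key: bytes, txn_record: dict, nonce: str, code: str) -> bool:
    """Bank recomputes over the transaction *it* is about to execute, so a
    code produced for different details never matches."""
    expected = response_code(key, dict(txn_record, nonce=nonce))
    return hmac.compare_digest(expected, code)


def customer_confirms(intended: dict, shown: dict) -> bool:
    """Stand-in for the human check on the second device: every field the
    customer typed in the browser must appear unchanged on the phone."""
    return all(shown.get(k) == v for k, v in intended.items())


def run_scenarios(key: bytes = DEVICE_KEY) -> dict:
    """Honest transfer, MitB-altered amount, replayed code, forged challenge."""
    intended = {"amount": "100.00", "currency": "GBP", "payee": "GB29NWBK60161331926819"}
    altered = dict(intended, amount="1000.00")  # what MitB malware sends instead
    nonce = "a1b2c3d4e5f60718"  # constructed; the bank would draw this at random
    results = {}

    # 1. Honest flow: bank holds the intended details, phone shows them, code verifies.
    blob = bank_create_challenge(key, intended, nonce)
    shown = device_decode_challenge(key, blob)
    results["honest_confirmed"] = customer_confirms(intended, shown)
    honest_code = response_code(key, shown)
    results["honest_verified"] = bank_verify(key, intended, nonce, honest_code)

    # 2. MitB changed the amount in transit: the phone now displays 1000.00,
    #    so the customer refuses and never types a code.
    blob = bank_create_challenge(key, altered, nonce)
    shown = device_decode_challenge(key, blob)
    results["mitb_customer_confirms"] = customer_confirms(intended, shown)

    # 3. Attacker submits the code captured in scenario 1 for the altered
    #    transaction: the bank recomputes over 1000.00 and rejects it.
    results["replayed_code_verified"] = bank_verify(key, altered, nonce, honest_code)

    # 4. Attacker rewrites the challenge so the phone shows 100.00 while the
    #    bank holds 1000.00: the authentication tag no longer matches.
    forged = blob.replace(b'"amount":"1000.00"', b'"amount":"100.00"')
    try:
        device_decode_challenge(key, forged)
        results["forged_challenge_rejected"] = False
    except ValueError:
        results["forged_challenge_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The important design points are that the bank derives the expected code from its own record of the transaction rather than from anything the browser sends back, that the nonce stops a confirmed code from being replayed for a later payment, and that the human check happens on a display the PC malware cannot reach. The example covers integrity and binding only; a real deployment also encrypts the challenge so an observer of the screen cannot learn the details.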
As a result, banks can offer a quick, user-friendly security solution that protects customers, ensures compliance and ultimately improves the user experience.