U.K. Tech Defeats Banking Malware

By Anna Leach

A U.K. startup has devised new technology to defeat banking malware that outsmarted conventional security and stole millions of euros from customers.

Cambridge-based Cronto uses a special form of barcode, along with a smartphone app, to defeat “man in the browser” attacks.

Banks have spent millions securing their sites, but there is little they can do about malware that sits in the user’s browser. It was such an attack, from malware called Eurograbber, that stole €36 million ($46 million) in 2012.

This is where Cronto comes in. Cronto’s technology dodges man-in-the-browser malware by taking the transaction outside the browser.

A bank customer logs into their online bank as usual, and enters the details of a transaction, such as a transfer, or paying a bill. But rather than send those details directly from the browser, where they are vulnerable to a man-in-the-browser attack, Cronto’s technology converts all of the information into a special kind of barcode, an image made up of colored dots, that is displayed on the screen.

The user scans this image, either using an app or a special hardware device. This reads the picture, decodes it to show the transaction details so they can be checked, and if everything is correct, generates a six-digit code.

The user simply enters that six-digit code into the website and the transaction goes through.

Cronto CEO Igor Drokov said using two separate devices is much more secure. “Some solutions where you have to enter a PIN can be compromised because you only know what that number is because the bank’s website tells you. Here we create another channel of communication that is not controlled by anything on your computer.”

Cronto uses color because it lets the company fit more data into the picture. “In black and white barcodes — black can be zero and white can be one. We use color which increases the capacity of the code without having to make it bigger, each color will be another data point. It’s important for usability because you don’t want the barcode to be half of your computer screen. When you use color, you can send more data.”

The technology has already been adopted by three European banks including German giant Commerzbank which has rolled it out to its 12 million customers.

Eurograbber was able to change both the amount and the recipient. A user trying to send, say, €100 to a friend might end up sending €1000 to a hacker. But customers didn’t realize until it was too late. When users were shown a summary of the transaction for approval, Eurograbber interfered again, showing the user the intended transfer. Eurograbber even faked text messages to the user through a simple social engineering trick, asking them to confirm their phone number and sending them text messages with a fake PIN to enter.
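
The scan-and-confirm flow described earlier, and the reason it resists the amount and recipient changes described above, can be sketched as transaction-bound signing. This is an added example, not Cronto's code: the article does not describe the actual construction, so the HMAC-SHA-256 scheme, the shared device key, the JSON encoding and every function name here are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo secret; assumed to be shared by the bank and the scanning device only.
DEVICE_KEY = b"constructed-demo-key"

def _mac(key: bytes, label: bytes, body: bytes) -> bytes:
    # The label keeps the barcode tag and the approval code cryptographically separate.
    return hmac.new(key, label + b"|" + body, hashlib.sha256).digest()

def canonical(tx: dict) -> bytes:
    """Serialize deterministically so bank and device MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def six_digit_code(key: bytes, tx: dict) -> str:
    """Approval code bound to every transaction field (HOTP-style truncation)."""
    digest = _mac(key, b"code", canonical(tx))
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def make_cryptogram(key: bytes, tx: dict) -> bytes:
    """Bank side: authenticated payload that would be rendered as the barcode."""
    body = canonical(tx)
    return _mac(key, b"tag", body) + body

def device_scan(key: bytes, cryptogram: bytes):
    """Device side: reject forged payloads, else return (details to show, code)."""
    tag, body = cryptogram[:32], cryptogram[32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag", body)):
        raise ValueError("barcode payload failed authentication")
    tx = json.loads(body)
    return tx, six_digit_code(key, tx)

def bank_verify(key: bytes, tx_received: dict, code: str) -> bool:
    """Bank side: the code must match the transaction the bank actually holds."""
    return hmac.compare_digest(six_digit_code(key, tx_received), code)

if __name__ == "__main__":
    # Constructed transactions: what the user typed vs. what altered browser traffic delivers.
    intended = {"amount": "100.00", "currency": "EUR", "to": "FRIEND-ACCOUNT", "nonce": "n-001"}
    tampered = dict(intended, amount="1000.00", to="OTHER-ACCOUNT")
    shown, code = device_scan(DEVICE_KEY, make_cryptogram(DEVICE_KEY, tampered))
    print("device displays:", shown)  # the altered details are visible off-browser
    _, good = device_scan(DEVICE_KEY, make_cryptogram(DEVICE_KEY, intended))
    print("code for intended tx accepted for tampered tx:", bank_verify(DEVICE_KEY, tampered, good))
```

Because the code is derived from the amount and recipient themselves, a code the user approved for one transfer does not validate a different one, and the device shows what the bank received rather than what the browser claims.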