Cronto Points out Weaknesses in New UK Chip and PIN Web Banking Security


CAMBRIDGE, England, February 26 /PRNewswire/ -- UK banking security specialist Cronto believes it has
discovered significant weaknesses in the enhanced security measures recently
introduced by a number of the major UK banks in their internet banking
services.

In order to counteract the increasing threat from fraudsters
now mounting attacks on popular web banking services, several of the UK banks
have recently distributed Chip and PIN based authentication devices which
their customers are now required to use to gain access to certain services
provided over the web.

Customers are finding the new chip card readers difficult and
cumbersome to use, as key transaction details have to be manually re-entered
into the small keypad of these devices, and the authentication codes
generated then typed back into the web page. In spite of these difficulties,
the banks perceive the threat to be so serious that this technology is
nevertheless being rolled out in large numbers.

In order to address some of the usability issues of these
devices, banks have tended to restrict this level of security to only the
most 'high risk' class of transactions, for example the setting up of new
third party payment mandates.

Cronto, a UK security company specialising in this area, has
analysed these recent developments, and believes that although transaction
authentication is definitely a step in the right direction, the threat has
not been eliminated altogether and web banking systems remain vulnerable to
fraudster attacks.

Cronto's founders, Igor Drokov and Elena Punskaya, commented:
"The threat comes from so called 'man in the middle' attacks where the
fraudster connects his computer between the customer and the bank. The
customer thinks he is talking directly to the bank and the bank thinks it is
talking directly to the customer. In fact the fraudster is sitting in the
middle of the communication. This scenario has already been experienced by
several major banks' systems worldwide. The introduction of Chip and PIN
devices, whilst addressing some of the security issues, can however present
new opportunities for attack since its security relies on the correct
information always being keyed into the trusted device. The problems in the
UK arise mainly through operational procedure and customer perception - but
they are still very real. Cronto will be contacting the UK banks individually
to make them aware of their findings."

Cronto is concerned that banks and their customers may feel
lulled into a false sense of security by the introduction of these new
security measures, whilst fraudsters continue to exploit every opportunity to
attack these sites. "Transaction authentication offers powerful security and
significantly reduced banks' overall risk of fraud. It guarantees the
integrity of a financial transaction and is to be welcomed. However, the
issues of usability of the security devices now being deployed and the
existence of some subtle opportunities for the fraudster offered by UK web
banking systems are of concern" says Drokov.

The problem faced by the banking market in general is how to
introduce solid security without making their web banking systems unusable
for the customer. Cronto believes that strong transaction authentication
using visual signing technology offers a more user friendly approach than
awkward card based authenticators. "With the use of Cronto visual cryptograms
there is no need to re-key challenge codes and 'man in the middle' attacks
can be prevented. The problem goes beyond the security device used and a
holistic view of the solution is required" says Punskaya. "The chip card
based solution is not intrinsically insecure but its operation by the
customer can introduce opportunities to the fraudster which may not have been
anticipated."

UK banks are not alone in having these problems as banks
worldwide struggle to stay ahead of the on-line fraudster.

About Cronto:

Cronto Limited was established to provide a revolutionary new
response to the ever increasing problem of online fraud. The company combines
leading-edge engineering research pioneered at the University of Cambridge
(UK) with business and technology expertise to deliver a unique,
patent-pending visual signing solution for strong transaction verification.
For further information, please visit http://www.cronto.com.

For further information contact:

    Nigel Walsh
    Cronto Limited
    Tel: +44-(0)1223-750001
    E-mail: nigelw@cronto.com



© PR Newswire Association LLC.
