How to prevent risks and mitigate social engineering attacks using Cronto
According to Forrester’s latest European Digital Experience Review, nearly a third (29%) of surveyed bank customers use apps on phones or other mobile devices as their top option for managing their bank accounts, while 85% use mobile banking apps frequently.
Yet the growth of online and mobile banking has happened in tandem with social engineering fraud. In fact, social engineering fraud and phishing attacks in Europe are on the rise and fraudsters focus their attention particularly on social media accounts and financial institutions. After all, a successful social engineering attack relies on user error.
Given the change in consumers’ behavior, it is crucial for banks to offer a satisfactory customer journey while safeguarding users from social engineering fraud.
OneSpan’s Cronto solutions help financial institutions protect against social engineering attacks while offering an intuitive user experience regardless of the consumer's channel. In this blog, we explore how financial institutions can achieve these goals, especially with new digital channel use.
Social engineering fraud is on the rise
Bad actors are always looking for ways to exploit events and world crises. One of the most common forms of social engineering attack preys on the vulnerable by masquerading as government entities, sending emails with precautionary measures, or selling products promising to fix whatever the current problem is. Scammers entice people to divulge sensitive information (such as bank account details), click on malicious website links, or even conduct monetary transactions.
And you can’t always blame the user for not recognizing a scam from the real thing. Phishing attacks have become increasingly harder to detect as bogus websites are almost identical to the websites they target. Automation tools and crime-as-a-service packages make it even easier for cybercriminals to target a broader audience, thereby increasing their chances of success.
Stand out in the crowd: Pair security with an outstanding user experience
Phishing is not confined to the online world. Malware can be circulated via WhatsApp, Messenger, and even SMS. Worth noting is that financial institutions rank second as the most targeted industry after social media platforms.
The best practices to avoid falling prey to various types of social engineering attempts such as adversary-in-the-middle (AiTM) attacks - also known as man-in-the-middle (MiTM) attacks - and phishing schemes, still apply:
- Think before you click
- Never share personal information
- Verify a website’s security
Every bank and financial organization has flagged them numerous times through mailing campaigns, in call centers, and even by building warning signs within the app.
Despite banks investing countless resources in reducing fraud risk, social engineering attacks still remain successful today. It is difficult to reduce social engineering fraud, because it exploits the users themselves rather than holes within a security strategy.
So how can banks help customers steer away from social engineering schemes without encumbering their user experience?
OneSpan’s Cronto® technology helps financial institutions drive down fraud. Cronto mitigates human risk in online banking transactions by moving transaction authorization control from the user to the trusted device and the bank.
Put simply, Cronto technology creates a secure channel between the bank and the customer, ensuring message authenticity. Users can be assured that the transaction request they are being asked to sign originates from the bank. Within this secure channel, only the bank can initiate an authorization code, and only the customer’s authorized device can read the code.
How Cronto combats social engineering
Cronto greatly reduces the risk of customers being tricked into revealing an authorization code and blocks criminals from intercepting and manipulating transactions.
The solution uses a visual challenge encoded in a cryptogram. The bank initiates the Cronto code following a genuine transaction request and displays it on the customer's screen for transaction authorization.
The Cronto code contains encrypted transaction data, including the transaction amount and recipient account details. This makes the Cronto code unique for each transaction. There is no PIN number or password to steal through a social engineering scheme. Furthermore, if a fraudster intercepts the code and changes anything, such as the beneficiary account, the code will become invalid.
How Cronto simplifies and secures the user experience
The Cronto visual transaction signing solution enables banks to secure financial transactions with minimal friction. The entire process of scanning a code, verifying transaction details, and signing the transaction is completed within seconds.
Users also don’t need to manually enter a passcode to sign a transaction, which helps create a better user experience. In addition, peace of mind is an important factor for a positive user experience. The ”what you see is what you sign” principle makes the transaction signing process very intuitive and transparent.
Using Cronto technology allows banks to serve their entire customer base – regardless of the customer's preference for a mobile or hardware token. The solution provides a consistent user experience for every customer, regardless of the channel they use, without adding additional authentication friction to the user experience. The latter will be crucial in convincing new or first-time users to continue to leverage online or mobile banking services. Banks that get this right will gain a competitive edge.
Cronto helps banks effectively reduce social engineering fraud by mitigating human risk, creating a secure banking experience, and offering an easy and intuitive customer journey.
Learn how OneSpan helps financial institutions deliver better customer experiences.
Blog
See what happens when you combine two of the most powerful security solutions
VISION FX combines the benefits of FIDO and Cronto® technology to help banks future-proof security.
Learn more
