CrontoSign
- 2. Trojan Malware: Man-in-the-Browser
No Transaction Signing = Stop-Gap
• Extra passwords, secret questions, OTP tokens etc. DO NOT WORK!
• Need to authenticate the TRANSACTION, not just the user
"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009" Avivah Litan, vice president and analyst at Gartner.
© 2012 Cronto Limited
- 3. Choosing Transaction Signing
Criteria | Requirement
Client Option | Hardware Device & Mobile Application
Data Capacity | 60-100 free text characters
User Experience | The concept is familiar to the user
Speed | < 1s decoding performance
Robustness | Works on all mobile/computer screens and in various lighting conditions
Personalisation | Ability to Re-Personalise device/app
Security | Encrypted data, transaction signature
Maturity | Proven performance, ready for rollouts
- 4. CrontoSign
• Designed for online banking
- full transaction signature
- dynamic: no hardcoded use cases
- effective personalisation
• Based on a simple concept familiar to the user – take a picture
• Uses colour to increase data capacity, speed and robustness
• Available as mobile software and standalone hardware
- 5. Cronto Visual Transaction Signing
Click
1. Bank generates the Cronto visual cryptogram and Customer takes a photo of the computer screen using the CrontoSign client.
- 6. Cronto Visual Transaction Signing
Check
2. Customer checks payment details on the phone comparing to the web page and enters the authorisation code if details are correct
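The two steps above, and slide 2's point that the transaction rather than just the user must be authenticated, as an added illustration; it is not Cronto's code or algorithm. The HMAC-SHA256 truncation, the key, nonces, field names and account values are assumptions constructed for the demo, and the cryptogram's encryption and image encoding are omitted.

```python
import hashlib
import hmac
import json

def canonical(tx):
    # Stable byte encoding so bank and device compute the MAC over identical bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def signing_code(device_key, tx, nonce, digits=8):
    # Authorisation code bound to the transaction details (assumed construction):
    # HMAC-SHA256 over nonce + details, truncated to a short decimal code.
    mac = hmac.new(device_key, nonce + canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def device_read(device_key, cryptogram):
    # Device side: details for the trusted display plus the code to type in.
    # A real cryptogram is encrypted; this demo carries the fields in the clear.
    tx, nonce = cryptogram["tx"], cryptogram["nonce"]
    return tx, signing_code(device_key, tx, nonce)

def bank_verify(device_key, tx_received, nonce, code):
    # Bank recomputes the code over the transaction it is about to execute.
    return hmac.compare_digest(signing_code(device_key, tx_received, nonce), code)

def otp_verify(expected_otp, otp, tx_received):
    # User-only authentication: the transaction never enters the check.
    return hmac.compare_digest(expected_otp, otp)

def demo():
    key = b"constructed-demo-device-key-0001"  # constructed sample key
    intended = {"payee": "ACME Ltd", "account": "DEMO-0001", "amount": "120.00"}
    tampered = dict(intended, account="DEMO-9999", amount="9200.00")
    # Man-in-the-browser: the page shows `intended`, the bank receives `tampered`.
    shown, _ = device_read(key, {"tx": tampered, "nonce": b"nonce-2"})
    # A code the customer produced for the genuine payment, reused on the altered one.
    _, good_code = device_read(key, {"tx": intended, "nonce": b"nonce-1"})
    return {
        "otp_accepts_tampered": otp_verify("493817", "493817", tampered),
        "customer_sees_mismatch": shown != intended,
        "genuine_accepted": bank_verify(key, intended, b"nonce-1", good_code),
        "reused_code_on_tampered": bank_verify(key, tampered, b"nonce-1", good_code),
    }

if __name__ == "__main__":
    print(demo())
```

The OTP check passes for the altered payment because the payment never enters it, while the signing flow either shows the altered details on the device or rejects a code issued for different details.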
- 7. Encrypted Free Text Transaction Encoding
Bank chooses what data to encode and when
- 8. Dynamic Personalisation
• CrontoSign Device/App is distributed unpersonalised
• Secure credentials provisioned via a CrontoSign image
• Update credentials without replacing the device
NO Seed Data stored by Cronto
- 9. Try CrontoSign
• Download CrontoSign demo app, available from:
- Apple App Store
- Android Market
• www.crontosign.com/get
• Use it at:
- www.crontosign.com
contact@cronto.com
+44 1223 750001
www.cronto.com