Why would I need a token?

The fact that money disappears from bank accounts has been known long enough. Attacks on account holders take various forms and become increasingly sophisticated. Our idea of virtual theft may differ significantly from how the thing actually goes down.

And it usually does in a stealth mode, sometimes under the tightly closed lid of our laptops. In its 2015 report, KasperskyLab points out that the dealings of just one hacker group called Carbanak, which targeted around 100 banks in Europe and China, brought a total loss of USD 1 trillion in the course of a year. Let us remember that the published data is probably incomplete, and such scams do spread much wider.

Hackers take advantage of our naivety and ignorance. Just a minute-long distraction, opening an infected attachment, logging in on a doctored site or leaving a smart card in the reader – are all that’s needed. What you see on your computer screen may be different from what you send to your bank, even though you have typed it directly from your keyboard.

More complex attacks can infect our phones and workstations. Under certain conditions, serving a bogus notification does not pose any problem. And when it happens, the one who gets it has practically no chance of defending themselves.

We most often find out about the loss of our funds post-factum, when it’s too late to block the funds. The consequences can be very painful:  liquidity risk and high stress are just the first of them. Could there be a way to find out about a potential attack at the right moment?

At Comarch, as early as in 2012, we had our hands full working on a concept of a device called tPro Touch whose main goal was to create a secure communication channel with the bank and find an equally secure way to show transaction details.

The idea of our device was very simple. The user sends a transfer order to the bank, the bank sends it back in an encrypted form via a secure channel to the client-assigned device, and the latter can then decipher and display the order details. After going through them, the user decides whether the data matches the one initially transferred to the bank. If so, the transfer is confirmed.

It is as if the user sent a letter to the bank with a handwritten signature. The bank then puts the letter in a safe deposit box, to which only the sender knows the code, and sends the box back by courier service.

Upon receiving the box, the user opens it using their unique code in order to make sure the account number and amount check out and confirms or cancels the transaction. Any attempt to breach the deposit box along the way is troublesome and immediately detectable.

This simple idea guided the whole tPro product family. Today, a prototype device called tPro Touch changes the current way of thinking about securing transfers and customer-bank communication.

After a wave of remote attacks on Polish banks in 2015, Comarch’s security engineers designed a device called tPro ECC. The basic assumption was to have additional transfer authorization just by pressing a button the device was equipped with. This simple mechanism effectively protects users from remote attacks, as clicks cannot be simulated in any way. Additionally, tPro ECC comes with a dedicated system supporting elliptical curves cryptography. Such new cryptosystem significantly increased security and operational efficiency.

What reinforces the need to have transaction authorization devices without an operating system is the fact that in January 2018 a loophole in X86 processor architecture was discovered, which shocked the IT world (Spectre/Meltdown).

The loophole allows critical data to be stolen by memory leakage from the kernel to userspace. The case turned out to be all the more serious because an attack can be made from JavaScript (i. e. a web browser) and almost all electronic devices on the market today are vulnerable: from smartphones and laptops through to PCs and servers.

Some cloud providers (Google, Microsoft, Amazon) have announced technical breaks in the operation of their services for this very reason. Today it is difficult to assess the scale of attacks based on this vulnerability, mainly because the attacks may have remained unnoticed and come directly from a web browser.

The conclusions are obvious: devices of strategic importance in medicine, military or banking should be based on dedicated systems such as cryptographic tokens. They increase the security of transactions way more than devices designed for universal use, such as smartphones. Tokens also effectively protect us against remote attacks, which we may be unaware of for a longer period of time.

More and more often, cryptographic devices are small and inconspicuous, and thanks to technological development they can already communicate with other devices without an additional software layer. Soon, the communication will be wireless.

Driverless solutions allow you to send your transfer orders directly to a cryptographic device without the need to install anything. Today, to ensure the security of an order, it is enough to insert a token into a USB port.

Technology should provide user-friendly and secure solutions. Fortunately, this is happening as I type.

Paweł Bułat, Project Manager at Comarch

Paweł is an expert with strong experience in the cyber security domain. For over a decade he has been gaining the experience in security solutions for online banking, based on strong cryptography. He has developed security extensions for web browsers and coordinated works over ECC Hardware Token (software and hardware layer). Currently, he is a member of  SecureAccess team where he works on the PAM family system for monitoring protocols such as SSH, RDP (also for VDI solutions).