ENISA: banks should assume customer PCs are infected
By Stewart Mitchell
Posted on 6 Jul 2012 at 15:09
The European cyber security agency has warned banks to stop assuming that customers' computers are free from malware and consider offline checks before making large transactions.
The warning from the European Network and Information Security Agency comes in the wake of a series of multimillion pound heists on wealthy bank account holders.
“Banks really should change their stance and assume that all of the customer computers are infected, otherwise it’s difficult to be secure,” a spokesperson for ENISA told PC Pro. “With that in mind, you need to secure the devices and also have a cross check, because they can’t just assume customer computers are clean... The banks should take protection measures to deal with this.”
While banks do use stringent security measures, many of the systems can be circumvented if users' computers are infected with common malware packages, ENISA said.
“Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected,” ENISA said. “Given the current state of PC security, this assumption is dangerous.”
According to ENISA, instead of relying on web security alone when processing large transactions, banks should also use channels that cannot be interfered with by malware on their customers’ PCs.
“It is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device via an SMS or a telephone call,” ENISA said. “Even smartphones could be used here, provided smartphone security holds up.”
High-roller attacks
The warning follows a series of attacks – dubbed “high-roller heists” because the targets all had large account balances – that recently extracted £48 million from bank accounts. The theft used a technique that circumvented the regular chip and pin authentication processes.
After phishing attacks were used to identify wealthy, often corporate, accounts, malware – including SpyEye, Zeus and Ice 9 – was loaded onto the victims’ PCs.
Later, the account details were used to transfer funds to mule accounts – all without the user’s knowledge and using a method that rendered the second-level authentication devices impotent.
“The banks’ protection measures, such as two-factor authentication and fraud detection, were circumvented,” ENISA said. “Users did not notice this right away because the fraudulent transactions were hidden by malware that was inserting Javascript code into pages.”
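The trusted-channel cross check ENISA describes, as an added example that is not from the article or from ENISA: a constructed model in which the bank binds a confirmation code to the value and destination it actually received and delivers both to a second device, so a browser-side rewrite of the destination is visible to the customer before the transfer executes. Class and function names, the session id and the account numbers are all made up for the illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Transfer:
    amount_pence: int
    destination: str  # sort code + account number (constructed sample values)

class OutOfBandConfirmation:
    """Bank side: the code is an HMAC over a fresh nonce plus the value and
    destination the bank actually received, so it authorises only that transfer."""
    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: Dict[str, Tuple[Transfer, str]] = {}

    def _code(self, t: Transfer, nonce: str) -> str:
        msg = f"{nonce}|{t.amount_pence}|{t.destination}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def start(self, session_id: str, received: Transfer) -> dict:
        # 'received' is the transfer as the (possibly infected) browser sent it;
        # the SMS/phone call carries these three fields to the trusted device.
        nonce = secrets.token_hex(8)
        self._pending[session_id] = (received, nonce)
        return {"amount_pence": received.amount_pence,
                "destination": received.destination,
                "code": self._code(received, nonce)}

    def confirm(self, session_id: str, entered_code: str) -> bool:
        # A matching code executes; the nonce is consumed so a captured code can't be replayed.
        pending = self._pending.pop(session_id, None)
        return pending is not None and hmac.compare_digest(
            self._code(*pending), entered_code)

def customer_review(intended: Transfer, notice: dict) -> Optional[str]:
    # Customer side, on the trusted device: release the code only when the
    # value and destination the bank reports match what they meant to send.
    match = (notice["amount_pence"] == intended.amount_pence
             and notice["destination"] == intended.destination)
    return notice["code"] if match else None

def run_transfer(bank: OutOfBandConfirmation, intended: Transfer, received: Transfer) -> bool:
    # Full exchange; 'received' differs from 'intended' when malware in the
    # browser rewrote the request. Returns whether the transfer executes.
    notice = bank.start("session-1", received)
    code = customer_review(intended, notice)
    return code is not None and bank.confirm("session-1", code)
```

The check only works if the second device shows the bank's view of value and destination, not just a code; a bare code typed back from the same PC adds nothing against in-browser malware.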
Agreed with the need to improve security, but I hope this doesn't lead to more insistence that I install the bank's choice of anti-malware software.
By halsteadk on 6 Jul 2012
And that is NEWS?!?
That was taken as a given when I was working on Swiss next generation Internet banking projects, and that was in 2008.
By nuclear_glow on 7 Jul 2012