For several years, the blogs and news stories on these pages have discussed a variety of threats from this Trojan or that, with Zeus making its first appearance in Finextra’s pages as far back as April 2008. So, whilst it may no longer really be ‘news’, it was interesting to see Zeus back in the headlines recently over its latest manifestation in High Roller (http://www.finextra.com/news/fullstory.aspx?newsitemid=23838).
But what was rather more interesting was the reaction of ENISA, the European Network and Information Security Agency.
Considering the implications of their statement, it is odd that their press release seems to have quietly slipped under everyone’s radar, so I thought it might be worth highlighting a few of their points, which are essentially the same as those I made at this year’s UK Card Fraud Conference.
Recommendation 1 – Assume all PCs are infected … assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. [their emphasis]
Yes, that’s right - all security and fraud controls should work on the premise that I already have control of your machine. So that One Time Passcode you just generated on that pin pad, and the shared secret you just entered. They’re mine too – thanks for
Recommendation 2 – Secure online banking devices: Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected. Given the current state of PC security, this assumption is dangerous.
So Recommendation 1 is that banks should assume PCs are infected, and Recommendation 2 is that this means it is dangerous to assume that they are not. But it does go on to say …
For example, a basic two factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions. Therefore, it is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device …
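The difference ENISA is drawing here is between a one-time code that merely proves the customer is present and a confirmation that is bound to the value and destination the customer actually saw. The following is an added illustration, not code from this post, from ENISA or from any bank: the device key, counter and IBAN-style account strings are constructed for the demo. It models a transaction altered in the browser after the customer has approved it, and shows that an unbound code is accepted for the altered transaction whereas a code derived on the trusted device from the displayed amount and destination is not.

```python
import hashlib
import hmac

# Constructed shared secret held by the bank and by the customer's separate
# trusted device (token, card reader, phone app). Not a real key.
DEVICE_KEY = b"constructed-demo-key-not-for-real-use"


def unbound_otp(key: bytes, counter: int) -> int:
    """'Basic' two-factor code: depends on the key and a counter only.
    It proves the device was used, but says nothing about which transaction."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 1_000_000


def bound_confirmation_code(key: bytes, counter: int,
                            amount_cents: int, destination: str) -> int:
    """Transaction-bound code: the trusted device shows amount and destination
    to the user and derives the code from exactly those values, so the code
    only confirms that one transaction (what-you-see-is-what-you-sign)."""
    msg = b"|".join([counter.to_bytes(8, "big"),
                     str(amount_cents).encode(),
                     destination.encode()])
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 1_000_000


def bank_accepts_unbound(key: bytes, counter: int, received_tx: dict, code: int) -> bool:
    # Note that received_tx is never consulted: the check cannot notice tampering.
    expected = unbound_otp(key, counter)
    return hmac.compare_digest(f"{expected:06d}", f"{code:06d}")


def bank_accepts_bound(key: bytes, counter: int, received_tx: dict, code: int) -> bool:
    # The bank recomputes the code over the transaction it actually received.
    expected = bound_confirmation_code(key, counter,
                                       received_tx["amount_cents"],
                                       received_tx["destination"])
    return hmac.compare_digest(f"{expected:06d}", f"{code:06d}")


def simulate(tampered_in_browser: bool) -> dict:
    """Run one payment under both schemes; return which checks the bank passes."""
    counter = 42
    # What the customer intended and confirmed on the trusted device (constructed).
    intended = {"amount_cents": 5_000, "destination": "GB00DEMO00000000000001"}
    # What the bank receives: identical, or rewritten on the infected PC.
    received = dict(intended)
    if tampered_in_browser:
        received = {"amount_cents": 950_000, "destination": "GB00DEMO00000000000099"}

    otp = unbound_otp(DEVICE_KEY, counter)
    confirmation = bound_confirmation_code(DEVICE_KEY, counter,
                                           intended["amount_cents"],
                                           intended["destination"])
    return {
        "unbound_accepted": bank_accepts_unbound(DEVICE_KEY, counter, received, otp),
        "bound_accepted": bank_accepts_bound(DEVICE_KEY, counter, received, confirmation),
    }


if __name__ == "__main__":
    print("honest  :", simulate(False))   # both schemes accept
    print("tampered:", simulate(True))    # only the unbound OTP still accepts
```

The binding only helps if the amount and destination are displayed to the customer on the trusted device itself, which is the point of ENISA's "on a trusted device": a token that signs whatever the PC hands it, without showing the details on its own screen, leaves the infected PC in control of what is confirmed.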
This puts us in a very interesting position in the light of the EU Green Paper on future payments, the ECB consultation on Security of online payments, and even the forthcoming Data Protection Regulation, because all the strong authentication mechanisms cited in these papers fail this basic check.
And this goes much further than just your bank, because if I own your machine, which I do, I own your online identity as a whole, be it with your company, with your Government services, with the lot. Thanks for those.