20 December 2014


Andrew Churchill - Technology Strategy


The computer you are reading this on is mine ...

24 July 2012

For several years, the blogs and news stories on these pages have discussed a variety of threats from this Trojan or that, with Zeus making its first appearance in Finextra's pages as far back as April 2008. So, whilst it may no longer really be 'news', it was interesting to see Zeus back in the headlines recently over its latest manifestation in High Roller (http://www.finextra.com/news/fullstory.aspx?newsitemid=23838).

But what was rather more interesting was the reaction of ENISA, the European Network and Information Security Agency. http://www.enisa.europa.eu/media/press-releases/eu-cyber-security-agency-enisa-201chigh-roller201d-online-bank-robberies-reveal-security-gaps

Considering the implications of their statement, it is odd that their press release seems to have quietly slipped under everyone's radar, so I thought it might be worth highlighting a few of their points, which are essentially the same as those I made at this year's UK Card Fraud Conference.


Recommendation 1 – Assume all PCs are infected … assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. [their emphasis]


Yes, that's right - all security and fraud controls should work on the premise that I already have control of your machine. So that One Time Passcode you just generated on that PIN pad, and the shared secret you just entered? They're mine too – thanks for those.


Recommendation 2 - Secure online banking devices: Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected. Given the current state of PC security, this assumption is dangerous.

So recommendation 1 is that banks should assume PCs are infected, and recommendation 2 is that this means it is dangerous to assume that they are not. But it does go on to say …

For example, a basic two factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions. Therefore, it is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device.


This puts us in a very interesting position in the light of the EU Green Paper on future payments, the ECB consultation on Security of online payments, and even the forthcoming Data Protection Regulation, because all the strong authentication mechanisms cited in these papers fail this basic check.

And this goes much further than just your bank, because if I own your machine, which I do, I own your online identity as a whole, be it with your company, with your Government services, with the lot. Thanks for those.
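To make the difference behind Recommendation 2 concrete, here is an added illustration (my own sketch, not code from ENISA or from any bank's system) of why a basic one-time code fails against a man-in-the-browser while a code bound to the transaction's value and destination does not. The shared secret, account numbers and counter value are constructed sample data; the six-digit truncation is a hypothetical token format chosen for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    amount_pence: int
    beneficiary: str   # destination account exactly as shown to the user on the trusted device

def _six_digits(mac: bytes) -> str:
    # Hypothetical token format: truncate the MAC to a six-digit code the user can type
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def basic_otp(secret: bytes, counter: int) -> str:
    # "Basic" two-factor code: depends on the shared secret and a counter only,
    # so it says nothing about which transaction the user meant to approve.
    return _six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def transaction_code(secret: bytes, counter: int, tx: Transaction) -> str:
    # Transaction-bound code: the value and destination the user confirmed on the
    # trusted device are part of the MAC input, so changing either changes the code.
    msg = (counter.to_bytes(8, "big") + tx.amount_pence.to_bytes(8, "big")
           + tx.beneficiary.encode("utf-8"))
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())

def bank_accepts(secret: bytes, counter: int, received: Transaction, code: str, bound: bool) -> bool:
    # The bank recomputes the expected code from the transaction it actually received.
    expected = transaction_code(secret, counter, received) if bound else basic_otp(secret, counter)
    return hmac.compare_digest(expected, code)

def man_in_the_browser(secret: bytes, counter: int, intended: Transaction,
                       altered: Transaction, bound: bool) -> bool:
    # The user approves `intended` on the trusted device; malware on the infected PC
    # substitutes `altered` on the way to the bank and forwards the user's code unchanged.
    # Returns True if the bank accepts the altered transaction.
    code = transaction_code(secret, counter, intended) if bound else basic_otp(secret, counter)
    return bank_accepts(secret, counter, altered, code, bound)

# Constructed sample values (hypothetical secret and accounts, not from any real system)
SECRET = b"demo-shared-secret-for-token-42"
INTENDED = Transaction(amount_pence=25_00, beneficiary="12-34-56 00000001")
ALTERED = Transaction(amount_pence=9_999_00, beneficiary="65-43-21 99999999")

if __name__ == "__main__":
    print("basic OTP, altered transaction accepted:",
          man_in_the_browser(SECRET, 7, INTENDED, ALTERED, bound=False))   # True
    print("bound code, altered transaction accepted:",
          man_in_the_browser(SECRET, 7, INTENDED, ALTERED, bound=True))    # False
```

The bound code only helps if the amount and beneficiary are displayed and confirmed on a device the malware cannot reach, which is exactly the "trusted channel, trusted device" condition in the ENISA text.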
