21 August 2014

PCarroll

Pat Carroll - ValidSoft

74 | posts 260,176 | views 37 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
A post relating to this item from Finextra:

Eurograbber PC-to-mobile virus loots EUR36 million from consumer accounts

05 December 2012  |  8005 views  |  0
A sophisticated multi-stage virus attack that infected consumer PCs and mobile phones was used to steal over €36 million from 30,000 customers of 30 banks in Italy, Spain, Germany and Holland over sum...

Why has Eurograbber been able to do the damage it has?

10 December 2012  |  4159 views  |  0

Eurograbber, a Trojan that transfers itself from a user’s PC to their mobile phone has come to light, reportedly having so far defrauded banking customers out of over €36m. The simple reason for this is that many banks are reliant on SMS as a means of authenticating the user and hence authorising online transactions. Because Trojans such as Eurograbber intercept SMS messages, such systems are inherently insecure. Another attack technique, SIM Swap, whilst very different in its technique, achieves the same aim of intercepting SMS messages carrying online banking authorisation codes.                     

The volume of those speaking out against this danger of relying on SMS based systems is picking up, and not just in Europe. Only last month, a lobby group for Australian telcos declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction after numerous reports came to light of Australians being defrauded.

The problem is that fraudsters can intercept an SMS, so they are not a secure means of authenticating the user.

Whilst the idea of utilising the customer’s mobile phone as a means of strong authentication is absolutely valid, the delivery mechanism needs to be carefully reviewed in the light of such attack vectors. For instance, interactive voice is not a store-and-forward protocol and as such is far less susceptible to mobile Trojans. However, even voice can be compromised by attacks such as SIM Swap and therefore, any Out-of-Band solution requires the necessary invisible detection techniques to combat such attacks. Solutions do exist to securely enable the ubiquitous mobile phone to remain an effective authentication tool.

TagsSecurityMobile & online

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

The Next Target-Style Attack This Holiday Season?

11 August 2014  |  1586 views  |  1  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Securing Transactions Means More Than Just Authentication

10 July 2014  |  2271 views  |  0  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

'Trust but Verify' : Trust in Data Protection and Mobile

13 June 2014  |  2287 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Chip and Skim Cards: Renewed Need for Layered Authentication

03 June 2014  |  2113 views  |  0  |  Recommends 0 TagsCardsSecurityGroupInnovation in Financial Services
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Kenneth Carnesi
Andrew Smith