31 October 2014

PCarroll

Pat Carroll - ValidSoft

78 | posts 274,885 | views 40 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
A post relating to this item from Finextra:

Eurograbber PC-to-mobile virus loots EUR36 million from consumer accounts

05 December 2012  |  8112 views  |  0
A sophisticated multi-stage virus attack that infected consumer PCs and mobile phones was used to steal over €36 million from 30,000 customers of 30 banks in Italy, Spain, Germany and Holland over sum...

Why has Eurograbber been able to do the damage it has?

10 December 2012  |  4238 views  |  0

Eurograbber, a Trojan that transfers itself from a user’s PC to their mobile phone has come to light, reportedly having so far defrauded banking customers out of over €36m. The simple reason for this is that many banks are reliant on SMS as a means of authenticating the user and hence authorising online transactions. Because Trojans such as Eurograbber intercept SMS messages, such systems are inherently insecure. Another attack technique, SIM Swap, whilst very different in its technique, achieves the same aim of intercepting SMS messages carrying online banking authorisation codes.                     

The volume of those speaking out against this danger of relying on SMS based systems is picking up, and not just in Europe. Only last month, a lobby group for Australian telcos declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction after numerous reports came to light of Australians being defrauded.

The problem is that fraudsters can intercept an SMS, so they are not a secure means of authenticating the user.

Whilst the idea of utilising the customer’s mobile phone as a means of strong authentication is absolutely valid, the delivery mechanism needs to be carefully reviewed in the light of such attack vectors. For instance, interactive voice is not a store-and-forward protocol and as such is far less susceptible to mobile Trojans. However, even voice can be compromised by attacks such as SIM Swap and therefore, any Out-of-Band solution requires the necessary invisible detection techniques to combat such attacks. Solutions do exist to securely enable the ubiquitous mobile phone to remain an effective authentication tool.

TagsSecurityMobile & online

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

Chip and Signature, a Paradise Lost

28 October 2014  |  1710 views  |  2  |  Recommends 1 TagsCardsPaymentsGroupDisruption in Retail Banking

Payment Card Data Theft At The POS - Time To Knuckle Down

13 October 2014  |  3035 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

More Channels, More Payment Options, More Fraud

23 September 2014  |  899 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2503 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Melvin Haskins
Ketharaman Swaminathan
Kenneth Carnesi
Andrew Smith