Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

The computer you are reading this on is mine ...

For several years, the blogs and news stories on these pages have discussed a variety of threats from this Trojan or that, with Zeus making its first appearance in Finextra’s pages as far back as April 2008. So, whilst it may no longer really be ’news’ it was interesting to see Zeus back in the headlines recently over its latest manifestation in High Roller (https://www.finextra.com/news/fullstory.aspx?newsitemid=23838).

But what was rather more interesting was the reaction of ENISA, the European Network and Information Security Agency. http://www.enisa.europa.eu/media/press-releases/eu-cyber-security-agency-enisa-201chigh-roller201d-online-bank-robberies-reveal-security-gaps

Considering the implications of their statement, it is odd that their press release seems to have quietly slipped under everyone’s radar, so I thought it might be worth highlighting a few of their points, which are essentially the same as those I made at this years UK Card Fraud Conference.

 

Recommendation 1 – Assume all PCs are infected … assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. [their emphasis]

 

Yes, that’s right - all security and fraud controls should work on the premise that I already have control of your machine. So that One Time Passcode you just generated on that pin pad, and the shared secret you just entered. They’re mine too – thanks for those.

 

Recommendation 2 - Secure online banking devices: Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected. Given the current state of PC security, this assumption is dangerous.

So recommendation1 is that banks should assume PCs are infected, and recommendation 2 is that this means that it is dangerous to assume that they are not. But it does go on to say …

For example, a basic two factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks  on transactions. Therefore, it is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device

 

This puts us in a very interesting position in the light of the EU Green Paper on future payments, the ECB consultation on Security of online payments, and even the forthcoming Data Protection Regulation, because all the strong authentication mechanisms cited in these papers fail this basic check.

And this goes much further than just your bank, because if I own your machine, which I do, I own your online identity as a whole, be it with your company, with your Government services, with the lot. Thanks for those.

 

 

4832
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion
Andrew Churchill

Andrew Churchill

ID & Authentication Standards author

MIDAS Alliance

Member since

04 Mar 2009

Location

London

Blog posts

4

Comments

20

More from Andrew

Now hiring

See more