Andrew Churchill

The computer you are reading this on is mine ...

24 July 2012

For several years, the blogs and news stories on these pages have discussed a variety of threats from this Trojan or that, with Zeus making its first appearance in Finextra’s pages as far back as April 2008. So, whilst it may no longer really be ’news’, it was interesting to see Zeus back in the headlines recently over its latest manifestation in High Roller (http://www.finextra.com/news/fullstory.aspx?newsitemid=23838).

But what was rather more interesting was the reaction of ENISA, the European Network and Information Security Agency. http://www.enisa.europa.eu/media/press-releases/eu-cyber-security-agency-enisa-201chigh-roller201d-online-bank-robberies-reveal-security-gaps

Considering the implications of their statement, it is odd that their press release seems to have quietly slipped under everyone’s radar, so I thought it might be worth highlighting a few of their points, which are essentially the same as those I made at this year’s UK Card Fraud Conference.


Recommendation 1 – Assume all PCs are infected … assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. [their emphasis]


Yes, that’s right: all security and fraud controls should work on the premise that I already have control of your machine. So that one-time passcode you just generated on that PIN pad, and the shared secret you just entered? They’re mine too – thanks for those.


Recommendation 2 - Secure online banking devices: Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected. Given the current state of PC security, this assumption is dangerous.

So recommendation 1 is that banks should assume PCs are infected, and recommendation 2 is that it is therefore dangerous to assume that they are not. But it does go on to say …

For example, a basic two factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions. Therefore, it is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device


This puts us in a very interesting position in the light of the EU Green Paper on future payments, the ECB consultation on Security of online payments, and even the forthcoming Data Protection Regulation, because all the strong authentication mechanisms cited in these papers fail this basic check: confirming the value and destination of the transaction with the user over a trusted channel, on a trusted device, rather than on the PC that is assumed to be infected.
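The failure mode ENISA describes, and the cross-check it asks for, as an added example (this is not code from the original post, from ENISA or from any bank). It is a toy simulation in Python: a bank and a customer’s token share a secret, and two kinds of code are compared. The “unbound” code is a plain one-time passcode that depends only on the secret and a counter; the “bound” code is computed on the trusted device over the destination and amount the device displays to the user. An infected browser forwards whatever code the user typed but swaps the payment details before they reach the bank. The shared secret, account numbers, amounts, counter and the simplified HMAC-based code construction (HOTP-like, not the RFC 4226 algorithm) are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Transaction:
    destination: str    # payee account as displayed to the user
    amount_pence: int


# Constructed values for the simulation: the token/bank shared secret and the
# account the malware diverts money to. Nothing here is a real account or key.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ATTACKER_ACCOUNT = "20-00-00 99999999"
DIGITS = 8


def _truncate(mac: bytes) -> str:
    """Turn a MAC into a DIGITS-long decimal code (simplified HOTP-style truncation)."""
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** DIGITS:0{DIGITS}d}"


def unbound_code(secret: bytes, counter: int) -> str:
    """'Basic' one-time passcode: depends on the secret and a counter only.
    Nothing ties it to a particular payment, so it authorises whatever
    transaction arrives alongside it."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def bound_code(secret: bytes, counter: int, tx: Transaction) -> str:
    """Transaction-bound code: the trusted device shows the user the destination
    and amount and MACs exactly those values, so the code is valid for them only."""
    msg = (counter.to_bytes(8, "big")
           + tx.destination.encode()
           + tx.amount_pence.to_bytes(8, "big"))
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(secret: bytes, counter: int, tx: Transaction, code: str, bound: bool) -> bool:
    """Bank side: recompute the code for the transaction it actually received."""
    expected = bound_code(secret, counter, tx) if bound else unbound_code(secret, counter)
    return hmac.compare_digest(expected, code)


def infected_browser(tx: Transaction) -> Transaction:
    """Man-in-the-browser: the user's screen still shows `tx`, but the request
    that leaves the browser names the attacker's account and a larger amount."""
    return Transaction(ATTACKER_ACCOUNT, tx.amount_pence * 10)


def run(bound: bool, infected: bool) -> Tuple[bool, Transaction]:
    """Simulate one payment. Returns (bank accepted it, transaction the bank received)."""
    counter = 41                                          # token counter, constructed
    intended = Transaction("40-00-00 12345678", 5_000)    # what the user meant to pay
    # The code is produced on the trusted device from what that device displays.
    if bound:
        code = bound_code(SHARED_SECRET, counter, intended)
    else:
        code = unbound_code(SHARED_SECRET, counter)
    # The infected PC forwards the user's code but swaps the transaction details.
    received = infected_browser(intended) if infected else intended
    return bank_accepts(SHARED_SECRET, counter, received, code, bound), received


if __name__ == "__main__":
    for bound in (False, True):
        for infected in (False, True):
            ok, received = run(bound, infected)
            kind = "bound" if bound else "unbound"
            pc = "infected" if infected else "clean"
            print(f"{kind:8s} code, {pc:8s} PC -> bank {'ACCEPTS' if ok else 'REJECTS'} "
                  f"{received.amount_pence} pence to {received.destination}")
```

Running it prints four lines; the two worth reading are the infected-PC cases. With the unbound code the bank accepts 50,000 pence to the attacker’s account, because the code the user generated is equally valid for any transaction. With the bound code the bank rejects it, because the code only verifies over the details the user actually saw and confirmed. The caveat is the one ENISA makes: this only holds if the device that displays the destination and amount is not the infected PC itself, and the user reads what it displays before confirming.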

And this goes much further than just your bank, because if I own your machine, which I do, I own your online identity as a whole, be it with your company, with your Government services, with the lot. Thanks for those.


