18 October 2017
Pat Carroll


Pat Carroll - ValidSoft

Innovation in Financial Services


A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
A post relating to this item from Finextra:

Eurograbber PC-to-mobile virus loots EUR36 million from consumer accounts

05 December 2012
A sophisticated multi-stage virus attack that infected consumer PCs and mobile phones was used to steal over €36 million from 30,000 customers of 30 banks in Italy, Spain, Germany and Holland over sum...

Why has Eurograbber been able to do the damage it has?

10 December 2012

Eurograbber, a Trojan that transfers itself from a user’s PC to their mobile phone, has come to light, reportedly having so far defrauded banking customers out of over €36m. The simple reason for this is that many banks are reliant on SMS as a means of authenticating the user and hence authorising online transactions. Because Trojans such as Eurograbber intercept SMS messages, such systems are inherently insecure. Another attack, SIM Swap, whilst very different in its technique, achieves the same aim of intercepting SMS messages carrying online banking authorisation codes.

The number of voices speaking out against the danger of relying on SMS-based systems is growing, and not just in Europe. Only last month, a lobby group for Australian telcos declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction, after numerous reports came to light of Australians being defrauded.

The problem is that fraudsters can intercept SMS messages, so SMS is not a secure means of authenticating the user.

Whilst the idea of utilising the customer’s mobile phone as a means of strong authentication is absolutely valid, the delivery mechanism needs to be carefully reviewed in the light of such attack vectors. For instance, interactive voice is not a store-and-forward protocol and as such is far less susceptible to mobile Trojans. However, even voice can be compromised by attacks such as SIM Swap, and therefore any Out-of-Band solution requires the necessary invisible detection techniques to combat such attacks. Solutions do exist to securely enable the ubiquitous mobile phone to remain an effective authentication tool.

Tags: Security, Mobile & online
