28 May 2017
Pat Carroll


Pat Carroll - ValidSoft

79Posts 334,323Views 40Comments
Innovation in Financial Services

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
A post relating to this item from Finextra:

Eurograbber PC-to-mobile virus loots EUR36 million from consumer accounts

05 December 2012  |  9064 views  |  0
A sophisticated multi-stage virus attack that infected consumer PCs and mobile phones was used to steal over €36 million from 30,000 customers of 30 banks in Italy, Spain, Germany and Holland over sum...

Why has Eurograbber been able to do the damage it has?

10 December 2012  |  4888 views  |  0

Eurograbber, a Trojan that transfers itself from a user’s PC to their mobile phone has come to light, reportedly having so far defrauded banking customers out of over €36m. The simple reason for this is that many banks are reliant on SMS as a means of authenticating the user and hence authorising online transactions. Because Trojans such as Eurograbber intercept SMS messages, such systems are inherently insecure. Another attack technique, SIM Swap, whilst very different in its technique, achieves the same aim of intercepting SMS messages carrying online banking authorisation codes.                     

The volume of those speaking out against this danger of relying on SMS based systems is picking up, and not just in Europe. Only last month, a lobby group for Australian telcos declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction after numerous reports came to light of Australians being defrauded.

The problem is that fraudsters can intercept an SMS, so they are not a secure means of authenticating the user.

Whilst the idea of utilising the customer’s mobile phone as a means of strong authentication is absolutely valid, the delivery mechanism needs to be carefully reviewed in the light of such attack vectors. For instance, interactive voice is not a store-and-forward protocol and as such is far less susceptible to mobile Trojans. However, even voice can be compromised by attacks such as SIM Swap and therefore, any Out-of-Band solution requires the necessary invisible detection techniques to combat such attacks. Solutions do exist to securely enable the ubiquitous mobile phone to remain an effective authentication tool.

TagsSecurityMobile & online

Comments: (0)

Comment on this story (membership required)

Latest posts from

Pat's profile

job title Founder/Executive Chairman
location London
member since 2011
Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisations on industry bodies and leading participation in industry initiatives. At ValidSoft, he leads the R...

Pat's expertise

Member since 2011
79 posts40 comments
What Pat reads

Who's commenting on Pat's posts