EU banks advised to assume user PCs infected

Powered by SC Magazine
 

Two-factor authentication not enough, agency says.

The European Network and Information Security Agency (ENISA) has advised banks to presume that all customer PCs are infected given "the current situation" of security.

In an advisory last week, the EU cyber security agency noted that many existing authentication systems have failed to prevent fraud.

The agency highlighted Operation High Roller, where McAfee and Guardian Analytics indicated that hackers had made off with at least £47 million ($A71 million) in fraudulent transfers from accounts at 60 or more financial institutions.

"Banks should instead assume that PCs are infected and still take steps to protect customers from fraudulent transactions," the advisory said.

“For example, a basic two-factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions.

"Therefore, it is important to cross check with the user [about] the value and destination of certain transactions, via a trusted channel, on a trusted device (e.g. an SMS, a telephone call, a standalone smartcard reader with screen).

"Even smartphones could be used here, provided smartphone security holds up.”

ENISA warned organisations not to take smartphone security for granted, especially as an increasing number of transactions took place on smartphones or tablets.

It said the rapid adoption of smartphones also offered an important opportunity to improve endpoint security - for example by using vetted app stores or smartphones as second factors.

Security blogger Brian Krebs called the advice "blunt, timely and refreshing", particularly for financial institutions.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition


EU banks advised to assume user PCs infected
 
 
 
Top Stories
There's no coke and hookers in the cloud
[Blog post] Where did the love go?
 
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1043

Vote