An agency of the European Union created to improve network and data security is offering some blunt, timely and refreshing advice for financial institutions as they try to secure the online banking channel: “Assume all PCs are infected.”
The unusually frank perspective comes from the European Network and Information Security Agency, in response to a recent “High Roller” report (PDF) by McAfee and Guardian Analytics on sophisticated, automated malicious software strains that are increasingly targeting high-balance bank accounts. The report detailed how thieves using custom versions of the ZeuS and SpyEye Trojans have built automated, cloud-based systems capable of defeating multiple layers of security, including hardware tokens, one-time transaction codes, even smartcard readers. These malware variants can be set up to automatically initiate transfers to vetted money mule or prepaid accounts, just as soon as the victim logs in to his account.
“Many online banking systems….work based on the assumption that the customer’s PC is not infected,” ENISA wrote in an advisory issued on Thursday. “Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected, and still take steps to protect customers from fraudulent transactions.”