Eurograbber – banks must try harder

In fact, the banks thought they were already doing more by widely introducing two-factor authentication for online transactions involving an out-of-band transaction authentication number (TAN) sent to the customer’s mobile phone. If stolen log-in credentials were being used by a criminal, the new unique TAN would remain unknown to that criminal, and without it a transaction could not proceed. The Eurograbber campaign (see Zeus malware throws €36+ million lightning bolt across Europe) got around this by infecting both the user’s computer and smartphone, so that it could use the two-factor system rather than be defeated by it.

The reality is that this is not a new idea from criminals; Trusteer discussed a similar attack last September. Eurograbber is, however, clearly the most successful to date – and a wake-up call to both banks and customers.

“The Eurograbber attack demonstrates that criminals are adapting their methods effectively, and continuing to explore the world of mobile and blending different methods (phishing and malware),” warns Nick Seaver, a partner in Deloitte’s Enterprise Risk Services practice. “Whilst 2011 showed a decrease in online retail banking fraud, we anticipate 2012 will show an increase as mobile banking continues to grow.”

Stewart James, a partner in the Intellectual Property & Technology group at DLA Piper, blames the banks’ desire to make things as easy as possible for the customer. “In the competitive rush to bring increasingly easier, mobile-enabled products to market, banks have to consider the trade-off between facilitating ease of use and providing secure access. Security, which is a barrier to easy access, is sometimes given less emphasis than it deserves as a result.”

Both James and Seaver believe the onus is now on the banks to improve security – especially (as demonstrated by Eurograbber) since commercial accounts are also increasingly coming under attack. Seaver makes four specific recommendations for the banks: regular assessments of their own security controls and processes; awareness of the limitations of mechanisms such as SMS; implementation of multi-layered defenses, and effective transaction monitoring systems; and “educate customers to help protect themselves.”

“In any security system the weakest link is the human element,” added James, “and customers need to be protected against insecure behaviors, such as setting weak passwords, and naivety.”

Failure to improve bank security in the wake of Eurograbber could be disastrous. “Before this year, we saw very few successful attacks against business and commercial online banking in the UK and Europe,” said Seaver. “However, as the retail banks have tightened up their security and corporate/commercial banks are developing mobile offerings, we’ve seen an increase in attacks against business and commercial online banking systems in 2012 and anticipate this will continue to increase.”

It is worth noting that while the Eurograbber C&C servers have been taken down, the user infections remain. Unless these are individually removed by the users, Eurograbber could return.
