Banks should presume that all customer PCs are infected, according to the European Network and Information Security Agency (ENISA).
In an advisory, the EU cyber security agency recommended that organisations assume all PCs are infected, and that for a bank, "in the current situation it is safer to assume that all of its customers' PCs are infected – and the banks should therefore take protection measures to deal with this".
In the wake of the report on Operation High Roller, where McAfee and Guardian Analytics warned of high-level bank account hacking yielding at least £47 million in fraudulent transfers from accounts at 60 or more financial institutions, ENISA pointed out that many authentication systems failed in that instance and worked on the assumption that the customer's PC is not infected.
It said: “Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected, and still take steps to protect customers from fraudulent transactions.
“For example, a basic two-factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions. Therefore, it is important to cross check with the user [about] the value and destination of certain transactions, via a trusted channel, on a trusted device (e.g. an SMS, a telephone call, a standalone smartcard reader with screen). Even smartphones could be used here, provided smartphone security holds up.”
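To make ENISA's point concrete, the following is an added illustration (not code from the advisory, ENISA or Krebs) of why a confirmation code bound to the amount and destination shown on a trusted device survives a man-in-the-browser alteration, while a basic second-factor code tied only to the session does not. The device key, session challenge and account numbers are constructed placeholders.

```python
import hmac
import hashlib

# Constructed demo secret standing in for the key provisioned on the customer's
# trusted device (e.g. a standalone smartcard reader with its own screen).
DEVICE_KEY = b"constructed-demo-key"
CODE_DIGITS = 8

def _code(key: bytes, message: bytes) -> str:
    """Derive a short numeric code from an HMAC, as OTP hardware does."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

def unbound_otp(key: bytes, challenge: str) -> str:
    """Basic second factor: depends only on the session challenge, not on
    what is being transferred, so it says nothing about amount or payee."""
    return _code(key, challenge.encode())

def bound_code(key: bytes, challenge: str, amount_cents: int, dest_iban: str) -> str:
    """Transaction signing: the device displays amount and destination on its
    own screen and binds the code to exactly those values (canonical encoding)."""
    return _code(key, f"{challenge}|{amount_cents}|{dest_iban}".encode())

def bank_accepts(key, challenge, amount_cents, dest_iban, code, bound):
    """Bank-side check on the transaction as it arrived from the browser."""
    expected = (bound_code(key, challenge, amount_cents, dest_iban) if bound
                else unbound_otp(key, challenge))
    return hmac.compare_digest(expected, code)

def simulate_man_in_browser(bound: bool) -> bool:
    """The customer approves a transfer on the trusted device; malware in the
    browser rewrites the destination before submission. Returns True if the
    bank accepts the altered transfer."""
    challenge = "session-4711"                       # constructed
    intended_amount = 12_500                         # constructed, in cents
    intended_dest = "DE00CONSTRUCTED0000001"         # constructed
    altered_dest = "XX00CONSTRUCTED0000999"          # constructed
    # Code produced on the trusted device for what the customer actually saw.
    code = (bound_code(DEVICE_KEY, challenge, intended_amount, intended_dest)
            if bound else unbound_otp(DEVICE_KEY, challenge))
    # The browser submits the altered destination together with that code.
    return bank_accepts(DEVICE_KEY, challenge, intended_amount, altered_dest, code, bound)

if __name__ == "__main__":
    print("session-only OTP, altered payee accepted:", simulate_man_in_browser(False))  # True
    print("transaction-bound code, altered payee accepted:", simulate_man_in_browser(True))  # False
```

The bound variant is only as good as the device's own display: the customer must read the amount and payee from the reader or phone, not from the browser, which is exactly the "trusted channel, trusted device" condition in the advisory.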
ENISA also said that as an increasing share of transactions is carried out on smartphones or tablets, smartphone security should not be taken for granted; at the same time, the rapid adoption of smartphones offers an important opportunity to improve endpoint security, for example by using vetted app stores or by using smartphones as second factors.
Security blogger Brian Krebs called the advice "blunt, timely and refreshing", particularly for financial institutions.
He said: “No doubt security is a constantly moving target; it is necessarily reactive and therefore lags behind new methods adopted by cyber criminals. But from my perspective, the advisory highlights a fundamental reality gap between threat perception and security practice in the banking sector today.
“Many financial institutions seem to pay lip service to security. Many simply urge customers to follow security advice that is increasingly quaint and irrelevant: use firewall and anti-virus software; don't respond to phishing emails; pick complex passwords and change your password often.
“What is almost never mentioned is that all of these security procedures amount to nothing if the customer's system is already compromised by a powerful banking Trojan such as Zeus or SpyEye.
“Perhaps some banks here in the US already operate under the assumption that all customer PCs are compromised. But if so, I have yet to see a financial institution willing to communicate that to their customers.”