Recently all across Europe, the “Euro Grabber” stealthily stole around 36 million euro (Rs 286 crores) from Bank customers. These were all customers who thought that
a) Their money in the Bank was safe.
b) Internet Banking was a great way to do Banking.
The Banks thought that they had introduced the “Two Factor Authentication” which was a sophisticated system and made Internet Banking safe.
However, there came a great thief called “Euro Grabber” along with his team of assistants and invaded thousands of PCs and Mobiles and finally stole money from around 30000 retail and corporate customers of different Banks across different parts of Europe.
“Eurograbber” is a new variant of the Zeus Trojan which steals the credentials of the banking customer both at the desktop and on the associated mobile. Hence it easily bypasses the 2 Factor authentication system and is able to execute unauthorized transactions in the customer’s accounts. The trojan is currently known to have successfully attacked mobile systems running the Android, Blackberry and Symbian operating systems, which in other words may mean more than 95% of the systems in usage.
The “Eurograbber” is an intelligent trojan which is often dropped through the “Drive by Download” method. In other words, the infection does not require the user to answer a “Phishing Mail”. All those Bankers who are crying from rooftops that “We do not ask for your passwords” and then say “Password can never be compromised unless the customer answers a phishing mail” must realize that the methodologies used by trojan droppers are above all these routine security warnings. Customers may get infected when they have visited a newspaper site or clicked on an unrelated Google search result or sometimes even by visiting the Bank’s own website. (Eg: Bank of India infection in 2007).
Once a PC is infected, the Eurograbber waits until the customer visits the Bank website and then starts injecting instructions within the running session, asking the customer to upgrade security etc. Since these instructions appear during a session initiated by the customer himself, he believes that the instructions are from the Bank and proceeds to provide information that compromises his identity, including the mobile number. The trojan then sends an SMS message to the mobile with similar instructions, ensuring that the customer clicks on a link that infects the mobile also.
With both the desktop and the mobile infected, the trojan is then able to manipulate the banking instructions and intercept the OTP, and so is able to carry out fraudulent transactions.
When such “Unauthorized Transactions” are carried out during a valid session opened by the customer, it creates a huge evidentiary problem for the customers, since the time of the transaction coincides with the time of a valid session. Even the IP address of the transaction initiation may tally with the IP address of the customer. Therefore, unless the judge hearing the case understands the way these trojans function, it would be near impossible for the hapless customer to convince the court that the transaction was “Unauthorized”.
Who is to be blamed for placing the Bank Customer in such a situation?
It is clear that Banks are mainly responsible for operating a system of Internet Banking without adequate security, which places their customers in a compromising position.
To some extent, RBI also should share the blame since it places a lot of thrust on 2 Factor authentication through the mobile. Users are increasingly being coerced into the use of “Mobile Banking” with false promises. Banks also adopt the policy of “No Mobile-No account” and mandate the use of mobiles for Internet Banking.
In this scenario, it will not be long before we will witness a huge Banking fraud emerging in India on the back of the “Eurograbber” trojan.