ENISA recommends "assume all PCs are infected"
Source: Zeus Tracker

The European Network and Information Security Agency (ENISA) recommends that banks assume that their customers' computers are infected with online banking trojans such as ZeuS. The recommendation comes as part of an analysis of the recent targeted "High Roller" cyber-attacks and specifically refers to the frequently cited ZeuS Tracker statistics page, which suggests that anti-virus programs only detect about 40% of ZeuS trojans.
ENISA's recommendation even extends to dedicated "secure online banking devices". Many of these systems work on the assumption that the customer's PC is not infected, said the agency, adding that, "Given the current state of PC security, this assumption is dangerous." ENISA explained that a basic two-factor authentication system does not prevent man-in-the-middle or man-in-the-browser attacks on transactions and recommended: "Therefore, it is important to cross-check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device." According to the agency, such a trusted channel can be established using stand-alone smartcard readers with their own display or even mobile phones and smartphones.
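To illustrate the distinction ENISA draws between a basic second factor and a transaction-bound cross-check on a trusted device, here is an added Python example; it is not part of the article or of any ENISA material, and the shared secret, amounts and IBAN-like strings are constructed placeholders.

```python
import hashlib
import hmac

# Constructed secret shared only between the bank and the customer's trusted
# device (card reader with display, or phone app). The PC never sees it.
DEVICE_SECRET = b"constructed-demo-secret"

def plain_otp(secret: bytes, counter: int) -> str:
    """Basic second factor: depends on a counter only, not on what is being paid."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]

def transaction_code(secret: bytes, amount_cents: int, dest_iban: str) -> str:
    """Transaction-bound code: the trusted device shows amount and destination
    on its own display and derives the code from exactly those two values."""
    msg = f"{amount_cents}|{dest_iban}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

def bank_accepts_otp(secret: bytes, counter: int, code: str) -> bool:
    """Bank-side check for the plain OTP: the transaction details play no part."""
    return hmac.compare_digest(plain_otp(secret, counter), code)

def bank_accepts_bound(secret: bytes, amount_cents: int, dest_iban: str, code: str) -> bool:
    """Bank-side check for the bound code: recompute over the transaction as
    actually received, i.e. after any man-in-the-browser rewriting."""
    return hmac.compare_digest(transaction_code(secret, amount_cents, dest_iban), code)

def simulate(tampered: bool, bound: bool) -> bool:
    """Return True if the bank executes the transfer it received."""
    intended = (10000, "DE00-CONSTRUCTED-0001")   # 100.00 to the customer's payee
    # A man-in-the-browser on the infected PC rewrites what is sent to the bank,
    # while the browser still displays `intended` to the user.
    received = (500000, "DE00-CONSTRUCTED-9999") if tampered else intended
    if bound:
        # The user confirms amount and destination on the trusted device's own
        # display, so the code is derived from `intended`, never from the PC.
        code = transaction_code(DEVICE_SECRET, *intended)
        return bank_accepts_bound(DEVICE_SECRET, *received, code)
    code = plain_otp(DEVICE_SECRET, counter=1)   # user types the OTP into the browser
    return bank_accepts_otp(DEVICE_SECRET, 1, code)

if __name__ == "__main__":
    print("plain OTP, tampered transfer executed:", simulate(True, False))   # True
    print("bound code, tampered transfer executed:", simulate(True, True))   # False
```

The plain OTP is accepted regardless of what the malware changed, whereas the bound code fails because the bank recomputes it over the rewritten amount and destination.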