Knoppix Used in Internet Banking Solution

renai42 writes "Australian company Cybersource says it's currently talking to two domestic banks about providing Knoppix-based bootable CDs to consumers to ensure Internet banking security. The company says at least one bank will probably use the CDs in at least one sector of its operations. Cybersource envisages that banks will re-brand its product and provide the CDs alongside other marketing material."

"Managing Online Security Risks"

[DavidNWelton]

Even if this article is a bit dated, it's very relevant. I find it interesting because he talks some about the economics behind managing risks like those cited.

http://www.sims.berkeley.edu/~hal/people/hal/NYTim es/2000-06-01.html

Dr. Varian's writings are in general quite interesting. He is quite able in his discussions of economics for people without a background in the field, like myself.

Dutch Banks

Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:

(Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....

You type in your PIN code and hit 'OK'. On the website of the bank you have to type 2 things. Your account number and the key generated after you hit 'OK' on the device. This key is different every X seconds (I don't know the interval).

This matches with the interval the bank has running. This combination of pass ID, PIN code, account number and the interval is key to have access. You need all of them to get in.

The websites session times out after about 2 minutes when there is no action anymore.

If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.

If the amount to fransfer is higher than X, you have to process 2 numbers on the device and submit the generated numbers on the website.

This is all done on HTTPS and works with most browsers.

I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....

The device is small, portable and lightweight. Internet cafe's, at the office, at HotSpots, anywhere you can use 'safe' banking this way. As long as the banks website is online and within reach (no stupid proxies or whatever).

Just my view on banking online....

Luxembourgish banks

[BlueUnderwear]

Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:

(Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....

Here is Luxembourg, banks are too cheap for handing out these calculator thingies. Instead they use a scratch-off plastic card with 16 alphanumeric digits on it. When logging in to their service, the site choses 2 (or some 3) positions out of the 16 possible, and you have to enter the corresponding digits.

This key is different every X seconds (I don't know the interval).

Well, here in Luxembourg, the "good" banks do it the same: the key (in our case: choice of scratch card numbers) is valid a set amount of time. However, some of the (less technically savy banks) propose you a different choice of digits each time you hit reload... so a thief who has sniffed some numbers (but not all) can just keep on hitting reload until the bank asks for numbers that he has... not good!

If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.

Our banks do not have this additional security yet... (Apart from maybe Cortal-Consors. I know their German operation has such a system).

This is all done on HTTPS...

In Luxembourg too. No bank is foolish enough to use plain http. and works with most browsers.

Unfortunately, this is not the case in Luxembourg (although some progress was made over the course of last year).

The currently worst offenders have a gateway page which features a Rube-Goldberg like chain of Java Applets, Java Script code, and VB code which only works on Internet Explorer (the Java Applet is MS proprietary java (using the proprietary com.ms.util.SystemVersionManager class...). The output of this is fed, via the VB script, and then the Javascript (!) into a second URL, which gives you access to the Web application itself. Interestingly enough, once that gate is passed, there is no further dependancy on MS-ware, and you can cheat yourself access to the contents (graphs of their mutual funds) by entering that second URL manually.

For their homebanking they have the same "proprietary applet" hack, and in addition a server-implemented browser check. Manually enter the JVM=1 bit into the URL, and fake an Internet Exploder User Agent and you are in! What the hell are they thinking?

I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....

Indeed, the number generated by the device makes it secure even against keystroke loggers that may be installed (but don't challenge your luck either...)