Slashdot Mirror


Knoppix Used in Internet Banking Solution

renai42 writes "Australian company Cybersource says it's currently talking to two domestic banks about providing Knoppix-based bootable CDs to consumers to ensure Internet banking security. The company says at least one bank will probably use the CDs in at least one sector of its operations. Cybersource envisages that banks will re-brand its product and provide the CDs alongside other marketing material."

23 of 263 comments

  1. This will be viewed as a great idea.. by nfs3hp · · Score: 5, Insightful

    until the network administrators find a serious vulnerability and have to burn/press about 35602638023862 new CDs to patch it.

    1. Re:This will be viewed as a great idea.. by Ed Avis · · Score: 4, Insightful

      Actually I think mailing out new CDs is far more likely to work than persuading users to keep their own systems (especially Windows boxes) up to date.

      (You could in principle install a Linux system on each user's own hard disk and push out updates to it, but giving them a new CD has far less to go wrong.)

      I rather miss the days when performing an operating system upgrade was as simple as opening the computer and putting in some new ROM chips; putting in a new CD and rebooting is getting back towards that level of friendliness.

      --
      -- Ed Avis ed@membled.com
    2. Re:This will be viewed as a great idea.. by advocate_one · · Score: 4, Insightful

      well considering if you'd actually RTFA... the browser and networking stuff on the CD is set up to only point to the bank's own systems and nowhere else... i.e. it gets its DNS info only from the bank's secured servers and so only web addresses for the bank's own secure website will be given back... it will NOT be possible for the user to type in a web address URL into the browser bar and go there unless it corresponds to one of the bank's own sites.

      So unless you type in an IP the hard way, tough...

      Note for pedants... It gets its own IP from whatever DHCP service is running on the customer's NAT router or ISP service provider, but doesn't use the NAT or service provider for DNS queries.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  2. Um, what? by Anonymous Coward · · Score: 5, Insightful

    I can hardly keep track of an ATM card, now you're expecting me to carry around a big honking CD all the time?

    Pass

  3. OEM & WinModems by FudRucker · · Score: 4, Funny

    when the bank customer takes this CD home and boots it on their OEM with the WinModem they won't be able to get online (at least it will be secure that way)...

    --
    Politics is Treachery, Religion is Brainwashing
  4. It is at least a start by guyverix · · Score: 4, Insightful

    There won't be key-loggers, virus-infested OSes, ActiveX, IE, blah, blah, blah. At least this is a step in the right direction.

  5. news? by mnbjhguyt · · Score: 5, Insightful

    ...says... it's talking... one bank will probably use... envisages...

    and from TFA: Banks eye bootable Linux CDs

    wake me up when something happens, ok?

  6. And BSD is chopped liver? by putko · · Score: 4, Insightful

    A step in the right direction.

    But it seems odd to me that if someone wants a one-trick secure browser solution, he'd use anything other than OpenBSD.

    If you sit down and do the analysis (without regard to "religion" or fashion), and say, "I only need a secure browser," you'll likely pick a BSD and it will likely be either NetBSD (hw support) or OpenBSD (security).

    I did a similar analysis, and came to this conclusion, after attempting to dispassionately evaluate the options.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:And BSD is chopped liver? by I confirm I'm not a · · Score: 4, Insightful

      and say, "I only need a secure browser," you'll likely pick a BSD

      I agree... but... the banks are really saying "I only need a secure browser that'll run automatically on a very wide range of hardware". I don't run Knoppix (except as a get-out-of-jail-free card ;-) but it is extremely comfortable with most hardware. More so than FreeSBIE, for example.

      --
      This is where the serious fun begins.
  7. Credit Card CDs would be better by LiquidCoooled · · Score: 5, Interesting

    Boot from a tiny partition of Linux on a CC-sized CD. Give it dual use and let all customers have it available.

    The other security features on the credit card could be put onto the CD to ensure authenticity.

    --
    liqbase :: faster than paper
  8. Interesting idea for a very tough problem by brendano · · Score: 5, Insightful

    This sounds like a great idea, provided that Knoppix can be user-friendly enough to figure out how to boot up.

    There's really no surefire way to ensure that a user's hard-drive-installed OS is secure for banking. Considering the staggering variety of adware/spyware/viruses on machines today, it must be quite easy for a malicious malware creator to make a program that hijacks name resolution (change DNS servers, or the HOSTS file) for perfect phishing, or they could install a keystroke logger, or whatever else. If they got their bank-website-hijacking malware on machines in whatever way all today's adware stuff gets on, they could easily phish thousands of bank transactions every day.

    The prevalence of malware seems to indicate that people can't control or trust the programs on their own hard drives. If that's the case, they can't trust any of their online interactions. Since Knoppix kills your hard drive and all its flexibility, it's much more secure.

    What would be funny is if more and more institutions started demanding the use of bootable OSes. Our PCs would be reduced to a BIOS, monitor, and keyboard ... reminds you of the Apple II days, where you had to boot half of the operating system off a floppy every time you turned on the computer.

    --
    -Brendan
  9. Using knoppix in a bank..... by cheezemonkhai · · Score: 5, Funny

    Public Service announcement:

    All ATMs will now dispense Kash, the new Qt-improved version of cash.

  10. "Managing Online Security Risks" by DavidNWelton · · Score: 4, Informative

    Even if this article is a bit dated, it's very relevant. I find it interesting because he talks some about the economics behind managing risks like those cited.

    http://www.sims.berkeley.edu/~hal/people/hal/NYTimes/2000-06-01.html

    Dr. Varian's writings are in general quite interesting. He is quite able in his discussions of economics for people without a background in the field, like myself.

  11. Dutch Banks by Anonymous Coward · · Score: 5, Informative

    Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works as follows:

    (Almost all) The banks over here use a kind of calculator device. You insert your pass into it. The normal pass you use for withdrawals from ATMs....

    You type in your PIN code and hit 'OK'. On the website of the bank you have to type 2 things. Your account number and the key generated after you hit 'OK' on the device. This key is different every X seconds (I don't know the interval).

    This matches with the interval the bank has running. This combination of pass ID, PIN code, account number and the interval is key to have access. You need all of them to get in.

    The website's session times out after about 2 minutes when there is no action anymore.

    If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.

    If the amount to transfer is higher than X, you have to process 2 numbers on the device and submit the generated numbers on the website.

    This is all done on HTTPS and works with most browsers.

    I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....

    The device is small, portable and lightweight. Internet cafés, at the office, at hotspots, anywhere you can use 'safe' banking this way. As long as the bank's website is online and within reach (no stupid proxies or whatever).

    Just my view on banking online....
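
The login and transfer flow described in the post above, as an added simulation that is not the post's or any bank's code: a card that checks the PIN itself, a reader that derives a time-windowed login code and a challenge-bound transfer response, and a bank that verifies both and refuses replays. The HMAC construction, the 60-second window, the 8-digit codes and the single-challenge transfer (the post's two-number rule for large amounts is not modelled) are all assumptions.

```python
import hashlib, hmac, secrets

WINDOW = 60  # seconds a login code stays valid (assumed: the post does not give the interval)

def _code(key, *parts):
    # 8-digit code bound to the card key and to its context (purpose + window or challenge)
    mac = hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Card:
    """The bank pass: holds the shared secret and verifies the PIN itself."""
    def __init__(self, pin):
        self.key = secrets.token_bytes(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
    def check_pin(self, pin):
        return hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest())

class Reader:
    """The calculator device: computes nothing without the inserted card and the right PIN."""
    def __init__(self, card, pin):
        if not card.check_pin(pin):
            raise PermissionError("wrong PIN")
        self.key = card.key
    def login_code(self, now):            # code changes every WINDOW seconds
        return _code(self.key, "login", str(int(now // WINDOW)))
    def sign(self, challenge):            # response to the number shown on the transfer screen
        return _code(self.key, "transfer", challenge)

class Bank:
    def __init__(self):
        self.accounts = {}  # account number -> card key, enrolled when the pass is issued
        self.pending = {}   # account number -> outstanding transfer challenge
    def enroll(self, account, card):
        self.accounts[account] = card.key
    def login(self, account, code, now):
        # accept the current window and one either side, to tolerate clock drift
        key = self.accounts.get(account)
        if key is None:
            return False
        w = int(now // WINDOW)
        return any(hmac.compare_digest(code, _code(key, "login", str(w + d))) for d in (-1, 0, 1))
    def start_transfer(self, account):
        self.pending[account] = f"{secrets.randbelow(10**8):08d}"
        return self.pending[account]
    def confirm_transfer(self, account, response):
        # the response is bound to one challenge and consumed on use: a logged value cannot be replayed
        challenge = self.pending.pop(account, None)
        return challenge is not None and hmac.compare_digest(
            response, _code(self.accounts[account], "transfer", challenge))
```

A keystroke logger that records the login code or the transfer response gets a value that is useless outside its window or its one challenge, which is the property the post relies on.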

  12. Re:Could be good, probably will be bad by Flendon · · Score: 5, Funny

    Does the average user know how to boot from a CD?

    Sure you just go into your bios and set your...I said your bios...You reboot and hit the...reboot...you know that thing Windows makes you do everyday...
    Um, that would be a no.

    --
    chown -R us ./base
  13. Dear CitiKnoppix Customer by DingerX · · Score: 5, Funny

    Dear CitiKnoppix Customer,

    For security reasons, we need to verify your personal information and update your CitiKnoppix(tm) software. Please send us your mailing address and we will send you a new CitiKnoppix(tm) CD-Rom. As an added bonus for taking part in this experimental customer service program, we will credit your account with $1000.

    Sincerely,
    CitiPhishing.

  14. No, read it again... by CdBee · · Score: 4, Insightful

    No, I'm saying you need either a supported modem, or an ethernet-connected modem/router.

    There are tens if not hundreds of millions of users in the world who use USB DSL modems, Windows-only winmodems, unsupported Broadcom wifi connections or password-protected proxies for whom this CD will be of absolutely no use whatsoever, except as a coffee mat.

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    1. Re:No, read it again... by danharan · · Score: 4, Funny

      that's my fate... to be nibbled to death by nitpickers, pedents and Jeremiahs...

      Ahem... That's pedants ;)

      --
      Information: "I want to be anthropomorphized"
  15. Stop the complaining by CastrTroy · · Score: 4, Insightful

    Stop the complaining about how it won't work if you have a certain hardware configuration, or if you don't have a certain type of internet connection.

    I think the power here comes in that the bank can offer it as an option. If it boots in your computer, then great, use it. Maybe they could even throw in something like GnuCash so that people can keep better track of their money. I say, don't make it mandatory, but offer it as an option to help at least some users feel more secure.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  16. Luxembourgish banks by BlueUnderwear · · Score: 4, Informative

    Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works as follows:

    (Almost all) The banks over here use a kind of calculator device. You insert your pass into it. The normal pass you use for withdrawals from ATMs....

    Here in Luxembourg, banks are too cheap for handing out these calculator thingies. Instead they use a scratch-off plastic card with 16 alphanumeric digits on it. When logging in to their service, the site chooses 2 (or some 3) positions out of the 16 possible, and you have to enter the corresponding digits.

    This key is different every X seconds (I don't know the interval).

    Well, here in Luxembourg, the "good" banks do it the same: the key (in our case: choice of scratch card numbers) is valid a set amount of time. However, some of the (less technically savvy) banks offer you a different choice of digits each time you hit reload... so a thief who has sniffed some numbers (but not all) can just keep on hitting reload until the bank asks for numbers that he has... not good!

    If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.

    Our banks do not have this additional security yet... (Apart from maybe Cortal-Consors. I know their German operation has such a system).

    This is all done on HTTPS...

    In Luxembourg too. No bank is foolish enough to use plain http.

    ...and works with most browsers.

    Unfortunately, this is not the case in Luxembourg (although some progress was made over the course of last year).

    The currently worst offenders have a gateway page which features a Rube Goldberg-like chain of Java applets, JavaScript code, and VB code which only works on Internet Explorer (the Java applet is MS proprietary Java (using the proprietary com.ms.util.SystemVersionManager class...)). The output of this is fed, via the VB script, and then the JavaScript (!) into a second URL, which gives you access to the Web application itself. Interestingly enough, once that gate is passed, there is no further dependency on MS-ware, and you can cheat yourself access to the contents (graphs of their mutual funds) by entering that second URL manually.

    For their homebanking they have the same "proprietary applet" hack, and in addition a server-implemented browser check. Manually enter the JVM=1 bit into the URL, and fake an Internet Exploder User Agent and you are in! What the hell are they thinking?

    I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....

    Indeed, the number generated by the device makes it secure even against keystroke loggers that may be installed (but don't challenge your luck either...)

    --
    Say no to software patents.
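
The scratch-card challenge from the post above, as an added model that is not the post's or any bank's code: the same server with the two-position challenge either re-picked on every page load (the weak behaviour the author criticises) or pinned to the session until it expires or is answered, plus a count of how many distinct position sets one session can be shown by reloading. The session identifiers, the 120-second validity and the card alphabet are assumptions.

```python
import hmac
import secrets

POSITIONS, ASKED = 16, 2   # the card carries 16 digits and the site asks for 2 of them (from the post)
VALID_FOR = 120            # seconds a challenge stays bound to a session (assumed; the post gives no figure)
_rng = secrets.SystemRandom()

def new_scratch_card():
    # constructed sample card: 16 alphanumeric digits, as the post describes
    return "".join(_rng.choice("ABCDEFGHJKLMNPQRSTUVWXYZ23456789") for _ in range(POSITIONS))

def pick_positions():
    return tuple(sorted(_rng.sample(range(POSITIONS), ASKED)))

class Server:
    def __init__(self, pin_challenge):
        self.pin_challenge = pin_challenge  # True: the "good bank" behaviour; False: new positions per reload
        self.cards = {}    # account -> scratch card digits held by the bank
        self.issued = {}   # session -> (positions, issued_at)

    def enroll(self, account, card):
        self.cards[account] = card

    def challenge(self, session, now):
        """Positions the user must reveal on this page load."""
        current = self.issued.get(session)
        if self.pin_challenge and current and now - current[1] < VALID_FOR:
            return current[0]   # same positions until the challenge expires or is answered
        positions = pick_positions()
        self.issued[session] = (positions, now)
        return positions

    def verify(self, session, account, answer, now):
        """One attempt per challenge: the challenge is consumed whether or not the answer is right."""
        current = self.issued.pop(session, None)
        if current is None or now - current[1] >= VALID_FOR:
            return False
        expected = "".join(self.cards[account][p] for p in current[0])
        return hmac.compare_digest(answer, expected)

def distinct_challenges(server, session, reloads, start=0.0):
    """How many different position sets a session is shown by reloading within one validity window."""
    return len({server.challenge(session, start + i) for i in range(reloads)})
```

With the challenge pinned, reloading reveals nothing new, so an observer who has captured a few positions gains no way to steer the bank toward them; the per-reload variant hands out a fresh pair on every request.
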
  17. Convenience vs. Security by MadCow42 · · Score: 4, Insightful

    Online banking is successful / useful because it's convenient... that could be outweighed by security risks as malware gets worse.

    However consider how it'd work with a bootable CD:
    - shut down everything on my computer, save open documents, and all that crap
    - find a CD
    - boot to that CD (assuming it likes my hardware to start with)
    - wait for it to boot... (ho hum...)
    - do my banking
    - NOT be able to save any info to my local computer (for checkbook reconciliation, or any other local use) - I guess I'll now have to find a paper and pen to copy the info I need down...
    - shut down again...
    - reboot again to get back to normal operation... (la-dee-da.... ho hummm...)
    - find the stuff I was working on before, and get back into the groove...

    Does THAT sound convenient any more? I don't know about you guys, but my computer doesn't boot very quickly. We're talking a total of 15 minutes minimum just to go check your balance.

    I can stop by the REAL bank on my way home from work easier than that. I don't see this as a good thing overall - even if it does provide the best security. There must be better alternatives (as mentioned in other threads).

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
    1. Re:Convenience vs. Security by natrius · · Score: 4, Interesting

      Didn't someone mention a live CD that could autorun itself in QEMU when inserted in a Windows computer? That seems like it would be the perfect solution to me. No need to worry about hardware variability, and you'd be able to do all your banking in a virus-free virtual machine.

  18. Great Idea by Anonymous Coward · · Score: 4, Interesting

    I have been using Knoppix for all our banking since AVG found a keystroke logger on my wife's PC. KNOPPIX ROCKS. I also use it at hotels where they have business center PCs.
    Knoppix is not just a good start, it is a GREAT start to solving the problems of infected client PCs. Every boot is a clean install, and user settings CAN be saved to the HD if you really want.