Banks Urge Businesses To Lock Down Online Banking

tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."

Sounds like they should hand out liveCDs

[fuzzyfuzzyfungus]

It wouldn't be rocket surgery, or especially onerous in cost/seat terms, for major financial institutions to hack together and press a bunch of "Banking liveCDs".

No writable persistent storage, just a browser(configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).

There would probably be some annoying edge cases(some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues(though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.

As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.

Re:...and how would you do that?

[Runaway1956]

Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!

Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.

The idea of a biometric ID in conjuntion with a reasonably secure password hash has it's appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.

Finally, maybe we can get around to "Linux - the year of the desktop!" Face it, boys and fanbois - no unix-like machine is open to as many exploits as Windows is.

I'm just dreaming, of course. If I manage to live another 20 years, we'll still be having similar discussions, PIN numbers will still be 4 digit numerics, and Windows XP will be the ancient, outdated operating system of choice for banks.