Slashdot Mirror


Washington Post Says Use Linux To Avoid Bank Fraud

christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."

9 of 422 comments

  1. Re:VM? by Techman83 · Score: 3, Informative

    Keyloggers could still capture the input from the Host OS.

    --
    # cat /dev/mem | strings | grep -i cat
    Damn, my RAM is full of cats. MEOW!!
  2. To be safe... by Antony-Kyre · Score: 3, Informative

    Well, don't do online banking.
    Or, use a totally separate computer to do online banking. Only use the web browser to access one's bank account.
    Or look for "freeze"-type software, which makes the hard drive essentially read-only.
    Also, it doesn't hurt to check which processes you are running, and whether any of those are unusual.

  3. Re:What about the banks? by some_guy_88 · Score: 5, Informative

    The Commonwealth Bank in Australia (and probably many others) sends you a random code via SMS to your phone that you have to type back in to the site in order to transfer money to an account you've never transferred to before.

  4. Re:What about the banks? by schon · Score: 4, Informative

    And asking me for my Mother's maiden name is really that much better? Or how about showing me an image that I picked out but will soon ignore after seeing that it never changes?

    Those are both the same factor, just like a user's password.

    Security factors are

    1. something you know
    2. something you have
    3. something you are

    In order to qualify as "two factor", you must have two of those (no, having two of the same factor doesn't count.)

    So passwords, personal question, and favourite image are all examples of "something you know", and don't represent two-factor authentication.

    The Security-token would be an example of "something you have", and thus combining them with a password would be two-factor authentication.

  5. Re:Non-random bits on LiveCD can compromise securi by PhrstBrn · Score: 3, Informative

    Huh? Random number generators can be seeded with other data from your hardware, such as the system clock time, reading PCI devices, or some random data off your hard drive. Every single time you reboot, your system clock has changed. If you have a hard drive, the data on there has probably changed too, so you can just read some information off the drive at the block level (you don't need to mount it). Every user who uses a live CD has different hardware.

    The problem is trivial at best to solve. It may not be the absolutely perfect solution, and probably not good enough if you need a true random number generator, but good enough for this purpose. You definitely won't be in the same state every time you reboot (at the very least the time changed).

  6. Re:terrible advice by QuantumG · Score: 3, Informative

    Yes, because everyone else has patched the bug. Microsoft hasn't. But if you're using a LiveCD from before they patched the bug, then you are no more protected than the bozos using IE5.

    --
    How we know is more important than what we know.
  7. Re:What about the banks? by Profane MuthaFucka · Score: 5, Informative

    That's not two factor, it's one factor. It's something you know, in two parts. A key fob introduces something you have.

    A big problem with what you described is that 40 images to choose from is like adding one more character to your password, allowing lowercase, numbers, and 4 other punctuation marks only.

    It doesn't add much to security at all, in other words.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  8. Re:What about the banks? by Jason Levine · Score: 4, Informative

    As a victim of Identity Theft, I can tell you that banks and credit agencies just don't care. The bank writes off the loss due to fraud. The credit agency shrugs their shoulders at bad information in your credit file and tells *you* to fix it (while they happily go on reporting the bad information). In the case of stolen credit card numbers, the credit card company simply issues a new card and reverses the fraudulent charges. Meanwhile, the thief has their new television and the store is out a few thousand dollars.

    In my case, the credit card company opened a line of credit for "me" even though the online application contained the wrong Mother's Maiden Name. I only found out about it because the thieves put in for a rush delivery of the card and *then* changed the address on the account. The card wound up at my house instead of their house/drop box/whatever. The incorrect maiden name and quick address change didn't set off any fraud alerts. Neither did "me" trying to get a $5,000 cash advance on the card prior to activating it. And when I called them about it, they refused to give me any information because "I might run out and kill the thief and then they're liable." They even gave the police department the runaround.

    As I said, they just don't care. They'll do everything in their power to protect themselves. Even if protecting themselves in the short term means the identity thief gets away and commits more fraud against their business in the long term. In the end, you are only important to them insofar as how much green they can make off of you.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  9. Re:What about the banks? by wh1pp3t · Score: 3, Informative

    I had to click the one that was my image (this was rather than a sign in button).

    The image you choose is used by Countrywide (BofA) to provide you with the verification that you are not signing into a phishing site, not as part of your login credentials.