Washington Post Says Use Linux To Avoid Bank Fraud
christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."
A little two-factor authentication would be nice to see in American banks. Passwords just aren't adequate any more.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Because as the author explains in the comments, key loggers can run at the low level device driver level. At this level, it can hook key presses in a VM just as well as the host OS.
It's a pain, because nobody wants to go to the trouble of rebooting twice for the sake of paying a few bills. But it's the only way to be sure of a clean environment, unless your BIOS has been hacked. It's at least one good argument for the trusted platform, TPM, or whatever it is. In theory you could be sure that you are running only un-altered digitally signed executables and nothing else.
I.O.U One Sig.
I think the point is Boot CD, not Linux.
This would preclude any with an intelligent GUI (actually I am quite fond of Gnome at this point, but that wasn't what you meant).
If I am correct, using a Linux boot CD would make sense for Linux users too.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Browser security is only an issue if you're visiting other sites, in the same session, on the same boot, on your LiveCD. Browsers on LiveCDs don't magically download malware from the internet by themselves - you have to direct them to. And most conventional malware must install itself - which won't happen on a LiveCD. There are a very few flash/js based attacks that work live in the same session - but really, if either (a) your bank has third-party inline flash ads or (b) you don't trust java content from your bank's own website, then why are you banking with them online?
And going as far as questioning whether your CD burning software is infected is ridiculous. You can't be any more certain that your mouse doesn't have embedded circuitry tracing your movement patterns, or your keyboard doesn't have a keylogger built directly into it, or the aliens aren't tapping directly into your cabling's electromagnetic interference patterns to directly access your bank account as you do. You're going to extremes purely for the point of argument, but although it may have passed you by, it was established several thousand years ago that "nothing is certain".
If you can imagine up scenarios like malware built into your cd-burning software specifically to target LiveCDs being used for online banking, I can't fathom how you trust a bank's own employees enough to actually keep your money with them instead of under the mattress.
"The true measure of a person is how they act when they know they won't get caught." - DSRilk