Can Ubuntu Save Online Banking?
CWmike writes with a pointer to this ComputerWorld mention of an interesting application of Live CDs, courtesy of Florida-based regional bank CNL: "Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is seriously considering making available free Ubuntu bootable 'live CD' discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL's Web site. 'Everything you need to do will be sandboxed within that CD,' [CNL CIO Jay McLaughlin] says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking." (But what if someone slips in a stack of doctored disks?)
One of the major Canadian banks (RBC) was actually giving away netbooks (eeePC 700 I believe) a little while back (to those who switched to them). With that in mind this suggestion doesn't seem that crazy. In reality, you wouldn't even need a full netbook. A small screen, minimal keyboard, network card, and very small SD card would do. Some people might even be willing to pay $100 for them if it meant they could feel safe in their online banking.
USB drive then?
The point of the LiveCD is that it is rather difficult for hackers to compromise (owing to the physical, unalterable nature of the disk image). It has nothing to do with obscurity--the point is that each time they boot a verified, trusted disk image and then go straight to the bank's website--without a keylogger in the motherboard there aren't really any useful attack vectors.
I'm wondering: If I'm running Windows, and set up the bank's Linux in a VM, am I still vulnerable to Windows's trojans and keyloggers? I would guess Yes, because keystrokes go Windows -> VM manager -> Linux VM? Or not?
The Cloud - because you don't care if your apps and data are up in the air.
You could use token authentication and just allow the disk to keep a cookie that logs them in with minimal interaction (either nothing or a short password like their PIN).
Also, just thought you might like to know... Et al. is short for et alii and translates literally as, "with others." etc. is short for et cetera and translates roughly as, "with other objects". There is a people/things distinction. So if the other stuff is people, "et al." and if the other stuff is things, "etc.".
A VM is just a program, so any keystrokes will be sent to both the VM and whatever other program feels like it needs them. What you won't have, however, is contextual information - it's not as easy to tell when you're typing in a password in the VM from the host.
You do realize that all Virtual Machine guests are not secure from the host, right? Or that it would be trivial to screencap/input capture the guest?
This is rated "funny" - but it's really not. I read a story about a credit union, in Texas I think, that found a bunch of CDs had been distributed to customers. The label claimed that they were distributed by the credit union, and that they contained software with which to securely connect to the bank. And, of course, the contents were just a trojan.
I kind of thought the story was covered here on Slashdot, but I could be wrong.
Ahhhh - here we go. Someone tried to pass it off as "pentesting" in the Slashdot story:
http://it.slashdot.org/story/09/08/27/2331201/Hackers-Or-Pen-Testers-Hit-Credit-Unions-With-Malware-On-CD?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+(Slashdot)
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
DNS is not encrypted. All they would have to do is record the DNS requests and they would know when you are looking at mybank.com.
Why is it so hot? Where am I going? What am I doing in this handbasket?