Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Linux

Washington Post Says Use Linux To Avoid Bank Fraud 422

Posted by kdawson
from the just-common-sense dept.
christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."
This discussion has been archived. No new comments can be posted.

Washington Post Says Use Linux To Avoid Bank Fraud

Comments Filter:
  • by sqrt(2) (786011) on Tuesday October 13, 2009 @09:42PM (#29740459) Journal

    We're trying to SAVE money here

  • by Shakrai (717556) on Tuesday October 13, 2009 @09:56PM (#29740549) Journal

    If your computer has been compromised in this fashion, you've already lost. For you car enthusiasts, it's like adding additional locks to the car doors -- it doesn't help if the windows (haha) are already broken.

    What's the computer equivalent of the "This car protected by Smith & Wesson" bumper sticker?

  • by Tynin (634655) on Tuesday October 13, 2009 @10:02PM (#29740591)

    What's the computer equivalent of the "This car protected by Smith & Wesson" bumper sticker?

    This computer is protected by retaliatory DoS attacks? I guess that is the best we can hope for until we work out a better implementation of PoIP (Punched over Internet Protocol).

  • by Anonymous Coward on Tuesday October 13, 2009 @10:18PM (#29740709)

    "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."

    I mean look at this a cop is saying something reasonable and sensible. That quote is obviously faked and it calls the rest of the article into question.

  • by Draek (916851) on Tuesday October 13, 2009 @10:26PM (#29740773)

    hey, who says your CD burning software isn't infected - implications on trusting trust and all.

    I understand there's only a fine line between safety and paranoia, but the idea of a CD burning software having been compromised to detect Linux LiveCD ISOs and add a software keylogger to the system included therein is so far up in 'paranoia' territory it already got full citizenship and is considering running for president against "Elvis is hidden in Area 51" and "9/11 was planned by Israel to draw the US into the middle east".

  • by JumpDrive (1437895) on Tuesday October 13, 2009 @10:48PM (#29740883)
    "This computer runs Windows 7"
    The most secure operating system yet.
    And it will stay that way , Mr Balmer, as long as you don't release it.
  • by Inner_Child (946194) on Tuesday October 13, 2009 @10:56PM (#29740925)
    What in the holy hell do people who make costumes have to do with any of this? I would be more concerned about the banks blaming things on their customers.
  • by Anonymous Coward on Tuesday October 13, 2009 @11:05PM (#29740983)

    DMCA

  • by SanityInAnarchy (655584) <ninja@slaphack.com> on Wednesday October 14, 2009 @12:41AM (#29741411) Journal

    Browser security is only an issue if you're visiting other sites, in the same session, on the same boot, on your LiveCD.

    Wrong. Any security compromise on the same boot lends a possibility of compromising that session. Not all vulnerabilities will lead to that, but some can.

    And going as far as questioning whether your CD burning software is infected is ridiculous. You can't be any more certain that your mouse doesn't have imbedded circuitry tracing your movement pattens, or your keyboard doesn't have a keylogger built directly into it,

    No, the question is not whether the software came pre-0wned. The question is, once this practice becomes widespread, won't malware authors target the ISO downloading and/or CD burning process? If malware attaches itself to Nero, and Nero injects something into your shiny new livecd, what are you going to do? Ask it to verify itself?

    or the aliens aren't tapping directly into your cablings electromagnetic intereference patterns to directly access your bank account as you do. You're going to extremes purely for the point of argument,

    Which is exactly what you just did, right there.

    See, keyboards with embedded keyloggers do exist, though mostly as proof of concept. While I'm not sure a mouse-movement-logging-mouse exists, it's not hard to imagine how one might be built.

    There isn't any convincing evidence that aliens exist, and if they are here, we have no idea how they could be monitoring our thoughts.

    All beside the point, of course, which is that this truly is security through obscurity, in two ways:

    First, because it'd be much harder to write malware that compromises all burning software and rootkits your new LiveCD and rootkits your current Windows system such that you won't be able to detect the rootkit on the LiveCD...

    But "harder" just means, they won't do it until it's worth it -- it's an obvious vulnerability.

    The second kind of security through obscurity is the fact that this technique is relatively obscure -- that is, not well known. If users never use LiveCDs a lot, this will probably work well, because someone fishing for account info will go for your neighbor's (who accesses his bank from IE6) rather than you.

    But neither kind is actually secure.

  • by euyis (1521257) <euyis@nospAm.infinity-game.com> on Wednesday October 14, 2009 @12:53AM (#29741457)
    For example, Mainland China, where all banks use the super-secure ActiveX technology to build their own authentication systems...
  • by jimicus (737525) on Wednesday October 14, 2009 @03:48AM (#29742197)

    Mitchell & Webb put this pretty well:

    http://www.youtube.com/watch?v=CS9ptA3Ya9E [youtube.com]

  • by bdwoolman (561635) on Wednesday October 14, 2009 @04:00AM (#29742257) Homepage

    What in the holy hell do people who make costumes have to do with any of this?

    If you are going to rob a bank anonymously you absolutely need a costumer. The costumer is the person who dresses up the bank robber in his archetypal stripped shirt and handkerchief mask. Costumers are typically blond with big... ideas.

  • by Rennt (582550) on Wednesday October 14, 2009 @07:15AM (#29743079)
    I'm confused, are you supporting or disagreeing with my post?
  • by Rudeboy777 (214749) on Wednesday October 14, 2009 @11:33AM (#29746331)
    If you are going to rob a bank anonymously you absolutely need a costumer. The costumer is the person who dresses up the bank robber in his archetypal stripped shirt and handkerchief mask.

    Right, but is it the bank or the costumer responsible for the sack with the dollar sign on it?

Hold on to the root.

Working...