Washington Post Says Use Linux To Avoid Bank Fraud 422
christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."
Re:What about the banks? (Score:3, Interesting)
And asking me for my Mother's maiden name is really that much better? Or how about showing me an image that I picked out but will soon ignore after seeing that it never changes?
I like the security token [wikipedia.org] concept myself. It doesn't rely on easy to figure out (Mother's maiden name, hospital you were born at, etc.) information and is easy enough that most lusers can figure it out quickly. I don't understand why more financial institutions haven't adopted them.
Its not just Linux, its trusted boot... (Score:4, Interesting)
Its not just "linux vs Windows" but "trusted boot": All you need to rely on is that the live CD is OK and your BIOS is not corrupted and you can effectively safely connect to your bank.
I use it myself for my Schwab account, with the added bonus of there is enough math to show active traders lose big, so don't trade active, which goes into play here.
Re:terrible advice (Score:5, Interesting)
If you are using the LiveCD as a dedicated banking only environment, the only input your browser will see is your bank's website. If you can't trust user behavior, and want to really be sure, you could have it set to reject anything that doesn't have the bank's SSL cert. If your bank wants to 0wn you, you are already doomed. If no other site can reach your browser, your browser cannot be owned, no matter how buggy.
Phishing already solved. (Score:1, Interesting)
Re:terrible advice (Score:4, Interesting)
sigh. Just off the top of my head I can think of about a dozen attacks one could direct against a bank user who thinks they're bulletproof because they're using a Linux LiveCD. For example, booting off a LiveCD won't save you from the truncated SSL cert attack that was demonstrated in the direction of PayPal the other day.. only having an up-to-date browser will do that. Encouraging people to use unpatched known-vulnerable software to do their banking just so they can avoid malware on their regularly patched machines makes no sense at all. Of course, that's the extreme case.. suggesting people use a LiveCD of Linux instead of an unpatched copy of Windows XP SP1 is a different kettle of fish.
Re:What about the banks? (Score:5, Interesting)
For you car enthusiasts, it's like taking the engine with you when you leave the car. Even if the car is hot-wired, it's not going anywhere without that thing you still have.
A smart bank would be ALL over this... (Score:5, Interesting)
A bank with any technical savvy would be immediately preparing a LiveCD/USB distro that boots as quickly as possible into a browser pre-configured with the bank's portal page set as the home page. The distro would contain nothing extraneous -- just enough for fast, safe banking. It would, of course, be thoroughly branded, but completely legit vis a vis source code and license notices. Give them away in the mail, or even sell USB drives.
Re:terrible advice (akamai and cross site?) (Score:3, Interesting)
In the broader term, it might be worth looking into further cryptographic mechanisms. For instance, with debian packages, you can safely download from an untrusted mirror or an http mirror that might be subject to man-in-the-middle attack because the packages themselves are signed by the original distributor. Cryptographically, putting forged packages on a 3rd party mirror would be as difficult as man-in-the-middle attacking an SSLed connection to the original distributor. At worst, you disclose the fact that you downloaded package X to a hypothetical adversary(that isn't optimal; but it is far less than it might be).
If, for economic reasons, web sites that need to be secure wish to use 3rd party hosting for some of their material, a similar signing mechanism might be employed.
I connect to https://www.hypotheticalbank.com/ [hypotheticalbank.com] SSL assures me that I am in fact talking to the right people. hypotheticalbank.com says "Please obtain 'functionsandstuff.js' from '3rdpartyhosting.org', 'functionsandstuff.js' has been signed with our key and has SHA-1 hash XYZ, verify before loading." This would still be incrementally less secure than pure 1st party hosting, since 3rdpartyhosting.org can, by looking at my requests, infer that I am likely accessing hypotheticalbank.com at a given time; but it prevents an attacker, even if they control 3rdpartyhosting.org, from mucking with the code that my browser will end up executing.
Re:terrible advice (Score:2, Interesting)
Re:What about the banks? (Score:5, Interesting)
And how would an n-factor authentication scheme help when software on your computer is logging keystrokes, mouse gestures, and capturing images of your screen and then sending them near realtime to the bad guys?
The way it works here with some banks in Australia is they send you a code via SMS when you try to issue a transfer from Internet banking. You need to enter the code into the website to continue the transaction. So the extra factor here of having the phone offers a pretty useful extra layer.
My bank doesn't offer it; I wish it did.
Non-random bits on LiveCD can compromise security (Score:1, Interesting)
Re:What about the banks? (Score:5, Interesting)
Per TFA, the banks in the two cases mentioned in the summary used two factor authentication. The hackers' malware delayed their access, and the hackers used a VPN tunnel to access the bank through the compromised computer.
Re:What about the banks? (Score:5, Interesting)
This can be automated easily enough.
Also, it's trivial to redirect the POST to login.cgi or add an entry to /etc/hosts for bank.com to a different site that just presents a 'failed to login' instead of logging in. Meanwhile your password, security code etc has been sent off to the bad guys machine which does an automated "transfer *.* funds to x" script using these credentials.
It's been done.
Re:Non-random bits on LiveCD can compromise securi (Score:4, Interesting)
My battery is dead, you ignorant clod!
Actually, something like that happened at the Montreal Casino. The machines were shut down every day, so they would end up generating the same sequence of numbers. A guy named Daniel Corriveau noticed, played the numbers, won $600,000.
He initially claimed that he used chaos theory, and the casino claimed it was a bad random number generator. The reality was that the cmos batteries had been removed during development to make testing easier, and nobody put them back in, so every day, they started with the same seed. Simple incompetence. They paid the money after 2 weeks.
Re:What about the banks? (Score:1, Interesting)
Wrong. Read about security tokens, (link somewhere up there). If the factor two is a changing password which comes from a little device, then even logging keystrokes won't help the bad guys. I have a little thingy on my keychain, push a button and get a one time password valid for one minute, without that no one can do anything on my account.
Re:What about the banks? (Score:2, Interesting)
A banking chip on every motherboard? Sure, why not.
Connect a very very inexpensive terminal with a protected nonvolatile memory to it and you can enter banking codes. Banks could invent sealing and anti-tamper systems so, like a gas pump or electric meter, the seal is visible to the user where it can be verified to be intact, offering a bit of physical security.
Re:What about the banks? (Score:4, Interesting)
Wrong.
Security tokens store internally a crytographic key or a one time pad. It is mathematically impossible to find out what the secret key/OTP is on these devices from readouts on the display. You have to steal the device and read the bits using an electron microscope. Even if you could do that, it would be very difficult to create a cloned copy of the device and return it to the owner's possession in any length of time.
Thus, the inherent security is obvious : in order to break into an account protected by a keyfob, one absolutely HAS to steal the actual keyfob. That vastly limits the vulnerability : if the user still possesses the card, they KNOW they haven't been hacked to 99.9999999% certainty. Furthermore, only individuals who come in direct contact with the user have a chance to steal the card, and they cannot do so secretly - you could freely give your credit card to a waiter at a restraunt and have him use the keyfob with the secret code displayed, and know that the card could not have been skimmed.
And, of course, the moment the user of the card notices that it is missing, he can call the bank and cancel it and ask for a replacement, eliminating any further losses. If your account information had been compromised, you might not realize for month(s).
I will agree with you on "something you are" authentication. Even if you owned some kind of biometric reader and used it to log on to your bank, it is not any more secure than a password because a fingerprint or DNA sequence is a static piece of authentication. Well, ALMOST....
Theoretically, using technology not yet available, you could give the bank a sample of your genetic material and essentially have security whereby the bank asks your home DNA scanner "give me n->Z portion of the user's genome". This would only be a practical security measure if whole genome sequencing were still very expensive.
Re:Alternate Headline (Score:1, Interesting)
You don't have the slightest idea how credit fraud works. The CC company isn't liable for any of the fraud. In fact, they make money on it. The way it works is, once you report fraud, they chargeback all the fraud, so the retailer eats the charges. Further, the CC company charges for this "service", they also keep the transaction fees from the first fraud payments, and then slap on new transaction fees for the charge backs.
At the end of the day, the CC company made more money off the fraud than they would have off the actual purchase. Unless of course you have crazy high interest and don't make payments, in which case you are moron and shouldn't be using a CC in the first place.
Banks will NEVER try anything like this, because they have no one to pass the buck off on. They would have to eat it, but they aren't going to do that.
Re:terrible advice (Score:1, Interesting)
Its not hard at all. DNS poisoning, Man in the middle attacks, not to mention the bots constantly spamming attacks for known vulnerabilities would probably massively increase if this sort of misinformed quasi security practise was adopted
Poison DNS. Requires the name server for your ISP to be misconfigured or unpatched.
-AND-
MITM a cert that verifies as the bank (using null character hack). Requires a vulnerable browser and a CA that will issue it with a NULL, or some new unseen hack.
Not hard? Each is fairly difficult and you have to do both. That's hard-core.
The other 'vulnerability' you mention is rehacking a linux livecd running with no services and almost certainly behind a firewall or some kind during the time they are doing their banking? Good luck with that. Can you link to even *one* remote hack for the IP stack, that didn't require a service being run?
security through obscurity is NOT enough when you are talking about your financial details, even a patched windows box.....shudder... is BETTER than an unpatched liveCD.
Total BS. It's not security through obscurity, it's security though non-exposure. It doesn't matter that we are all vulnerable to hiv, you aren't going to get it if you don't exchange fluids. Even a ten year old livecd is better than a patched Windows that's been promiscuous.
Re:What about the banks? (Score:5, Interesting)
True, but it doens't have to be that expensive to do right. My bank offers two different solutions for the second-factor. One is s crypto-key tokenthing that they send you to hang on your keychain. (so you log in with a password + a 5-digit security token from the gadget)
The other is, quite simply your mobile phone. You enter your username and password, if correct, they send you a SMS with a 5-char one-time-password, you enter this and are in.
Yes, it adds 10 seconds to the login-procedure, but it's a very efficient way of stopping keyloggers and malware from learning how to access your account. Even if they successfully snoop your password, that doesn't help them aslong as they can't ALSO intercept SMS-traffic to your cellphone. This isn't IMPOSSIBLE offcourse, but it sure as hell raises the bar.
Re:What about the banks? (Score:3, Interesting)
I just thought of a solution to the man in the middle attack.
In order to do a large transfer of funds, or anything else that a hacker could benefit from, you would be required to enter a code from the keyfob a SECOND time. That is, you would have to enter the code once to log into your online bank, and a SECOND time with a new code in order to move any serious amount of money. PER major transaction.
This would be vastly more difficult to do a man in the middle attack on.
Re:What about the banks? (Score:3, Interesting)
technically, a key fob still uses "what you know", it's just "what you know that you are unlikely to know without what you have", which is good enough for now.
Re:Devil's advocate: Deepfreeze? (Score:3, Interesting)
Re:IE (Score:3, Interesting)
there's another fundamental problem with many Bank websites. They only work in IE.
As an Ubuntu user, my bank (FCU, actually) just sprung this "Windows/Mac only" policy lately. I've complained loudly to Member Services to no avail. They even said blankly that my "Lynux" system would no longer be able to access Online Banking because they were "beefing up security"!?!
I have CrossOver Office installed and it is simple to open IE8 and do my banking, but when I pointed out this flaw in their thinking, they had no comment.
Another point: I live in a rural area and have banked at this location for 15 years. I like all the tellers and ordinary staff. Changing banks would be a real hassle and there's no guarantee the new institution might not do the same thing...
Re:What about the banks? (Score:3, Interesting)
It's not a "usb-fob" it's a completely disconnected fob with a small lcd-display from which you read the one-time-pass and enter it into the login-form, using your eyes and fingers.
Sure, it could be sniffed on entry, that's where the "one-time" comes in, the info is useless, because next login, a different pass will be required.
Re:What about the banks? (Score:3, Interesting)
The point of two-factor authenthication is that when you need TWO factors, which are independent, it's a lot harder for a criminal to learn both than if you need only one.
To get into my account a criminal need to know my password AND intercept an SMS sent to my mobile phone.
This is a lot harder to do than *only* know my password. A keylogger or virus on my computer could conceivably steal my passwords and mail them to russia or wherever. It'd have a harder time doing that -AND- intercepting SMS-traffic to my mobile phone.
As I said, SMS by itself isn't impossible to intercept. But when you need to do that in -addition- to sniffing my password, the bar is raised significantly.
Re:Alternate Headline (Score:3, Interesting)
Why is the purchase price of wisdom in the hand of a fool seeing he has no heart for it? - Proverbs
I have spent the last 26 years immersed in computers. Computers I know about. Cars, even though I drive one, I do not know about.
I can re-gap a spark plug, do a tune-up on an older model car, change my oil and change a flat. However, I am vastly ignorant about troubleshooting and doing most work on a car. Am I stupid? No. But I have no skill, no knowledge and no real inclination to learn everything I would need to know about a car to be an expert and be able to do most of my own repairs. Yet I can still drive a car just fine, even if I can't fix it. I know the difference between a computer and a car. There are people actively trying to hack into my computer or tempting me to run software that will let them hack me. The same is not true for cars. There is no one tempting me to drive to the bad side of town to be mugged. Tempting me to pour water in my gas tank or running around and cutting my break lines.
There are plenty of other domains that holds true for as well. Medical, fine arts, producing music, how to perform stand up comedy, etc.... I go to the doctor and take advice, I appreciate some sculptures, music and paintings. I listen to CDs and MP3's. I enjoy watching stand up comedy. Just because I have not learned how to do these things does not mean I do not have them in my life. It just means I am not an expert at understanding them, their ins and outs. Nor am I willing to invest the time to learn. I may pick up a fact here or there, but for the most part if you shoot to much information at me about these things it will just bounce off my head and I won't absorb it.
Sadly, this is the way it is for "Joe Sixpack" and most other average computer users. They can use a computer to some degree, may know an interesting fact or two about them. However they lack the knowledge to properly be able to secure a computer or tell if it has been compromised.
The average user is just not going to allow themselves to be educated about computers. As I said I have been doing this stuff for 26 years. I have one adult child and 2 kids still in high school. None of them remember a world before the Internet. They can all touch type. But none of them ever had the desire to learn how to program or how a computer works at a deep down level. They are more computer savvy than most of their friends and that frightens me. To them a computer is an office suite and a web browser with adobe flash player. We have lost the battle. Most users won't learn how to find files they have saved when working with said office suite or something downloaded with their web browser. They also will not learn enough about computer security to be safe. Microsoft does not help either. Every 3 years we hear "This is the most secure version of Windows Ever" and people think it must be safer. Education will not get the job done...people have for the most part decided NOT learn about computers.
FREQUENCY (Score:3, Interesting)
Re:What about the banks? (Score:2, Interesting)
I actually think if I have a grid of 40 images, and need to click on the proper one it is part of credentials.
though the other poster mentioned it is only adding one character to your password.
I still think it is more secure than a security question, and easier to remember too.
Re:What about the banks? (Score:3, Interesting)
Some have gotten a little better.
Both my credit card accounts are now setup so that if I login on a NEW computer (and after a period of time on a computer I've been using), they'll ask me for the answers to 3 security questions. If you get those correct you are then prompted for the password along with a message you entered when you first registered. The idea there being that if the phrase doesn't match, then you're not really on their site and it's a phishing attempt.
It's still not great, but it's decent. Ironically enough though my WoW account is FAR more tightly secured (via Blizzard's Authenticator) then my actual bank accounts :(.
Re:What about the banks? (Score:3, Interesting)
Its a device with a 1 time pad in rom (or similar). The 1 time pad could be easily read off of rom if you crack it open
At least on that point, they have planned for it already.
RSA fobs hold their secret key in RAM, not rom.
The battery is held on by the plastic case and not fastened to it in Any way.
If you pop open the case, the battery comes off the contacts and you lose the key.
Additionally, the ram, firmware, and CPU (as well as LCD driver) are all the same single chip.
You really do need an electron microscope to read them. I have attempted to run one through our xray machine at work as well, and the chips die is such a small nm length that you can't see anything of use anymore than photographs of any chips silicon are.
http://www.svtii.com/images/IC_Chip2_SVTI.gif [svtii.com]
That is an image of a chip from 20 years ago. Shrink the width of the traces by a factor of 4x (at least) and now imagine how useful that same resolution image is.
Most people don't even have access to an xray machine, let alone a device with the needed resolution.
Even then, all you get is firmware (which RSA is a publicly known formula, so you can get that much easier)
The private key being in RAM will make it extremely hard to read out with only physical access to the fob.
This is also why the fobs have an expiration date on the back. The battery can not be replaced, by design.
Let the banks supply a disk (Score:2, Interesting)
Like I suggested in August: http://slashdot.org/comments.pl?sid=1347481&cid=29198657&art_pos=4 [slashdot.org]
The banks should distribute a locked down version themselves. Then they can even build in extra authentication in the browser and minimise other programms with possible weaknesses