
Can Ubuntu Save Online Banking?

Posted by timothy
from the make-that-virus-throw-an-error dept.
CWmike writes with a pointer to this ComputerWorld mention of an interesting application of Live CDs, courtesy of Florida-based regional bank CNL: "Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is seriously considering making available free Ubuntu bootable 'live CD' discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL's Web site. 'Everything you need to do will be sandboxed within that CD,' [CNL CIO Jay McLaughlin] says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking." (But what if someone slips in a stack of doctored disks?)
  • Re:BIOS (Score:4, Informative)

    by hipp5 (1635263) on Thursday March 25, 2010 @07:28PM (#31620100)

    One of the major Canadian banks (RBC) was actually giving away netbooks (eeePC 700 I believe) a little while back (to those who switched to them). With that in mind this suggestion doesn't seem that crazy. In reality, you wouldn't even need a full netbook. A small screen, minimal keyboard, network card, and very small SD card would do. Some people might even be willing to pay $100 for them if it meant they could feel safe in their online banking.
  • Re:Reply (Score:2, Informative)

    by Anonymous Coward on Thursday March 25, 2010 @07:59PM (#31620390)

    Then boot the live cd in a VM... Jeez...

  • Re:Reply (Score:4, Informative)

    by MaskedSlacker (911878) on Thursday March 25, 2010 @08:02PM (#31620420)

    USB drive then?

  • by MaskedSlacker (911878) on Thursday March 25, 2010 @08:04PM (#31620446)

    The point of the LiveCD is that it is rather difficult for hackers to compromise (owing to the physical, unalterable nature of the disk image). It has nothing to do with obscurity--the point is that each time they boot a verified, trusted disk image and then go straight to the bank's website--without a keylogger in the motherboard there aren't really any useful attack vectors.

  • Re:Behavior change (Score:2, Informative)

    by anarche (1525323) on Thursday March 25, 2010 @08:06PM (#31620462)

    Yep, security could be enforced if we made people walk into a bank with two forms of photo-id before they could do anything....

  • Re:Reply (Score:4, Informative)

    by obarthelemy (160321) on Thursday March 25, 2010 @08:11PM (#31620496)

    I'm wondering: If I'm running Windows, and set up the bank's Linux in a VM, am I still vulnerable to Windows's trojans and keyloggers? I would guess yes, because keystrokes go Windows -> VM manager -> Linux VM? Or not?

  • by gumbi west (610122) on Thursday March 25, 2010 @08:21PM (#31620606) Journal

    You could use token authentication and just allow the disk to keep a cookie that logs them in with minimal interaction (either nothing or a short password like their pin).

    Also, just thought you might like to know... Et al. is short for et alii and translates literally as, "with others." etc. is short for et cetera and translates roughly as, "with other objects". There is a people/things distinction. So if the other stuff is people, "et al." and if the other stuff is things, "etc.".

  • Re:Reply (Score:4, Informative)

    by selven (1556643) on Thursday March 25, 2010 @08:28PM (#31620660)

    A VM is just a program, so any keystrokes will be sent to both the VM and whatever other program feels like it needs them. What you won't have, however, is contextual information - it's not as easy to tell when you're typing in a password in the VM from the host.

  • Re:Reply (Score:4, Informative)

    by h4rr4r (612664) on Thursday March 25, 2010 @08:42PM (#31620778)

    You do realize that all virtual machine guests are not secure from the host, right? Or that it would be trivial to screencap/input capture the guest?

  • Re:Technical problem (Score:1, Informative)

    by Anonymous Coward on Thursday March 25, 2010 @08:46PM (#31620816)

    I've gotten viruses from embedded PDFs in youtube comments.

    I call bullshit.

  • Re:Reply (Score:5, Informative)

    by Runaway1956 (1322357) on Thursday March 25, 2010 @09:01PM (#31620968) Homepage Journal

    This is rated "funny" - but it's really not. I read a story about a credit union, in Texas I think, that found a bunch of CDs had been distributed to customers. The label claimed that they were distributed by the credit union, and that they contained software with which to securely connect to the bank. And, of course, the contents were just a trojan.

    I kind of thought the story was covered here on slashdot, but I could be wrong.

    Ahhhh - here we go. Someone tried to pass it off as "pentesting" in the slashdot story:
    http://it.slashdot.org/story/09/08/27/2331201/Hackers-Or-Pen-Testers-Hit-Credit-Unions-With-Malware-On-CD?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+(Slashdot)

  • Re:Reply (Score:2, Informative)

    by h4rr4r (612664) on Thursday March 25, 2010 @09:04PM (#31620990)

    Damn, you are dumb.
    You listen for the host to talk to the website, then you record keyboard input and do a screencap for good measure.

  • Re:Reply (Score:1, Informative)

    by Anonymous Coward on Thursday March 25, 2010 @10:20PM (#31621500)

    Go the other way. Run Windows in VirtualBox under Ubuntu, then do your online banking in Ubuntu's Firefox. A keylogger or virus running in Windows cannot see the keystrokes in Ubuntu.

    I actually wrote the author of a keylogger to ask if his product would see the keystrokes in Ubuntu. His reply was no, it could not.

  • by fuzzyfuzzyfungus (1223518) on Thursday March 25, 2010 @10:27PM (#31621582) Journal

    Aside from "branded consumer experiences" and all that stuff that gets the marketing guys excited, the one reason to make the disks bank-specific is that it makes security a lot easier.

    If all the disk has to do is go to https://mybank.com/ you can do all sorts of draconian but secure stuff: Disable loading any non-SSL page or element. Trust only your own cert/CA. Remove any option to approve an exception. Configure the firewall to block any and all traffic that isn't either a DNS (DNSSEC, preferably) lookup for mybank.com, or communication between the host and mybank.com.

    If you have to coordinate between a bunch of banks, things get harder. Either you take on a big institutional verification task, enrolling reputable banks in your list of trusted sites and cert/CAs, and hopefully not having some front group sneak one in there for some XSS action, or you throw up your hands and just build a generic "browser liveCD".

    The generic browser liveCD is still a good bit safer than Joe user's computer, since it needn't be a general purpose machine, or capable of running Limewire, or have every infection picked up in two years of browsing (since the max lifespan of a liveCD session will probably be a few hours); but it is still substantially less safe than a dedicated one. If there are any available exploits for the browser used, the user has a nonzero chance of picking one up while poking around and having it still resident if they bank after doing that, and before rebooting. There would also be the basic issue of cross site/cross tab stuff. Exploits of those sorts of flavors are discovered all the time. If you give up on the goal of having a general-purpose browser, you can neutralize most of them without even discovering them or patching the browser. If your browser has to be general purpose, you have to do the security the hard way.
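    The egress lock-down described in the comment above, as an added example that is not CNL's or any bank's actual configuration: an nftables ruleset for a single-purpose banking live CD that permits only DNS lookups to one resolver and HTTPS to the bank, dropping everything else. The bank name is the comment's placeholder mybank.com; the bank addresses and resolver address are constructed TEST-NET-1 placeholders, and the script assumes nftables is present on the image.

```shell
#!/bin/sh
# Added example: egress allow-list for a single-purpose banking live CD.
# Not any bank's real configuration; addresses below are placeholders.
set -eu

BANK_HOST="mybank.com"               # placeholder host from the comment
BANK_ADDRS="192.0.2.10 192.0.2.11"   # constructed TEST-NET-1 placeholders
RESOLVER="192.0.2.53"                # constructed placeholder resolver

# Emit an nftables ruleset: outbound default-drop, with exceptions only for
# DNS to the chosen resolver and TCP/443 to the bank's addresses. Inbound
# accepts only replies to connections the live CD itself opened.
build_ruleset() {
  bank_set=$(printf '%s' "$BANK_ADDRS" | tr ' ' ',')
  cat <<EOF
flush ruleset
table inet bankcd {
  # $BANK_HOST resolves to these addresses; pin them rather than trusting DNS
  set bank { type ipv4_addr; elements = { $bank_set } }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # DNS stays cleartext even with DNSSEC (it signs, it does not encrypt),
    # so restrict it to one resolver and nothing else on port 53
    ip daddr $RESOLVER udp dport 53 accept
    ip daddr @bank tcp dport 443 accept
    log prefix "bankcd-drop " drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
  }
}
EOF
}

# Load the ruleset into the kernel (requires root and nft on the image).
apply_ruleset() {
  build_ruleset | nft -f -
}

# Dry run by default so the ruleset can be reviewed; --apply loads it.
if [ "${1:-}" = "--apply" ]; then
  apply_ruleset
else
  build_ruleset
fi
```

Run without arguments to review the generated ruleset; plain HTTP and any other destination fall through to the logged drop, which is the point.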
  • Re:Reply (Score:5, Informative)

    by bflong (107195) on Thursday March 25, 2010 @10:57PM (#31621804)

    DNS is not encrypted. All they would have to do is record the DNS requests and they would know when you are looking at mybank.com.

  • Re:Reply (Score:3, Informative)

    by assassinator42 (844848) on Friday March 26, 2010 @01:25AM (#31622540)

    No, they'll still be unencrypted. DNSSEC just signs the data so you know it hasn't been tampered with.

  • by viralMeme (1461143) on Friday March 26, 2010 @06:06AM (#31623936)

    Among the several distinct ways to alter Knoppix, the one likely to be of broadest interest is remastering, during which you can substitute your own software for a portion of that on the standard Knoppix CD-ROM
  • Re:Reply (Score:1, Informative)

    by Anonymous Coward on Friday March 26, 2010 @07:15AM (#31624392)

    DNS? Even a https connection won't encrypt the IP address the packets are sent to.

    If it did, no router would know where to send it.
