Forgot your password?
typodupeerror
Linux Business Firefox Security The Almighty Buck Ubuntu News

Can Ubuntu Save Online Banking? 462

Posted by timothy
from the make-that-virus-throw-an-error dept.
CWmike writes with a pointer to this ComputerWorld mention of an interesting application of Live CDs, courtesy of Florida-based regional bank CNL: "Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is seriously considering making available free Ubuntu bootable 'live CD' discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL's Web site. 'Everything you need to do will be sandboxed within that CD,' [CNL CIO Jay McLaughlin] says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking." (But what if someone slips in a stack of doctored disks?)
This discussion has been archived. No new comments can be posted.

Can Ubuntu Save Online Banking?

Comments Filter:
  • Convenience? (Score:5, Insightful)

    by rschuetzler (1735324) on Thursday March 25, 2010 @07:05PM (#31619848)

    Isn't the point of online banking that it is convenient? And easy? For me, booting from a Live CD may be a piece of cake, but for a lot of people, it's far from that.

    Even if it is a great idea, 98% of the population won't latch on to something like this, and the 2% who might are probably already running linux

  • Re:BIOS (Score:3, Insightful)

    by jawtheshark (198669) * <slashdotNO@SPAMjawtheshark.com> on Thursday March 25, 2010 @07:13PM (#31619922) Homepage Journal

    I always keep hearing that claim. I've never found one and actually never heard of one reported in the wild.

    As for the article: Online Banking has worked perfectly fine the last years.... At least for me :-) It needs no saving...

  • Re:Convenience? (Score:3, Insightful)

    by HeavyD14 (898751) on Thursday March 25, 2010 @07:14PM (#31619934) Homepage
    I don't think its a question of difficulty. It would be a total pain in the rear if I had to reboot every time I wanted to get on my bank's website. Or do I keep a dedicated bank terminal ready to got at any instant?
  • Re:Reply (Score:5, Insightful)

    by GIL_Dude (850471) on Thursday March 25, 2010 @07:18PM (#31619970) Homepage
    I guess for those people who shut down their computers more than once a day it would be fine. For those of us who reboot about once a month and use sleep / resume the rest of the time it is a terrible idea to be rebooting all the time to do banking (maybe twice a day sometimes, but at least a couple of times a week). Why would anyone want to put up with that? Even for folks willing to accept it, the bank would inevitably get a smattering of "the wireless doesn't work on my netbook" or something (even though Ubuntu live CD's are pretty good about support they can't manage to support every device). I would be more accepting of a VM or something though than a live CD for my own use.
  • Re:Reply (Score:2, Insightful)

    by Anonymous Coward on Thursday March 25, 2010 @07:25PM (#31620050)

    I believe you, obviously a technical person, are free to set up a VM.

    However, Joe Average won't care to setup or purchase a VM for his current operating system, but will settle for rebooting and losing maybe 30s of productivity for it.

  • Re:Reply (Score:5, Insightful)

    by Khyber (864651) <techkitsune@gmail.com> on Thursday March 25, 2010 @07:29PM (#31620108) Homepage Journal

    "Gives the user something physical to insert"

    Except the netbook owners, whom have no optical drive.

  • Re:Convenience? (Score:5, Insightful)

    by tpstigers (1075021) on Thursday March 25, 2010 @07:30PM (#31620122)
    Actually, 98% of the population will only shy away from something like this is they're told what the process actually is. If they are told rather that it's their "Personal Online Banking Disc", and are then given instructions to walk them through the process, most people will happily buy into it. Most people wouldn't hesitate to install an app for this purpose, so the Live CD just needs to be marketed properly.
  • Theory vs. Reality (Score:5, Insightful)

    by DaMattster (977781) on Thursday March 25, 2010 @07:36PM (#31620186)
    In theory it is a fantastic idea to promote security and virtually prevent problems. In reality, here is what you face: 1. User inertia to do this because it removes some of the convenience of online banking. Maybe Joe and Jane Smith who would be using this would be less savvy than your average computer user and still find a way to bungle things up despite this being totally sandboxed. 2. The fact that this is openly downloadable - Criminal networks can now simply obtain CNL's distro and systematically look for a weakness. A weakness with Linux is generally in order of magnitudes harder to find than Windows. It might work if, you have a system where you must be a customer of the bank and the distro you download comes with a unique certificate tied to your identity. But the reality of online banking is that it is an inherrent security risk. But even then, it is not quite perfect.
  • Re:BIOS (Score:4, Insightful)

    by jawtheshark (198669) * <slashdotNO@SPAMjawtheshark.com> on Thursday March 25, 2010 @07:37PM (#31620190) Homepage Journal

    Gateway sells a $49 netbook

    ...

    Gateway LT2016u (Verizon Wireless)

    I think so too, the grandparent has some issues with reading comprehension ;-)

  • by GreyLurk (35139) on Thursday March 25, 2010 @07:41PM (#31620230) Homepage Journal

    Sure, but who's likely to sit down and download 100mb worth of patches each time they want to check their BofA account balance?

  • Online banking? (Score:1, Insightful)

    by Anonymous Coward on Thursday March 25, 2010 @07:47PM (#31620282)

    Since when does online banking need saving?

  • Re:Convenience? (Score:2, Insightful)

    by Anonymous Coward on Thursday March 25, 2010 @08:30PM (#31620682)

    And even fewer systems are set to automatically set to boot from CD automatically, and the options to change it are usually located in the BIOS.

    Would YOU want to be their tech support guy, who would have to know how to modify the boot order on every model and make of PC or Mac that was built in the past 10 years? And heaven forbid getting a customer sets the boot order wrong, and then they can't get back into Windows when they remove the boot CD. You know damn well that they'll blame you for "breaking their computer".

  • Re:Reply (Score:4, Insightful)

    by h4rr4r (612664) on Thursday March 25, 2010 @08:40PM (#31620766)

    Bullshit, the infected host just watches the guests network traffic to see when it goes to mybank.com.

    VM guests are not secure from the host.

  • Re:Why use Ubuntu? (Score:2, Insightful)

    by h4rr4r (612664) on Thursday March 25, 2010 @08:43PM (#31620790)

    For Vista or Windows 7 users with adequate security, I think it is possibly less necessary.

    You don't pay much attention to the news do you?

  • FFS (Score:4, Insightful)

    by foo fighter (151863) on Thursday March 25, 2010 @08:43PM (#31620792) Homepage

    If you are going to go to the expense of creating and distributing physical media, just implement two-factor authentication.

    SECURITY NERD RAGE! RAUGH!

    In my opinion, pressing a little button on your bank-branded, credit card-sized PIN generator (such as the ones I have from Bank of America and PayPal/eBay) you keep in your wallet next to your credit cards and ID is waaaay easier than trying to remember what bullshit answer I gave to yet another off the wall "security" question. It's clearly much more secure.

  • Re:Reply (Score:4, Insightful)

    by Cyberax (705495) on Thursday March 25, 2010 @08:48PM (#31620848)

    All banking sites use HTTPS. So simple traffic listening won't help you.

    You'll need to do man-in-the-middle attack, and that's not simple. On Windows you'll have to do it in the kernel level, probably even below the TDI. Doable, but extremely hard.

  • Re:Reply (Score:3, Insightful)

    by Dhalka226 (559740) on Thursday March 25, 2010 @10:03PM (#31621386)
    Well, so what? Just because it doesn't solve every possible problem for all possible users doesn't mean it's not worth doing.
  • Re:Reply (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Thursday March 25, 2010 @10:09PM (#31621414) Journal
    If you can't trust the client, a VM is of limited use(not zero use, the union of "the set of machines with malicious Browser Helper Objects that steal banking credentials" and "the set of machines with keyloggers" is almost certainly larger than "the set of machines with keyloggers"); but once a home user box is 0wned, there is very little stopping malware#1 from inviting malwares#2-#N as the situation dictates.

    At some point, at least for banks and accounts with real money in them, it will become economic to ship dedicated appliances and skip the LiveCD/reboot/hardware incompatible/etc problem entirely. There are several possibilities: Imagine, for instance, something like the Beagleboard [beagleboard.org], but stripped down(no need for that fancy CPU or most of the I/O, something cheaper can load the bank website), and locked down: sealed in a tamper evident plastic box, CPU has on die verification of the bootloader, bootloader will only load signed system image, etc. All that tivoization stuff that gets the Trusted Computing Group excited. Should be under $100, possibly even under $50, in reasonable volume and nigh impossible to crack by software means(and hard to crack by hardware means without the target noticing. It doesn't really matter much if some hobbyist manages to crack his own, with prolonged physical access, that is his business). Just plug in a monitor, ethernet cable, keyboard, and mouse, and away you go.

    For the terminally clueless(no pun intended), for whom peripheral hookup is a bit daunting, there would be nothing stopping you from charging a touch more and shipping a whole netbook. Even full x86 netbooks can be found at ~$200 with fair frequency, and nasty little PDA-in-a-netbook's-body offerings have been under $100 for a while now.

    If even networking is too much of a challenge, you could go the Amazon route of baking in cell access: with proper caching and/or the use of a dedicated application preloaded on the client, the amount of data transfer for most people's banking needs would be tiny(and banks love adding monthly fees, so I'm sure they could find some way to recover the cost).
  • Re:Reply (Score:2, Insightful)

    by ToasterMonkey (467067) on Thursday March 25, 2010 @10:46PM (#31621746) Homepage

    what a croc. I tried sleep/resume on both linux and windows vista and in both cases there were sometimes issues, and when it DID work, it took just as long to reach a useable state as just cold-booting in the first place. What a useless piece of crap idea that is...

    Either boot your pc normally or use a sometimes iffy mechanism that takes just as long...

    Usually when people refer to using sleep/hibernate as a reliable and quicker alternative to booting, the Mac is implied.

    Just sayin...

  • Re:Reply (Score:3, Insightful)

    by hairyfeet (841228) <.bassbeast1968. .at. .gmail.com.> on Thursday March 25, 2010 @11:22PM (#31621946) Journal

    The problem with this idea is it is gonna be a nightmare for support. Lets be honest folks..while Ubuntu and other Linux distros have come a loooong way on hardware support, there is still an assload of funky cheapo hardware out there that Linux isn't gonna work well with, and the kind of folks that would require this kind of help certainly aren't gonna be technical enough to run a bunch of CLI crap to get their cheap ass wireless card or other cheap shit to go. How well does Ubuntu support those funky SiS chipsets and GPUs? How about all those shitty wireless cards in the $299 best buy specials? And don't forget you are also gonna have customers running old shit, like those Ali and other off brand chips.

    This idea might be fine if we were talking about at least some sort of standardized hardware, but we ain't. Trust me, as a PC repairman I see all the time huge amounts of cheap ass, funky ass, WTF were they thinking Chinese junk cross my desk ALL the time. Hell getting some of that crap to work in Windows can be a royal PITA, especially the cheapo junk laptops that everybody seems to be buying nowadays. I can't even imagine what a royal PITA nightmare from hell supporting all those funky configs with a Live Ubuntu CD is gonna be like.

  • by slashbart (316113) on Friday March 26, 2010 @03:26AM (#31623060) Homepage
    My Dutch bank ING uses my cellphone for authorization of transactions or changes online. I can log in and view my account data with just a password, so that might get compromised, but for a transaction or for instance changing over to a new cellphone number, I need a transaction number that is being sms-ed to the cellphone.
    My other Dutch bank ABN/AMRO uses some kind of calculator thingy that provides a transaction number based on a value you receive from the banks webpage.
    The same ING bank also provides a very simple system where you have a sheet of paper with transaction numbers, and the webpage just asks you for your next TAN code.

    What do all these have in common? Right, a separate transaction authorization outside the browser. How hard is that?

  • Re:Reply (Score:5, Insightful)

    by rabiddeity (941737) on Friday March 26, 2010 @03:44AM (#31623140) Homepage

    >USB drive then?

    If you're going to do that, then you might as well just make an intelligent crypto token that generates a sequence of numbers according to some known algorithm. The device should have a set of buttons (akin to a small PIN pad) where the user enters a known sequence of buttons on the device itself. Online bank software either queries the device directly as USB (which may introduce other security issues) or has the user enter a set of numbers from an onboard display, in addition to their username and password. A single PIN entry allows a single login session. For extra security have the user press a "confirm" button on the device and perform another verification every time money is transferred or other sensitive operations take place.

    Prevents access via software keyloggers, because the buttons are on the device itself. Provides two-factor authentication, making phishing attacks a little bit tougher if done correctly. Should be reasonably cheap. And it's a lot more convenient than booting into another OS to do your banking.

There are never any bugs you haven't found yet.

Working...