Washington Post Says Use Linux To Avoid Bank Fraud
christian.einfeldt writes "Washington Post Security Fix columnist Brian Krebs recommends that banking customers consider using a Linux LiveCD, rather than Microsoft Windows, to access their on-line banking. He tells a story of two businesses that lost $100K and $447K, respectively, when thieves — armed with malware on the company controller's PC — were able to intercept one of the controller's log-in codes, and then delay the controller from logging in. Krebs notes that he is not alone in recommending the use of non-Windows machines for banking; The Financial Services Information Sharing and Analysis Center, an industry group supported by some of the world's largest banks, recently issued guidelines urging businesses to carry out all online banking activities from 'a stand-alone, hardened, and completely locked down computer system from where regular e-mail and Web browsing [are] not possible.' Krebs concludes his article with a link to an earlier column in which he steps readers through the process of booting a Linux LiveCD to do their on-line banking." Police in Australia offer similar advice, according to an item sent in by reader The Mad Hatterz: "Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows."
To be safe... (Score:4, Informative)
Well, don't do online banking.
Or, use a totally separate computer to do online banking. Only use the web browser to access one's bank account.
Or look for those "freeze" type software, which makes the harddrive essentially read only.
Also, it doesn't hurt to check which processes you are running, and whether any of those are unusual.
Re:What about the banks? (Score:5, Informative)
The Commonwealth Bank in Australia (and probably many others) sends you a random code via SMS to your phone that you have to type back in to the site in order to transfer money to an account you've never transferred to before.
Re:What about the banks? (Score:1, Informative)
The attack described in the bank heists was two-factor. The login basically had them wait for another rolling code to enter, and in the wait period, the thieves stole the money. SNAP!
Re:What about the banks? (Score:5, Informative)
And asking me for my Mother's maiden name is really that much better? Or how about showing me an image that I picked out but will soon ignore after seeing that it never changes?
Those are both the same factor, just like a user's password.
Security factors are:
In order to qualify as "two factor", you must have two of those (no, having two of the same factor doesn't count.)
So passwords, personal question, and favourite image are all examples of "something you know", and don't represent two-factor authentication.
The Security-token would be an example of "something you have", and thus combining them with a password would be two-factor authentication.
Re:Non-random bits on LiveCD can compromise securi (Score:3, Informative)
Huh? Random number generators can be seeded with other data from your hardware, such as the system clock time, reading PCI devices, or some random data off your hard drive. Every single time you reboot your system clock has changed. If you have a hard drive, the data on there has probably changed too, so you can just read some information off the drive at the block level (you don't need to mount it). Every user who uses a live CD has different hardware.
The problem is trivial at best to solve. It may not be the absolutely perfect solution, and probably not good enough if you need a true random number generator, but good enough for this purpose. You definitely won't be in the same state every time you reboot (at the very least the time changed).
Re:terrible advice (Score:4, Informative)
Yes, because everyone else has patched the bug.. Microsoft hasn't. But if you're using a LiveCD from before they patched the bug, then you are no more protected than the bozos using IE5.
Re:What about the banks? (Score:5, Informative)
That's not two factor, it's one factor. It's something you know, in two parts. A key fob introduces something you have.
A big problem with what you described is that 40 images to choose from is like adding one more character to your password, allowing lowercase, numbers, and 4 other punctuation marks only.
It doesn't add much to security at all, in other words.
Re:What about the banks? (Score:3, Informative)
An SMS code sent to your phone is just a poor-man's RSA "rolling code" security token. The instant you begin to type that code on your keyboard, you've lost the battle again. The running malware can intercept the form submission attempt and then use the code you typed in to do whatever it wants while it delays or just fails your real login request. This isn't a theory, it's a proven fact that's already in use by malware in the wild.
It's possible to engineer that out. Instead of sending you a code to "authorise your login", which can then be stolen by the software, the bank sends you a code to authorise a *specific action* which has been requested (either by you or by the pwnage bot). The SMS would contain details of the requested transaction. That way, you get to view the details of the transaction *that was actually lodged*, rather than the transaction that you thought you were lodging, on a much more trustworthy interface.
The next step, I guess, would be Windows malware that attempts to compromise any phones that are connected to the PC so that the bad guys can somehow interfere with the bank SMSs at the phone end of the link. That would be significantly more challenging for the bad guys, though.
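The comment above argues for authorising a specific transaction rather than a login. The following Python is an added illustration of that design, not code from any bank or from the commenter: the bank derives a short code from the exact destination and amount it has on record and puts those details in the SMS, and the customer only types the code back if the SMS matches what they meant to send. The bank, phone inbox, secret and account numbers are all constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed demo secret held by the bank; the customer's phone is modelled as an inbox list.
BANK_SECRET = b"constructed-demo-secret-not-for-real-use"


def bound_code(secret: bytes, nonce: str, to_account: str, amount_cents: int) -> str:
    """6-digit code derived from the *specific* transfer, so it authorises nothing else."""
    msg = f"{nonce}|{to_account}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self) -> None:
        self.pending: Dict[str, Tuple[str, int]] = {}   # nonce -> (to_account, amount_cents)
        self.phone_inbox: List[str] = []                  # SMS messages delivered to the customer
        self.executed: List[Tuple[str, int]] = []

    def lodge(self, to_account: str, amount_cents: int) -> str:
        """Record the requested transfer and SMS a code that spells out its details."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (to_account, amount_cents)
        code = bound_code(BANK_SECRET, nonce, to_account, amount_cents)
        self.phone_inbox.append(
            f"Transfer {amount_cents / 100:.2f} to account {to_account}? Code: {code}"
        )
        return nonce

    def confirm(self, nonce: str, code: str) -> bool:
        """Execute the pending transfer only if the code matches the lodged details.

        The pending record is consumed on any attempt, so a wrong or replayed code
        forces the transfer to be lodged (and re-confirmed by SMS) again."""
        tx = self.pending.pop(nonce, None)
        if tx is None:
            return False
        expected = bound_code(BANK_SECRET, nonce, *tx)
        if not hmac.compare_digest(expected, code):
            return False
        self.executed.append(tx)
        return True


def customer_reads_sms(sms: str, intended_account: str, intended_cents: int) -> Optional[str]:
    """The trustworthy interface: compare the SMS details with the transfer you meant to make.

    Returns the code to type, or None if the lodged transaction is not the intended one."""
    m = re.match(r"Transfer (\d+\.\d{2}) to account (\S+)\? Code: (\d{6})", sms)
    if not m:
        return None
    amount_cents = round(float(m.group(1)) * 100)
    if m.group(2) != intended_account or amount_cents != intended_cents:
        return None  # details differ: refuse to type the code
    return m.group(3)


def run_scenario(tampered: bool) -> bool:
    """Customer intends to pay ACC-LANDLORD 500.00; if tampered, the PC lodges something else.

    Returns True if a transfer was executed."""
    bank = Bank()
    intended = ("ACC-LANDLORD", 50000)
    submitted = ("ACC-UNKNOWN", 447000) if tampered else intended   # constructed sample values
    nonce = bank.lodge(*submitted)
    code = customer_reads_sms(bank.phone_inbox[-1], *intended)
    if code is None:
        return False   # nothing typed, so there is no code to intercept and nothing executes
    return bank.confirm(nonce, code)


if __name__ == "__main__":
    print("honest PC, transfer executed:", run_scenario(False))
    print("altered request, transfer executed:", run_scenario(True))
```

Two properties carry the argument: the SMS shows what was actually lodged, and the code is useless for any transfer other than the one it was issued for, because the bank re-derives it from its own pending record rather than trusting anything the PC sends.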
Simple truths (Score:3, Informative)
Yes the title says it all.
We need to keep it simple people.
Facts:
1. Banks are keeping their costs down; they are not issuing hardware to all of their customers to generate one-time keys.
2. Most people (more than 90%) run windows.
3. The average user cannot be sure that their computer running a Microsoft OS has NOT been compromised in some way.
4. A Linux LiveCD is able to solve the problem.
Put the CD in, reboot the computer, open Firefox, type in the URL for the bank and enter your user name and password. Simple and secure. Reboot and you are back to Windows. Nothing stored, nothing cached, and nothing saved.
When I say simple and secure, I am talking real world Joe six-pack security. If you have decided to bank online you have already given up worrying about DNS poisoning, compromised routers, man-in-the-middle attacks. If you don't want to spend the money for a Mac or a new PC just for banking, a Linux Live CD is a great choice. Not to mention you know it is secure, because you can't infect a live CD.
Re:What about the banks? (Score:3, Informative)
The ING bank in NL uses three forms (mostly after fully incorporating the Postbank).
I should note that these are all for authorizing a transaction. Logging into your account still only requires a username and password. Should those be acquired by a malicious party somehow, they will be able to see your balance, your recent transactions (and if they see you always withdraw $200 from a specific ATM every tuesday at 10am, that's dangerous enough, tyvm), and change several settings including your password (but none of the transaction authorization methods).
So, transaction authorization then...
A. You go to complete the transaction and are presented with the challenge: some long-ish unique number. You whip out an annoying little calculator device that you have to stick a smart card into. You enter that number, and you get the response: another number. You enter that number into the website form and the transaction has been authorized. Problems with these things are rife, from not having the calculator on you, not having the card on you, the device being broken (be that dirty contacts or truly broken), etc.
It's relatively secure, of course, as they'd have to steal your card (the calculators are the same across all clients, of course)
B. TAN-by-phone. You go to complete the transaction, and are presented with just a form where you enter a TAN. At the same time, a text message with that TAN is sent to your phone, along with the amount total. The amount total is shown so that -if- at any point some sneaky man-in-the-middle managed to add a transaction to your session, you should be able to see that, and stop the transaction, notify your bank, etc. Anyway, if all is well, you enter the response, and you're done again. Problems with this might be not having your phone on you, or dead battery, no signal, no carrier, etc. etc.
C. TAN-by-list. You go to complete the transaction and are presented with a challenge, which is basically a number from 1-100, or 101-200 if you've already made more than 100 transactions, etc. Basically 3-digit, maybe 4 if you make transactions all day long. This number can be found on a printed list that was sent to you beforehand by secure mail. Just find the number, and read the TAN code next to it, and enter that. Done. No technological problems with this one, but obviously it does have the weakness that it includes 100 TAN numbers and, if compromised (photo, scan, etc.), can be used multiple times without your direct knowledge until it's too late.
Of all the systems, I very much prefer option C. If I don't want to carry around a piece of paper, I can even move the list over to my phone if I were so inclined (and incur the issues of option B, of course). Its weakness is also easily solved by rotating the look-up relative to the TANs. I.e. shift all the TAN codes by N, say 50. You get a challenge asking you for the TAN code listed by number 80. Those who have a copy of your list go to number 80, enter the value, and the bank tells them 'nuh-uh.. try again, 2 attempts left'. Good luck to them figuring out that they -really- should have been looking at number 80+50 = 130. 130-100 = 30.
This is easily -as- secure as the calculator+smart card, if not -more- secure, a lot less prone to problems both technological and logistical.
Sadly, I think the EU will be mandating the smart card route in the nearish future. So I'll have to carry another card around in my wallet (which is already a nice theft target, but where the f else do I keep it?), drag a calculator with me all the time especially if going abroad (what, you think a Highway 9 Motel is going to stock online banking calculators for dozens of nations? Maybe a Hilton or above might, as a free service included with $500/night rooms.), worry about batteries (I dunno why they haven't made them solar-fed yet; I used to find solar calculators in laundry detergent boxes in the late 80's!), keeping contacts clean, etc. etc.
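To make the TAN-by-list mechanics in option C concrete, here is an added Python model of the bank's side of a TAN sheet; it is not the bank's or the commenter's code. It implements the three checks a server needs for such a sheet: each TAN is accepted once, the challenge number is randomly chosen from the unused entries, and repeated wrong entries lock the sheet. It also implements the per-customer offset the comment describes (challenge 80 with shift 50 maps to sheet entry 30). The sheet contents are constructed deterministically so the example is reproducible; a real sheet would be random.

```python
import hmac
import secrets
from typing import List, Optional, Set


def make_sample_sheet(entries: int = 100) -> List[str]:
    """Constructed, deterministic stand-in for a printed sheet of 6-digit TANs (real ones are random)."""
    return [f"{(i * 7919) % 1_000_000:06d}" for i in range(entries)]


class TanList:
    """Server-side record of one customer's TAN sheet."""

    def __init__(self, tans: List[str], shift: int = 0, max_attempts: int = 3) -> None:
        self.tans = tans                  # tans[i] is printed next to number i + 1 on the sheet
        self.used: Set[int] = set()       # 0-based slots already consumed
        self.shift = shift                # per-customer offset, agreed out of band (constructed idea from the comment)
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False
        self.pending: Optional[int] = None   # challenge number currently shown to the customer

    def _slot(self, challenge: int) -> int:
        """Map the displayed challenge number onto the sheet, wrapping within the block."""
        block = len(self.tans)
        return (challenge - 1 + self.shift) % block

    def challenge(self) -> int:
        """Pick a sheet number whose underlying TAN has not been used yet."""
        candidates = [n for n in range(1, len(self.tans) + 1) if self._slot(n) not in self.used]
        if not candidates:
            raise RuntimeError("TAN sheet exhausted: a new sheet must be issued")
        self.pending = secrets.choice(candidates)
        return self.pending

    def verify(self, challenge: int, entered: str) -> bool:
        """Accept the TAN once; count failures and lock the sheet after too many."""
        if self.locked or challenge != self.pending:
            return False
        slot = self._slot(challenge)
        ok = slot not in self.used and hmac.compare_digest(self.tans[slot], entered)
        if ok:
            self.used.add(slot)
            self.failed = 0
            self.pending = None
        else:
            self.failed += 1
            if self.failed >= self.max_attempts:
                self.locked = True
        return ok


if __name__ == "__main__":
    sheet = make_sample_sheet()
    tl = TanList(sheet, shift=50)
    n = tl.challenge()
    print("challenge", n, "-> sheet entry", tl._slot(n) + 1)
    print("accepted:", tl.verify(n, sheet[tl._slot(n)]))
```

Note what the offset does and does not buy: someone holding a copy of the sheet and reading the printed entry fails the check until they learn the shift, but the lockout counter, not the offset, is what bounds their guessing, and every TAN on a copied sheet is still a valid secret once the shift is known.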
Re:Non-random bits on LiveCD can compromise securi (Score:2, Informative)
Not Linux. Randomness comes from the time (hardware, persistent), but also from the randomness of network traffic and other driver miscellanea such as HDD head seek times, mouse movements, keystrokes, CPU temperature data, electrical noise on the power supply (with the right hardware)...
If you start the LiveCD only to use online banking there isn't much time between the startup and the time you need randomness for a secret key. The question is whether there is enough time to gather sufficient entropy from the environment.
Others have suggested to seed with the current time, but that is easy to guess for an attacker. Netscape's original SSL implementation was broken because the PRNG used only the current time (in microseconds) and the PID as a random seed ([1], [2]).
[1]: http://marc.info/?l=bugtraq&m=87602167418753&w=2
[2]: http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html
Re:What about the banks? (Score:5, Informative)
As a victim of Identity Theft, I can tell you that banks and credit agencies just don't care. The bank writes off the loss due to fraud. The credit agency shrugs their shoulders at bad information in your credit file and tells *you* to fix it (while they happily go on reporting the bad information). In the case of stolen credit card numbers, the credit card company simply issues a new card and reverses the fraudulent charges. Meanwhile, the thief has their new television and the store is out a few thousand dollars.
In my case, the credit card company opened a line of credit for "me" even though the online application contained the wrong Mother's Maiden Name. I only found out about it because the thieves put in for a rush delivery of the card and *then* changed the address on the account. The card wound up at my house instead of their house/drop box/whatever. The incorrect maiden name and quick address change didn't set off any fraud alerts. Neither did "me" trying to get a $5,000 cash advance on the card prior to activating it. And when I called them about it, they refused to give me any information because "I might run out and kill the thief and then they're liable." They even gave the police department the runaround.
As I said, they just don't care. They'll do everything in their power to protect themselves. Even if protecting themselves in the short term means the identity thief gets away and commits more fraud against their business in the long term. In the end, you are only important to them insofar as how much green they can make off of you.
Re:What about the banks? (Score:3, Informative)
I had to click the one that was my image (this was rather than a sign in button).
The image you choose is used by Countrywide (BofA) to provide you with the verification that you are not signing into a phishing site, not as part of your login credentials.