Can Ubuntu Save Online Banking?

CWmike writes with a pointer to this ComputerWorld mention of an interesting application of Live CDs, courtesy of Florida-based regional bank CNL: "Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is seriously considering making available free Ubuntu bootable 'live CD' discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL's Web site. 'Everything you need to do will be sandboxed within that CD,' [CNL CIO Jay McLaughlin] says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking." (But what if someone slips in a stack of doctored disks?)

Re:BIOS

[hipp5]

One of the major Canadian banks (RBC) was actually giving away netbooks (eeePC 700 I believe) a little while back (to those who switched to them). With that in mind this suggestion doesn't seem that crazy. In reality, you wouldn't even need a full netbook. A small screen, minimal keyboard, network card, and very small SD card would do. Some people might even be willing to pay $100 for them if it meant they could feel safe in their online banking.

Re:Reply

[Anonymous Coward]

Then boot the live cd in a VM... Jeez...

Re:Reply

[MaskedSlacker]

USB drive then?

Re:Why uses a PC to do banking?

[MaskedSlacker]

The point of the LiveCD is that there it is rather difficult for hackers to compromise (owing to the physical, unalterable nature of the disk image). It has nothing to do with obscurity--the point is that each time they boot a verified, trusted disk image and then go straight to the bank's website--without a keylogger in the motherboard there aren't really any useful attack vectors.

Re:Behavior change

[anarche]

Yep, security could be enforced if we made people walk into a bank with two forms of photo-id before they could do anything....

Re:Reply

[obarthelemy]

I'm wondering: If I'm running WIndows, and setup the bank's Linux in a VM, am I still vulnerable to windows's trojans and keyloggers ? I would guess Yes, because keystrokes go WIndows -> VM manager -> Linux VM ? Or not ?

The disk is a token? and etc. vs et al.

[gumbi west]

You could use token authentication and just allow the disk to keep a cookie that logs them in with minimal interaction (either nothing or a short password like their pin).

Also, just thought you might like to know... Et al. is short for et alii and translates literally as, "with others." etc. is short for et cetera and translates roughly as, "with other objects". There is a people/things distinction. So if the other stuff is people, "et al." and if the other stuff is things, "etc.".

Re:Reply

[selven]

A VM is just a program, so any keystrokes will be sent to both the VM and whatever other program feels like it needs them. What you won't have, however, is contextual information - it's not as easy to tell when you're typing in a password in the VM from the host.

Re:Reply

[h4rr4r]

You do realize that all Virtual Machine guests are not secure from the host right? or that it would be trivial to screencap/input capture the guest?

Re:Technical problem

[Anonymous Coward]

I've gotten viruses from embedded PDFs in youtube comments.

I call bullshit.

Re:Reply

[Runaway1956]

This is rated "funny" - but it's really not. I read a story about a credit union, in Texas I think, that found a bunch of CD's had been distributed to customers. The label claimed that they were distributed by the credit union, and that they contained software with which to securely connect to the bank. And, of course, the contents were just a trojan.

I kind of thought the story was covered here on slashdot, but I could be wrong.

Ahhhh - here we go. Someone tried to pass it off as "pentesting" in the slashdot story:
http://it.slashdot.org/story/09/08/27/2331201/Hackers-Or-Pen-Testers-Hit-Credit-Unions-With-Malware-On-CD?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+(Slashdot) [slashdot.org]

Re:Reply

[h4rr4r]

Damn, you are dumb.
You listen for the host to talk to the website, then you record keyboard input and do a screencap for good measure.

Re:Reply

[Anonymous Coward]

Go the other way. Run Windows in VirtualBox under Ubuntu, then do your online banking in Ubuntu's Firefox. A keylogger or virus running in Windows cannot see the keystrokes in Ubuntu.

I actually wrote the author of a keylogger to ask if his product would see the keystrokes in Ubuntu. His reply was no, it could not.

Re:Why uses a PC to do banking?

[fuzzyfuzzyfungus]

Aside from "branded consumer experiences" and all that stuff that gets the marketing guys excited, the one reason to make the disks bank-specific is that it makes security a lot easier.

If all the disk has to do is go to https://mybank.com/ [mybank.com] you can do all sorts of draconian but secure stuff: Disable loading any non-SSL page or element. Trust only your own cert/CA. Remove any option to approve an exception. Configure the firewall to block any and all traffic that isn't either a DNS(SEC, preferably) lookup for mybank.com, or communication between the host and mybank.com

If you have to coordinate between a bunch of banks, things get harder. Either you take on a big institutional verification task, enrolling reputable banks in your list of trusted sites and cert/CAs, and hopefully not having some front group sneak one in there for some XSS action, or you throw up your hands and just build a generic "browser liveCD".

The generic browser liveCD is still a good bit safer than Joe user's computer, since it needn't be a general purpose machine, or capable of running Limewire, or have every infection picked up in two years of browsing(since the max lifespan of a liveCD session will probably be a few hours); but it is still substantially less safe than a dedicated one. If there are any available exploits for the browser used, the user has a nonzero chance of picking one up while poking around and having it still resident if they bank after doing that, and before rebooting. There would also be the basic issue of cross site/cross tab stuff. Exploits of those sorts of flavors are discovered all the time. If you give up on the goal of having a general-purpose browser, you can neutralize most of them without even discovering them or patching the browser. If your browser has to be general purpose, you have to do the security the hard way.

Re:Reply

[bflong]

DNS is not encrypted. All they would have to do is record the dns requests and they would know when you are looking at mybank.com.

Re:Reply

[assassinator42]

No, they'll still be unencrypted. DNSSEC just signs the data so you know it hasn't been tampered with.

remastering the image

[viralMeme]

Among the several distinct ways to alter Knoppix, the one likely to be of broadest interest is remastering [ibm.com], during which you can substitute your own software for a portion of that on the standard Knoppix CD-ROM

Re:Reply

[Anonymous Coward]

DNS? Even a https connection won't encrypt the IP address the packets are sent to.

If it did, no router would know where to send it.