Abit knee jerk and idealistic really.

Its not really going to happen in the real world is it, also most people who suffer from fraud and phishing and other similar attacks are the less computer literate.

Expecting them to know how to create a live cd boot from it, assign IPs, connect to wireless printers etc etc would be a total nightmare.

Improve education and awareness, and cross your fingers I say.

I've seen several similar ideas lately. Including making a clean image virtual machine, and destroying the instance you run every time you surf the web. That way you're always loading a copy of the clean image. (a co-worker actually does this at home).

I have to agree education is an issue, but the question is where do you go to do the education? My mom and step dad (until I forced them to use Linux) were having to have their computer rebuilt every few weeks. Trojans, viruses and the like. Neither one will ever take a class, because they know how to turn the computer on and surf the web. They don't see the point in having to take one. It's not like a person needs a license to hit the "information super-highway"

I think the point the author was trying to make was, if you're using a clean distro (which you kind of lose with a persistent usb key like he suggested), you don't have to be worried about software key loggers and the like. If you don't use the same time to do banking and email you don't have to worry about being phished.

While I see it's merits, I just don't see it happening on a regular basis.

While this method is 'safe', i agree that its outside most peoples ability and/or desire. As the 'computer guy' to my friends and family, I found that suggesting they research what phishing is and following some basic steps was enough to significantly cut back on their risks. Education is up to the individual in most cases.

Nice idea but not very realistic for the average user. This is trying to put a band-aid on a gaping wound which the banks and finance companies should be coming up with more secure ways to confirm users' identities in the first place.

If the full burden of the financial lost was placed on the financial institutions, rather than the customer and merchant, they'd work out a way to secure the transaction.

Until that time, banks don't care and the bad guys will keep stealing money and identities.

You have to remember how this came about. There was a lot of phishing and zeus bot emails going around.

After seeing Zeus and others being a regular segment on HNNCast, Kerbs on Security and a few other places, I've rethought this some, and I do think it's a good idea. As others have pointed out, this is only a band-aid for a much larger problem, but it's all we have until we can force other people to fix the problem.

A liveCD only stops one vector of theft, and not necessarily the most sucessful one.  The wonderful thing (for a thief) about phishing attacks is they're largely platform- and browser-independant. 

I don't claim to know the magic bullet to fix the issue, but I suspect it will require a combination of end user education, increasing responsibility on the banks to validate users, and technological improvements from the operating system and browsers that are in use. 

Actually, that's how social engineering works. It's not that they're not smarter. It's that they have the deep down need to be helpful. The reason phishing attacks like that are successful relies on them wanting to be helpful. They just don't think to be skeptical.

The point of using the Live CD isn't so much to avoid phishing, but to avoid information stealing malware.

Granted the phishing is the bigger successful attack vector, but from the news (at least the news I see), phishing isn't the thing in all the head lines. It's usually Company lost X million Dollars due to having malware on computer.