The Ethical Hacker Network - Ditch Windows for Online Banking

chrisj

Hero Member

Offline

Posts: 1163

Re: Ditch Windows for Online Banking

« Reply #15 on: March 19, 2010, 11:30:14 AM »

Quote from: awesec on March 19, 2010, 09:28:11 AM

Awareness would be one of the main factors here which can help. However, implementing such a LiveCD seems not to be a solution at all, in my opinion, as it does not really tackle the problem down.

Actually it attacks 1 of the 2 problems.

Problem 1: social engineering

Problem 2: user's machine is infected with account stealing malware.

By using the live cd, you have a clean Read Only OS every time you do banking, thus bypassing the second problem


	Logged

OSWP, Sec+

UNIX

Hero Member

Offline

Posts: 1235

Re: Ditch Windows for Online Banking

« Reply #16 on: March 20, 2010, 08:42:53 AM »

Sure, it would be an solution, but not a very good one in my opinion. How would you introduce this into the world with so many people with no computer knowledge at all? It might work, yes, but this can't be the solution to the actual problems associated with online banking.


	Logged

chrisj

Hero Member

Offline

Posts: 1163

Re: Ditch Windows for Online Banking

« Reply #17 on: March 20, 2010, 10:27:57 AM »

I don't think it's meant to be a solution. I believe it's meant to be a stop gap to slow down the actual problem until real solutions can be found.

As for people not having computer skills. Live-CDs are pretty easy and don't take much skill to use.


	Logged

OSWP, Sec+

pizza1337

Full Member

Offline

Posts: 156

Resource is Power.

Re: Ditch Windows for Online Banking

« Reply #18 on: March 20, 2010, 11:39:03 AM »

Here is what i thought when i was taking a shower Grin

There should be a mode that comes with your OS, when you boot, you can press F8 or some other key.. It gives you list of modes you choose * Mode. The mode will run few essential programs
Before it loads all the files, it checks file hash, with more than one type of hashing
for example, it checks the file with MD5 and then it checks it with SHA,
If all files are correct then it boots,
else, it asks you to put in a CD or USB drive containing the file that will match the hash.

I don't know if this is possible, and i don't know where you would store the list of correct hashes securely so no one can change them. thats for OS devs to figure out Wink


	Logged

~~Knowledge~~ Resource is Power.

chrisj

Hero Member

Offline

Posts: 1163

Re: Ditch Windows for Online Banking

« Reply #19 on: March 20, 2010, 01:33:30 PM »

Quote from: pizza1337 on March 20, 2010, 11:39:03 AM

Here is what i thought when i was taking a shower Grin

You'd have to trust the users to back up the files, which would require a full backup. And they'd have to do it each time they patched the system or installed new software. The user would also want to keep backups over time, in case the user went a while between checks.


	Logged

OSWP, Sec+

hayabusa

Hero Member

Offline

Posts: 1633

Re: Ditch Windows for Online Banking

« Reply #20 on: March 21, 2010, 07:27:40 AM »

Quote from: chrisj on March 20, 2010, 01:33:30 PM

Quote from: pizza1337 on March 20, 2010, 11:39:03 AM

Here is what i thought when i was taking a shower Grin

Agreed with chrisj... Anymore, you simply cannot rely on end-users to do things, especially where they fall into the realm of security. Education is good, and NEEDS to happen, but in the end, with a topic like online banking, the customer base is so large, that the fix really needs to come on the backend. And there's not going to be an easy way to handle that.

Like I said before, personally, I'd use a solid Linux distro for my banking, but that's MY effort to protect MYSELF. Still does nothing for the community of users, at large.

You'd have to trust the users to back up the files, which would require a full backup. And they'd have to do it each time they patched the system or installed new software. The user would also want to keep backups over time, in case the user went a while between checks.


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

j0rDy

Hero Member

Offline

Posts: 590

Re: Ditch Windows for Online Banking

« Reply #21 on: March 22, 2010, 04:18:04 AM »

Quote from: pizza1337 on March 20, 2010, 11:39:03 AM

Here is what i thought when i was taking a shower Grin

how about a live OS function in the existing OS? just press some function key and it will boot in memory mode, nothing will be saved, just like a live cd.


	Logged

ISC2 Associate, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

hayabusa

Hero Member

Offline

Posts: 1633

Re: Ditch Windows for Online Banking

« Reply #22 on: March 22, 2010, 05:28:20 AM »

So what you're thinking about is some sort of virtualized (and sandboxed) OS. You could perhaps use something like a VMWare ThinApp-created internet browser, with a sandboxed memory and storage location. There are numerous possibilities. The issue in question, here, however, is that the general public still wouldn't have access to this, and it could potentially cost the bank or organization a lot of money to implement something with rights / licenses for so many customers / users.

There are MANY good ideas, but ultimately, in the end, there needs to be some better way of ensuring security, from the backend, for this to be truly cost-effective, while remaining a valid remedy. Otherwise, there's still risk, as too many unsuspecting / untrained customers WILL remain vulnerable.


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

j0rDy

Hero Member

Offline

Posts: 590

Re: Ditch Windows for Online Banking

« Reply #23 on: March 22, 2010, 07:19:36 AM »

you are absolutely right Hayabusa, but considered it takes two to communicate, you will need security on both ends. i doesnt matter how secure you make the banking server and the connection, if the user still takes no measueres to protect itself there will always be a weak link. as long as users put a vink at remember my password there will be a security breach...


	Logged

ISC2 Associate, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

chrisj

Hero Member

Offline

Posts: 1163

Re: Ditch Windows for Online Banking

« Reply #24 on: March 22, 2010, 10:16:35 AM »

It really comes down to a better authentication method than what exists today.

The problem with the current system is that it says "I have the information you requested here, there for I am allowed to use this account".

However if it gets too hard to use, people will stop using it or demand that it goes back to being less secure.


	Logged

OSWP, Sec+

Knb15

Jr. Member

Offline

Posts: 50

Re: Ditch Windows for Online Banking

« Reply #25 on: March 22, 2010, 02:34:05 PM »

In addition, whatever solution is put into place, it would have to be something that still works as fast or pretty close to how it works now.

If too much security is added in a way that users must do too much, and takes them a significant amount of time to do so, they won't use it.

People use online banking and other mechanisms available because they don't have much time to actually go to the bank, its more convenient. Put a system into place that takes them double the time to do their banking than what they are used to, and they won't use it anymore.

Is it worth going through more hoops in order to have a secure channel for online banking? If you ask me, yes. But again, it all comes down to the population at large.


	Logged

j0rDy

Hero Member

Offline

Posts: 590

Re: Ditch Windows for Online Banking

« Reply #26 on: March 23, 2010, 03:43:37 AM »

Quote from: chrisj on March 22, 2010, 10:16:35 AM

However if it gets too hard to use, people will stop using it or demand that it goes back to being less secure.

indeed, security and user friendly are two factors that are completly aligned against eachother. in this case it is necessary to find the ideal cross over rate of enough security to protect the user and still user friendly so they will use it.


	Logged

ISC2 Associate, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

pizza1337

Full Member

Offline

Posts: 156

Resource is Power.

Re: Ditch Windows for Online Banking

« Reply #27 on: March 25, 2010, 08:31:03 PM »

http://linux.slashdot.org/story/10/03/25/2350236/Can-Ubuntu-Save-Online-Banking?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+(Slashdot)

Here is another article, of course there are people who can't use live cd, or linux.


	Logged

~~Knowledge~~ Resource is Power.

Pages: 1 [2] Go Up

« previous next »