
Ditch Windows for Online Banking

<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Oct 14, 2009 1:17 pm

Ditch Windows for Online Banking

Wow... I read this and cannot figure out what this guy's argument is. I think he wants everyone to boot up a LiveCD every time they do banking. And not use the LiveCD for email, and to ignore ALL banking-related emails received.

Seems like a hassle to me, despite him saying it's quick and simple.

What happens when you receive a legit bank email? Print it off, boot to your live environment and follow the instructions?

Not to mention you'll be behind on patches/updates every time you go to boot into your livecd.

Anyway, here's a link to the article I'm ranting about:
Time To Ditch Windows for Online Banking and Shopping

Seems like it'd be easier to provide some more education than to jump through hoops....
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Wed Oct 14, 2009 3:25 pm

Re: Ditch Windows for Online Banking

A bit knee-jerk and idealistic really.

It's not really going to happen in the real world, is it? Also, most people who suffer from fraud and phishing and other similar attacks are the less computer literate.

Expecting them to know how to create a live CD, boot from it, assign IPs, connect to wireless printers etc. etc. would be a total nightmare.

Improve education and awareness, and cross your fingers I say.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Oct 14, 2009 3:40 pm

Re: Ditch Windows for Online Banking

This is definitely a bizarre way of dealing with the problem.  I think that it goes into the same basket as creating silly laws to make up for lack of parenting.  Whatever happened to educating people?
~~~~~~~~~~~~~~
Ketchup
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Oct 14, 2009 4:26 pm

Re: Ditch Windows for Online Banking

I've seen several similar ideas lately. Including making a clean image virtual machine, and destroying the instance you run every time you surf the web. That way you're always loading a copy of the clean image. (a co-worker actually does this at home).

I have to agree education is an issue, but the question is where do you go to do the education? My mom and step dad (until I forced them to use Linux) were having to have their computer rebuilt every few weeks. Trojans, viruses and the like. Neither one will ever take a class, because they know how to turn the computer on and surf the web. They don't see the point in having to take one. It's not like a person needs a license to hit the "information super-highway".

I think the point the author was trying to make was, if you're using a clean distro (which you kind of lose with a persistent usb key like he suggested), you don't have to be worried about software key loggers and the like. If you don't use the same time to do banking and email you don't have to worry about being phished.

While I see its merits, I just don't see it happening on a regular basis.
OSWP, Sec+
<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Oct 14, 2009 10:51 pm

Re: Ditch Windows for Online Banking

A guy in my DefCon group does this and it is surprisingly less painful than I would have thought. He leaves the CD in the tray and keeps an IronKey if he needs to copy anything off of it. He uses a netbook that he takes with him.

I think the real drawback is being too lazy to do it (me).
twitter.com/timmedin | http://blog.securitywhole.com
<<

Midnight

Newbie

Posts: 1

Joined: Tue Mar 16, 2010 11:27 pm

Post Wed Mar 17, 2010 12:07 am

Re: Ditch Windows for Online Banking

While this method is 'safe', I agree that it's outside most people's ability and/or desire. As the 'computer guy' to my friends and family, I found that suggesting they research what phishing is and following some basic steps was enough to significantly cut back on their risks. Education is up to the individual in most cases.
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Mar 17, 2010 5:15 am

Re: Ditch Windows for Online Banking

hmm...seems a little bit paranoid to do this every time you go online to do banking business. i know it's the most secure way, but that's like hunting for the perfect security. the factor of convenience influences the security risk factor. what this guy is recommending is like if you want the lowest form of security risk it is recommended to not go online...
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Wed Mar 17, 2010 6:17 am

Re: Ditch Windows for Online Banking

Nice idea but not very realistic for the average user. This is trying to put a band-aid on a gaping wound which the banks and finance companies should be coming up with more secure ways to confirm users' identities in the first place.

If the full burden of the financial loss was placed on the financial institutions, rather than the customer and merchant, they'd work out a way to secure the transaction.

Until that time, banks don't care and the bad guys will keep stealing money and identities.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Mar 17, 2010 7:32 am

Re: Ditch Windows for Online Banking

Way too painful.  To me, rather than a bootable distro, I'd prefer to just have a tightly locked down full Linux box to do my online banking.  With the advent (the past few years) of AppArmor and other security measures within many Linux distros, I feel comfortable with using my primary box to do my banking.

Note - I don't do it 'regularly', but rather, occasionally, out of no need for 'regular' online activity.  But I'm still not that concerned. 

I do agree, also, that the banking companies and such have a lot of responsibility to deal with, in regards to online banking, etc, and they need to focus on ways to better secure and protect their customers' investments and finances.  I have many friends in IT, within banking companies, and all of them agree to this, even when many admit their organizations still have a long way to go.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Mar 17, 2010 12:10 pm

Re: Ditch Windows for Online Banking

You have to remember how this came about. There was a lot of phishing and Zeus bot emails going around.

After seeing Zeus and others being a regular segment on HNNCast, Krebs on Security and a few other places, I've rethought this some, and I do think it's a good idea. As others have pointed out, this is only a band-aid for a much larger problem, but it's all we have until we can force other people to fix the problem.
OSWP, Sec+
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Mar 17, 2010 3:04 pm

Re: Ditch Windows for Online Banking

i remember a great story in which i am the main character:

i didn't pay a single bill in over a month just because my bank changed the visual appearance of the website and i was too scared to log in because i thought something was phishy (little spelling joke) :-[
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

robbk

Newbie

Posts: 7

Joined: Thu Apr 02, 2009 7:16 am

Post Wed Mar 17, 2010 3:12 pm

Re: Ditch Windows for Online Banking

A liveCD only stops one vector of theft, and not necessarily the most successful one.  The wonderful thing (for a thief) about phishing attacks is they're largely platform- and browser-independent.

I don't claim to know the magic bullet to fix the issue, but I suspect it will require a combination of end user education, increasing responsibility on the banks to validate users, and technological improvements from the operating system and browsers that are in use. 
<<

Knb15

Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Thu Mar 18, 2010 12:12 am

Re: Ditch Windows for Online Banking

To add to this, I agree that education is a big problem. By that, I don't mean that you need schooling, or to get certified in a field to know how to protect yourself. Being aware when you are online, knowing what not to click on or what not to open is a huge start.

Someone came to me with a story a week ago that I couldn't believe. The person received an email from someone claiming they were Bank of America, asking for all her personal data, account number, passwords, uncle's middle name, mother's maiden name, I mean you name it... and guess what? Yeah... she clicked reply and sent all the information to the thief. Needless to say, the next morning she had a huge headache trying to fix all the crap the perpetrators did with her account information.

You would think that people would be smarter these days, right? Wrong... this woman is a very educated person, but knows diddly about computers... except to turn it on, write on Word, send emails, and surf websites.

A little research and knowledge can go a long way.
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Mar 18, 2010 7:28 am

Re: Ditch Windows for Online Banking

Knb15 wrote: Someone came to me with a story a week ago that I couldn't believe. The person received an email from someone claiming they were Bank of America, asking for all her personal data, account number, passwords, uncle's middle name, mother's maiden name, I mean you name it... and guess what? Yeah... she clicked reply and sent all the information to the thief.

You would think that people would be smarter these days right?


Actually, that's how social engineering works. It's not that they're not smarter. It's that they have the deep down need to be helpful. The reason phishing attacks like that are successful relies on them wanting to be helpful. They just don't think to be skeptical.

The point of using the Live CD isn't so much to avoid phishing, but to avoid information stealing malware.

Granted, phishing is the bigger successful attack vector, but from the news (at least the news I see), phishing isn't the thing in all the headlines. It's usually "Company lost X million dollars due to having malware on computer."
OSWP, Sec+
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Mar 19, 2010 9:28 am

Re: Ditch Windows for Online Banking

Awareness would be one of the main factors here which can help. However, implementing such a LiveCD seems not to be a solution at all, in my opinion, as it does not really tackle the problem.