NSW Police: Don't use Windows for internet banking

 

Cybercrime expert endorses Linux, iPhone when banking online.

Consumers wanting to safely connect to their internet banking service should use Linux or the Apple iPhone, according to a detective inspector from the NSW Police, who was giving evidence on behalf of the NSW Government at the public hearing into Cybercrime today in Sydney.

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online.

The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows.

"If you are using the internet for a commercial transaction, use a Linux boot up disk - such as Ubuntu or some of the other flavours. Puppylinux is a nice small distribution that boots up fairly quickly.

"It gives you an operating system which is perfectly clean and  operates only in the memory of the computer and is a perfectly safe way of doing internet banking," van der Graaf said.

The MPs listening to van der Graaf were enthusiastic about his suggestion but did not understand what he meant and asked for clarification.

"You may need to explain further for us," said one MP, while another responded, "yes, we need to understand that".

In response, van der Graaf explained what 'booting a computer' means and said that his recommended method guaranteed a "100 percent clean installation".

He further explained that the clean boot would bypass any infections on the system. "If you have an infected hard disk ... that won't be an issue," he said.
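The clean-boot method described above only helps if the boot disk is the one the distribution actually published, so a practitioner would verify the downloaded image before writing it to a CD or USB stick. The following POSIX shell script is an added example and is not from the article or the NSW Police evidence; the image and checksum file names, and the sample data the demo function builds to show a genuine image passing and a tampered one failing, are assumptions constructed for illustration. It checks the image against a SHA256SUMS-style file; verifying that file against the distribution's signing key is a separate step noted in the comments and not performed here, since it needs the key.

```shell
#!/bin/sh
# Added example: verify a downloaded live Linux image against the
# distribution's published SHA256SUMS file before writing it to boot media.
# Not from the iTnews article or the NSW Police evidence. File names and the
# sample data built by demo_verify are assumptions for illustration only.

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected digest for IMAGE's basename in a SHA256SUMS-style file
# ("<hex>  <name>" or "<hex> *<name>", one entry per line). Prints nothing if absent.
expected_digest() {
    awk -v name="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }
    ' "$2"
}

# verify_image IMAGE SUMSFILE -> returns 0 if the digests match, 1 otherwise.
# The checksum file should itself have been checked against the distribution's
# signing key first (e.g. gpg --verify SHA256SUMS.gpg SHA256SUMS); a checksum
# fetched from the same mirror as the image proves only that the download was
# not corrupted in transit, not that the mirror is honest.
verify_image() {
    image="$1"; sums="$2"
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 1; }
    [ -f "$sums" ]  || { echo "missing checksum file: $sums" >&2; return 1; }
    expected=$(expected_digest "$image" "$sums")
    [ -n "$expected" ] || { echo "no entry for $(basename "$image") in $sums" >&2; return 1; }
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches $sums"
        return 0
    fi
    echo "MISMATCH: $image (expected $expected, got $actual)" >&2
    return 1
}

# demo_verify builds a constructed stand-in image and checksum file in a temp
# directory, shows the genuine image passing, then appends one byte (as a
# remixed or corrupted ISO would differ) and shows it failing.
# Returns 0 only if both outcomes are as expected.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for puppy.iso\n' > "$tmp/puppy.iso"
    printf '%s  puppy.iso\n' "$(sha256_of "$tmp/puppy.iso")" > "$tmp/SHA256SUMS"
    verify_image "$tmp/puppy.iso" "$tmp/SHA256SUMS" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/puppy.iso"            # tamper with the image
    if verify_image "$tmp/puppy.iso" "$tmp/SHA256SUMS" 2>/dev/null; then
        rm -rf "$tmp"; return 1               # a tampered image must not pass
    fi
    rm -rf "$tmp"
    return 0
}

demo_verify
# Once a real image verifies, write it to the stick (device name is an assumption;
# check it with lsblk first, since dd will overwrite whatever you name):
#   dd if=puppy.iso of=/dev/sdX bs=4M conv=fsync
```

Booting the verified stick still runs the distribution's own kernel and browser from memory, which is the property the inspector described; it does not defend against a compromised firmware or a hardware keylogger, points the commenters below raise.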

Van der Graaf also mentioned the iPhone, which he called "quite safe" for internet banking.

"Another option is the Apple iPhone. It is only capable of running one process at a time so there is really no danger from infection," he said.

Van der Graaf said he mentioned the two alternatives to Windows because he was concerned about any future law that could require internet service providers or banks to check their users had protection before allowing them to connect.

"If you had a rule where ISPs would have to check for firewalls or that sort of thing, people using this safer system would not be able to do their internet banking. People using an iPhone, which is quite safe, would then not be able to do their internet banking," he added.

The hearing continues tomorrow when vendors including Microsoft and McAfee will make their presentations.


Comments: 64
steve 2.0
Oct 9, 2009 9:29 AM
This is all very well - but my bank's app (CommBank NetBank) fails 95% of the time when I use this 64-bit Linux (CentOS) machine. I have to load an XP virtual machine just to get in - and that never fails.
Photo_journ
Oct 9, 2009 9:38 AM
The security flaws in Windows and IE are well-known and it's encouraging to see someone telling it as it is.

No doubt the tech-savvy users, Microsoft, and to a lesser extent McAfee, will pounce onto this issue and lambaste the poor police inspector over his comments.

However, we're not talking about tech-savvy aware users here. We're talking about the risk posed to semi-literate computer users, ie, those who make up the bulk of users.

As demonstrated by the very questions coming from the politicians hearing the submission, those in charge of the standards are not as familiar as they could be with the terms, let alone technical issues, at play.

From a security standpoint Windows has always been a dog of an OS and while McAfee will say they can protect everyone if people buy their software, that is not the issue here.

The big computer attack on South Korea two months ago was a direct result of the poor standards used there and that country's almost total reliance on Windows and a system that excludes other OSs from eCommerce or ebanking access.

Congratulations to Detective Inspector Bruce van der Graaf for telling it as it is. One can only hope someone was listening. Well done ITNews for showing the lack of understanding by the panel listening too.

funkyg
Oct 9, 2009 10:24 AM
That is a great way to be as secure as possible when doing Internet banking. The excellent SecurityNow podcast discussed a similar thing a while back. Only trouble is nobody will do it as Internet banking is about convenience and booting into another OS is just not convenient.

The iPhone solution seems attractive (I am writing this on an iPhone) but I don't really share the security sentiments as there have already been various attacks against the iPhone essentially allowing the device to be taken over.

A possible compromise might be something like Sandboxie, which allows a sandboxed (secured) environment in Windows, combined with a browser installation that you don't use for anything else (maybe use Firefox as your main browser and Safari or Chrome for banking). There is probably still a danger of keystroke loggers so the banks would need to do something to create one time passwords at their end. This could be via a dongle or I guess SMS (though that isn't very secure either).

The good bit about this is apart from the extra validation step the whole thing could be made almost invisible to the customer and would therefore still be convenient.

Wouldn't it be great if the banks gave us a custom solution combining all these measures!
Sams
Oct 9, 2009 10:33 AM
A few notebooks and mobos are building in a small, ultra-fast booting Linux OS, presumably in firmware, that can be used for playing music, videos, quick browsing, etc. I suppose people could use this for safer online transactions. Might make a nice selling point for said hardware.
wjc
Oct 9, 2009 10:35 AM
STOP BLAMING THE USER!
GIVE US A HOME PINPAD - Just like at the supermarket or petrol station.

Yes - bootable ROM'ed LINUX, or even SELinux, good start - BUT - here we go again.
"Blame the customer for the problem and not the vendor!"
Let's get it right - a home PC is purchased for the purpose of safe and secure connection to the "information superhighway" (Remember that old term!).

Well, it is the responsibility of the manufacturer, vendor and system operator (e.g. banks, governments) to warrant and guarantee that the product is FIT FOR THE PURPOSE, just like car vendors are legally responsible to offer cars that meet the "Motor Vehicle Standards Act 1988" requirements.

The end-user of a home computer is NOT expected to be a computer expert nor should he or she be treated as such, just as a car driver is not a mechanic or mechanical engineer.

If Microsoft, for example, sells a product (e.g. Windows) that is offered as being suitable for connection to the Internet then it is simple - just like selling a car for safe driving on a highway - the product must be safe and secure and fit for that purpose as offered and at time of purchase.

BUT - it is really up to our elected politicians and governments to ensure that consumer protection is invoked and the product offered is fit for that purpose.

For that highly reliable and well accepted EFTPOS system in Australia, remember, we have that ubiquitous PINPad at the supermarket that enables end-to-end encryption IRRESPECTIVE of the connected application system, such as the cash register, etc.

SIMPLE - give us a PINPad for the home - with a "card present" transaction possible at all times and a trusted unit that is acceptable to the bank and to the home user alike, with a simple and now well understood interface.

So - let's STOP BLAMING THE END USER and blame the industry.

Let's get politicians and governments to live up to their responsibility of protecting society through proper regulation of the ICT industry - a long overdue need!
rumaer
Oct 9, 2009 11:05 AM
wjc - you are apparently unaware of the $150,000 scam perpetrated in Perth over the past 2 weeks using EFTPOS skimmers..

Your suggestions are worthy but there is no foolproof (good word) secure system: people will try to break into your house no matter how many locks you use and all you can do to deter them is by making it a bit harder so they go next door.. and certainly, if possible, don't have any windows..
affinity
Oct 9, 2009 12:50 PM
A number of points:

1. Apple is overrated for "security", as mentioned already, the iPhone has seen vulnerabilities already and I'm sure that ordinary Mac OSX users don't understand or realize that their systems can and will be potentially compromised -- Apple OS _may_ be safer, but the fact is, this is presently overrated and the risks are basically ignored today by most Apple users because they "believe" that Steve Jobs has given them the "perfect" computer;

2. The iPhone can run multiple processes, but not easily -- for instance you can use the media player and a different app, although it is harder (but not impossible) to run two "ordinary" apps.... that is just for starters. Jail broken iPhones are also another risk area, they can run multiple applications easily. The iPhone has also had a problem with deleted emails being "found" again through searching the device, the actual emails are not wiped correctly in some circumstances and the indexing that finds them was flawed;

3. McAfee or any other "security" product provider is always at risk of not having the latest data to protect the user; heck some data required to protect the user may be unavailable for quite some time or even never be discovered;

4. A Linux distro booting off a CD/DVD can become dated too quickly and when one distro is considered safe today, it might not be tomorrow. Are you going to download Puppy Linux every day that you want to do Internet banking?

5. Banks can and do provide extra features for authentication, including the simple use of SMS and also the much more secure device with a one-time key that is suitable for a very short period of time (like RSA SecurID); oh and some banks require you to enter passwords using a graphical keyboard that is different each time it is generated -- you need to use a mouse to select each key;

6. It is possible, but much harder to do technically, to compromise a computer at the BIOS level, in which case, the PC couldn't be considered secure at all.

7. Let's not forget the wireless keyboards either, they can pose a threat to those "listening" to keyboard output from a close proximity.

8. Simple addition of in-line keyboard loggers are also a possible threat (these are connected b/w the keyboard and the computer).

In a nutshell, you are only as secure as your weakest link and unless your PC is kept in a strong room without any external connections possible, then you are always going to be at risk. The safest Internet computer is one that never connects to the Internet at all, ever!

It is too simplistic to tell users to use Linux and even more simplistic to tell them to use an iPhone. Microsoft products can definitely be less secure, but that need not be the case if a machine is well set up and safe computing use is practiced religiously.

Having said all the above, it just may be true that using a Linux distro for Internet banking _might_ be more secure, but then again, it might not be for all sorts of reasons and I'm also very sure that my points above are not comprehensive either.
Sams
Oct 9, 2009 1:21 PM
"A number of points"

Mostly irrelevant ones. e.g. people breaking in to your home to install in-line keyboard loggers is nowhere near being "the weakest link in the chain".
vicer
Oct 9, 2009 3:06 PM
@affinity:
Number of good points to consider. Thanks.

But regarding your 4th point, does it really matter even if the Linux distro is out-dated? I mean I can simply boot from the CD/DVD, open up my browser, type in url for the banking site, do any transactions, log off and reboot to my original OS. And I won't be using wireless keyboards and I can be pretty sure that my home comp. is free of hardware key loggers. Maybe I am missing the weakest link? :)

In point 6 you mention the possibility of a BIOS level compromise. I don't know how it can happen technically. But yes, if it's possible it can be a threat to the 'boot from Linux distro' solution.


Graeme Harrison (prof at-symbol post.harvard.edu)
Oct 9, 2009 3:35 PM
I just wasted 20 minutes of my life. I typed a longish submission on bank security recommendations, then upon 'Submit Comment' clicking, as so often happens the ITnews site reported "Server Error..." and wiped the contribution. It is SO appropriate that ITnews runs a story on internet banking, as both systems have the same user-unfriendly interface. If you have spent any time inputting a bank transaction, but your elapsed time went slightly over the bank's timeout period, the banking software, rather than prompting you for your password again, and thus accepting the details of the transaction as input, simply says "f-off" and after you log-in again, you must start the transaction input afresh. Heaven help you if you have any disability that makes you slow at data entry.
Well, ITnews is JUST as unfriendly. If you take too long inputting your comment, or maybe the situation is if another contributor has put in another comment in the interim period, the ITnews service wipes your contribution and just as forcefully says 'f-off' with no ability to recover the comment you spent all that time typing. I think someone in ITnews ought to fix this problem in the comment submission process, before you expend too much effort criticising others in the IT sphere.
funkyg
Oct 9, 2009 3:39 PM
This all brings me back to my comment above: -

Sandboxie > Separate browser > One time password

My opinion is that this would be the best trade off security vs convenience.

I should also add that I think the banks should all be forced to do this at the same time. There will therefore be no backlash against a particular bank for the 'increased difficulty' of internet banking.
Sams
Oct 9, 2009 3:47 PM
Graeme: my tip is to prepare long submissions to any web forum in another editor, or face the chance of losing. In most cases the back button on Firefox will get your original form back, but I still won't chance it on important stuff.

vicer: "But regarding your 4th point, does it really matter even if the Linux distro is out-dated?"

Indeed. A stable Debian distro or derivative thereof has pretty good staying power. Most people don't keep their Windows machines up to date anyway.
aboctok
Oct 9, 2009 8:59 PM
Graeme, you've hit the usual nail on its ubiquitous head. And as always, some moron associated with what passes for "effort" needs to lift their game up to the level of beginning to give a shite about helping out THE USER and not just endlessly showing off little programming sparkles.. ie: whacking in function after function (like timeouts) simply because they exist. Just because they exist, DOESN'T MEAN THAT THEY SHOULD BE IN YOUR PROGRAM. How many BILLIONS of times can we say this and not be heard??? I lose count of how many crap scripts I run into every single HOUR that have functionality that works against the user!!! V-E-R-Y, V-E-R-Y D-U-M-B!

MANDATORY READING: David S. Platt; "Why software sucks..."
aboctok
Oct 9, 2009 9:09 PM
Sams.. no offence, but the guy is smart enough to know about the editor, and being careful, and taking precautions, blah blah blah. His point remains excruciatingly valid—it is absolutely pointless (in programming etc) to neglect basic stability and reliability issues and play around with lovely little doovalakies that enhance mere presentation! All of this comes back to the basic reason you think you have for writing a web-page.. a program.. an application. Not enough people think about how it looks from the user's end, rather than from the smart-ass developer's end. Forget your front end til you have something that actually works!! You even see it at ATM's for God's sake..
mg2323
Oct 10, 2009 9:10 AM
To Graeme Harrison: Here's a tip that will end your script erasing woes, now bear with me here, it's pretty tricky. I will provide a step-by-step process here.

1) highlight the text you wrote, either by left clicking the mouse and hovering over the text you wish to save, or simply press and hold the Ctrl key and then press the "A" key, which will select all the text within the text field.

2) While the text is highlighted, right click and select copy. If you chose the latter option, while still holding the Ctrl key, press the "C" key, which will copy the text.

3) If your page times out or whatever, simply go back to that same text field, press and hold the Ctrl key again, then press the "V" key. Lo and behold, the same text you just wrote! Seriously tough I know, but I know you can manage it.

Graeme Harrison (prof at-symbol post.harvard.edu)
Oct 10, 2009 3:59 PM
Yes, thanks for all your most generous tips at how to work-around the design flaw in the ITnews comment submission. For the record, I usually do a Ctrl-A then Ctrl-C combo before clicking on 'Submit Comment'. But that time the Ctrl-A worked (all text was highlighted) but I either failed to press hard enough on the Ctrl-C or the timing of the concurrency of the two keys was not overlapping... so only prior contents of clipboard was available to my disgust... hence the spleen.
BUT, nice as it is to remember which sites have user-unfriendly interfaces, and which work-arounds work, as some with an interface flair have commented, it is about time those responsible fixed the inherent flaws.
Slatts
Oct 10, 2009 5:16 PM
Funnily enough when I've been hit with this problem I just hit the back arrow and the previous page returns complete with my missive. I suppose it's a caching thing...
Slatts
Oct 10, 2009 5:20 PM
I just tried it after the previous post and there was my text, sitting happily in the text box.
Of course I do my posting from the forum rather than the article mostly so perhaps it's different.
Slatts
Oct 10, 2009 6:46 PM
serendipitously, I just suffered the same error as you described Graeme, while posting in an article.
It was caused by my login timing out before I got around to posting my post. I hit the back arrow and my post reappeared with the reloaded page.
I then logged back in in another tab, reloaded the page I was posting in (yes, the text reloaded once again) then submitted my comment.
Looks like you can get your 20 minutes back if you're quick.
Sams
Oct 11, 2009 12:33 AM
aboctok wrote: (shouting rant about scripts)

Actually, Graeme said it was a "Server error", so it could be due to some kind of resource contention/exhaustion, or someone restarting a service, or a network/DNS interruption between components, etc.

Always be prepared for a session to disappear .. use a text editor for long posts.
Jose_X
Oct 11, 2009 2:29 PM
[affinity] >> 4. A Linux distro booting off a CD/DVD can become dated too quickly and when one distro is considered safe today, it might not be tomorrow. Are you going to download Puppy Linux every day that you want to do Internet banking?

At this point in time, I believe using an outdated distro is a fairly low risk.

As Linux gains popularity (or even now, as I do), you'd want to keep a distro installed, and update it periodically. You can also try to use (or custom build) a distro that is optimized for security and use a low frills browser.

[affinity] >> Microsoft products can definitely be less secure, but that need not be the case if a machine is well set up and safe computing use is practiced religiously.

I don't trust closed source. With Windows, rather than have the world able to spot check the code (as is the case for Linux), you have only that one company, Microsoft, and anyone that has gained access (eg, through employee leaks).

I also don't trust Microsoft, specifically. With them, it's not just limited resources and bugs that worry me. It's dishonesty and opportunism on their part.
rossnixon
Oct 13, 2009 9:02 PM
If you have a recent ASUS motherboard, it may include "ExpressGate" (a basic Linux implementation) in the BIOS. Boots in about 8 seconds and includes a browser based on Firefox 2, I think.
This would be a good environment for your banking.
rossnixon
Oct 13, 2009 9:07 PM
Further to that, the ExpressGate browser is called SplashTop. There was a local file-system security hole reported in July 2008, but newer releases of Splashtop (and its derivatives) are fixed.
freedomofchoice
Oct 13, 2009 9:37 PM
To me, the Banks should take more responsibility for customer/end user support. You can't blame Windows, McAfee, Apple or Linux. If the Banks want to offer "convenience" then they should offer exactly that to anyone with an internet connection, be it with any mobile phone or any computer. Until then, do as the Policeman says...
afleslie
Oct 14, 2009 9:29 PM
My Windows XP (SP3) has a nice tool to enter important data by mouse instead of keyboard - presumably this is virtually impossible to break without knowledge of where the window is positioned on your computer.

Invoked by:
Start->Programs->Accessories->Accessibility->On Screen Keyboard
Sams
Oct 15, 2009 7:33 AM
@afleslie: if you have a trojan on your machine, it could be looking at network packets and thus wouldn't care what UI you are using.
Ace
Oct 15, 2009 4:36 PM
@Sams: if the on-screen keyboard is part of the online app (like the Westpac login), then it can be made quite secure, as each key can use a session encoded sequence rather than actual letters and numbers. However, a Windows-based on-screen keyboard does not add any level of security whatsoever, as all it would do is simulate a real keyboard.
Sams
Oct 15, 2009 5:36 PM
Ace: "if the on-screen keyboard is part of the online app, then it can be made quite secure, as each key can use a session encoded sequence rather than actual letters and numbers"

How is that better than using SSL? If someone has a trojan on your machine, all bets are off.
Mordd
Oct 15, 2009 6:55 PM
@Graeme Harrison

I've never had a server error on this site even once, i might have only been coming here a few months now but I now browse here multiple times a day from 3 different locations and never once had a problem.

As far as your rant against similar problems with online banking, I'm with Westpac and if my session times out when I am entering in a lot of details, Westpac internet banking asks me for my password again using the on-screen keyboard and continues on as normal as long as I re-enter my password correctly, maybe you should consider a better bank to use for your online banking...
Mordd
Oct 15, 2009 7:00 PM
@aboctok

Timeouts are there to protect a user against someone else clicking the back button on the machine later and then being able to pose as the previous user, which they would be able to do if the sessions initiated by the original user did not use a timeout value. Before you rant at what you don't understand, stop and think that just because you don't understand why something is there, does not mean it's not there for a reason, and a good reason usually.
JamesyR1
Oct 19, 2009 10:35 AM
I agree with freedomofchoice. Banks reduce staff, increase fees and offer internet banking that is not safe. We have discussed this issue many times.

It's very unrealistic to ask every user/consumer to have a linux boot OS! The banks need to do more. My mum and dad have no idea how to boot off a linux distro. And who says the linux distro is going to be safe from hidden malicious software planted there. Look at PuppyLinux and how many people have added ISOs with all the apps installed (including hidden keyloggers I am sure)!

There are a number of products/services out there that protect you from this sort of crime, way past firewalls, content filtering, A/V software such as products like Trust Defender.

TD shuts down all services running and only allows connectivity to the online bank, by locking down the online transaction session.

Banks should be doing more to protect their consumers as they push them towards online banking services. They should be looking for vendors that offer this service and adding this service to their consumers. Currently we are all left out in the open.

PCI DSS accreditation PCI (Payment Card Industry) standards were established for handling online financial transactions and at the end of 2007 all businesses handling cardholder data had to be fully compliant (irrespective of business size) which came at a huge cost to businesses (not the banks). I am fully behind the PCI DSS in Australia but banks needed to do more to support it and more so online transactions.

They are the ones offering the service!

James Righetti
manageNET
Sams
Oct 19, 2009 4:47 PM
"My mum and dad have no idea how to boot of a linux distro."

Can we assume they can boot any other OS? You put a CD in and press the ON button.

"They should be looking for vendors that offer this service and adding this service to their consumers." .. "James Righetti
manageNET"

Banks typically provide SSL, passwords with token-based authentication. This is sufficient provided the end points are secure. It doesn't matter what software you install on your OS, or whether you go through a VPN. If your machine is already compromised, any software or network communication can be subverted by the trojan.

"TrustDefender u-turns on bank security claims"
http://www.zdnet.com.au/news/security/soa/TrustDefender-u-turns-on-bank-security-claims/0,130061744,339275246,00.htm?omnRef=http://www.google.com/search?q=Trust%20Defender&ie=utf-8&oe=utf-8&lr=lang_en

JamesyR1
Oct 19, 2009 6:14 PM
@Sams
My point is saying that all things that work toward protected online banking customers should be the objective of all the financial institutions offering online services.

This post was to discuss alternatives as to what this article is telling us and how practical it is. Why complicate the endpoints with boot CDs as this method doesn't seem practical to the average consumer.

As for Banks typically providing SSL, passwords with token-based authentication this is 'obviously' not sufficient as there are multiple breaches occurring daily across the globe.

So I guess my last point is regardless of whether malicious software is installed or not, the idea of programs developed by companies like Trust Defender (are there others?), stop all services running on a desktop, checks for any malicious software, checks to ensure the URL is not fake etc is another layer of security that I would welcome and I am sure many consumers.

I'll read your attached URL later
Jose_X
Oct 19, 2009 10:39 PM
JamesyR1, what banks can do is to customize a Linux distro and (eg) provide the ISO or disc for their customers to use to get online and use all bank services.

You are right that there are many possible weak links.

The bottom line, wrt this article, is that you can use a system that has been shown repeatedly to be extremely vulnerable on an ongoing basis and which can only be audited by a very limited number of individuals, most of which have interests in the company being successful and making lots of money. It's a system that has a high probability of getting contaminated if you fail to pay your dues each month or year.

Or you can use a CD where there is a very high probability of it being clean the moment you turn it on for use to do online banking and whose software likely has been audited to a modest degree by many independent groups.

If you don't trust the remix someone posted of Puppy Linux or XYZ Linux, then ask your bank or some other group you trust to build their own Linux distro. I'm sure a market will arise in time where groups wanting to be seen as trusted will do just this to compete for your dollars. Heck, ask the local geek or service provider to build all the software from scratch using public auditable source code. I expect all of these services will exist some years from now, and Linux will do an outstanding job supporting hardware because vendors will realize that consumers will want Linux.

You can virtualize Windows on top of Linux. Make a clean image of Windows (to the degree this is even possible or trustworthy), then run that same "virgin" virtualized environment to do banking.

Regardless, the base system and everything that runs on it should be as trustworthy as possible. This is the motivation for keeping around an open source Linux Live CD. Even if the distro gets outdated, there tend to be few vulnerabilities over time if you select a safe version, and any such potential vulnerabilities likely won't be exploited between the time you boot up your clean slate and when you log out of the bank.
Sams
Oct 20, 2009 7:11 AM
"Why complicate the endpoints with boot CDs as this method doesn't seem practicle to the average consumer." [sic]

Putting a CD in and pressing the on button too complicated? Sounds easy. Easier than installing third party applications.

"the idea of programs developed by companies like Trust Defender"

Vested interest, perhaps? If your machine is compromised, Trust Defender won't help you.

"As for Banks typically providing SSL, passwords with token-based authentication this is 'obviously' not sufficient as there are multiple breaches occuring daily across the globe."

Got any well-sourced stats to back that up? Most "breaches" you are referring to are invariably the result of social engineering. Linux CDs or software is not going to help there. This sounds exactly like the kind of FUD campaign TD was using to market its product (and had to make an embarrassing public retraction). I expect they are not above a bit of astroturfing as well. Like I said, those measures are sufficient *as long as the end points are secure*. A boot CD would be an excellent way of ensuring this, rather than some poorly-explained closed-source software that is as vulnerable as any other part of an OS to a trojan.

"Trust Defender (are there others?), stop all services running on a desktop, checks for any malicious software, checks to ensure the URL is not fake"

Speaking as someone who was once a principal engineer at RSA, I have to say this seems highly suspect. Some OS services are vital for your desktop system to operate properly. How would TD know which services are vital, such as third-party virus scanners? Would it interrupt critical hard drive operations? SSL (HTTPS) is the best measure for detecting fake URLs. Browsers already do this comprehensively.
JamesyR1
Oct 20, 2009 11:42 AM
What I am saying is that it should not be the responsibility of the users, it belongs to the banks, finance institutions that profit from their online services, not the consumer.

A Boot_OS is not practical. My points are based on having experience managing thousands of endpoints. I do not discount the fact that a 'clean' boot CD is a good means but it is not ideal nor is a practical method. Production of tens of thousands of boot images on CD, posting to subscribers doesn't make sense either.

Alternatively, using VMWare and running a clean image is what I do at home as it also supports my browsers needed for my bank. However, VMWare on every PC is also not practical for everyone to do either. It may be practical for IT professionals and even then, who is to provide the millions of consumers the funds and capabilities with the clean OS via VMWare or BootCD?

Installing software that can be deployed easily, updated and managed is why I see it as a better, more realistic alternative both financially and strategically for consumers and enables the banks to take ownership of this problem.

Sams
Oct 20, 2009 1:20 PM
"I do not discount the fact that a 'clean' boot CD is a good means but it is not ideal nor is a practical method. Production of tens of thousands of boot images on CD, posting to subscribers doesn't make sense either"

I don't see why not. It is considerably less expense and effort to send out a cloned CD image to N users than sending out unique hardware tokens to N users. In fact, the two could be sent in the same package. There are companies that would be happy to bulk produce such CDs for banks.
JamesyR1
Oct 21, 2009 4:29 PM
Sorry, I am still finding it hard to see your side of this discussion Sammy. Of course companies would love to be paid to produce these CDs for banks but at what cost?

Boot OS
$ Boot OS system software user rights/licensing
$ CD Manufacturing
$ Mailout packaging and costs
$ Replacement for lost/damaged CDs

Versus

Centralised Software Management Portal
$ Portal Management/Infrastructure
$ S/W deployment and maintenance
$ Centralised User policies and controls

I am speaking from having worked for a number of companies with over 10,000 endpoints to manage. Centralised management and control was always key to success and good ROI.

I guess we can agree to disagree but thanks for your feedback :)
Sams
Oct 21, 2009 6:21 PM
"Sorry, I am still finding it hard to see your side of this discussion"

Clearly

"Of course companies would love to be paid to produce these CDs for banks but at what cost?"

For much less than the cost of the hardware tokens which they are going to send anyway.

"Boot OS system software user rights/licensing"

Free ($0.00).

"CD Manufacturing"

$0.05/CD

"Mailout packaging and costs"

Goes with hardware token, so $0.00.

"Replacement for lost/damaged CDs"

$2 would be reasonable with decent automation. Or download a live CD, but that is less secure (but no less secure than downloading the kind of software you advocate).

You also left out the cost of your dodgy closed source software's end-user license in your side of the calculation, which is no doubt the largest part. Whoops.
Mordd
Oct 21, 2009 6:39 PM
This discussion seems to be deviating from the original topic and turning into a bitch fest between competing security vendor employees with individual vested interests...
Sams
Oct 22, 2009 1:57 PM
@Mordd - No vested interests here. I used to work in security software, but haven't for years. You'll usually find me building custom web-applications (esp. CMSs and membership databases) mostly for non-profits these days. My clients include three state political parties, so Internet security is still of interest.
Mordd
Oct 22, 2009 2:45 PM
@Sams - fair call, maybe you and I have backgrounds more similar than I thought. I too have some experience with similar work for NGOs and a couple of major political parties as well, lol. I am also very aware of the fact that all camps employ people these days to help "guide" discussions on social networking sites such as this, on Twitter, etc., and the debate going on here with unreferenced costs and the like just doesn't seem to be actually debating anything now; it more just reads like two well entrenched sides sniping at each other, neither willing to budge one millimetre from their own position. Just my 2 cents anyway.
andys@home
Oct 22, 2009 9:41 PM
I believe that too much blame is attached to the mixture of literate and semi-literate computer users in this case.
Where the blame really belongs is with the banks. OS choices are purely a red herring that is being used to cover for the banks ignoring security basics that go back decades. My bank uses something I know (username and password) and something I have (my mobile phone, for SMS-delivered one-time code use). All the issues around internet banking generally would be mitigated if you chose a banking institution that uses 2-factor authentication. Any solution, no matter where or who it is with, where there is single-factor authentication will be subject to compromise, and it will be those that criminals will target.
andys@home
Oct 22, 2009 10:20 PM
Actually, on further consideration, my post above focuses only on authentication, which I believe to be an area that needs to be fixed faster than anything else; after all, most banking fraud is perpetrated at a later time with identity theft.

That said, once the authentication is beefed up to the point that identity theft alone won't do it for the criminals, then they'll have to move to try and hijack; however, careful use of the 2nd factor should mitigate that, such as SMS details and one-time codes, or they'll have to try and take over the 2nd factor, which is probably a tougher ask.

Hijack success will be dependent on OS choice, patching strategies and user literacy. So, like with all security, the answer is rarely one thing or another but rather a raft of complementary choices.
onlinepeaceofmind
Oct 23, 2009 10:48 AM
andy, I agree with you re the blame being on the banks. Let's face it, many users barely know what a firewall is, let alone how to ensure their PC is safe from malware etc.

I also agree with you re authentication. People nowadays have a false sense of security in believing 2-factor authentication is "security". All authentication does is authenticate that at that specific point in time, it is really YOU doing the transaction. It doesn't protect the information you send. Key loggers and trojans can still intercept all of your information and use this to build up a profile of you.

I recently read a blog where the CEO of a medium-sized credit union was boasting about their new SMS authentication service stopping a fraudulent transaction. The victim received an SMS and knew his account had been hacked, so he rang the credit union and they immediately stopped the transaction. Nice, saved some money being stolen by the cyber criminals, but my issue is that his account was still compromised by the crims and they had all of his credentials (username and passwords) to log into the account. Security should protect this information, not just authenticate the user.

FYI, there is software out there that DOES protect your information and secures your PC BEFORE you even reach the banking login page. The software verifies the banking site you are visiting (makes sure it's not a phishing attack) and locks down the session in a secure tunnel. So any information you enter (username, password, one-time token etc.) can't be intercepted by any malware. I have been using it for over a year now and it has detected and protected me from weird and wonderful infections on my PC. It's a small price to pay for online peace of mind.
Sams
Oct 23, 2009 8:02 PM
"FYI, there is software out there that DOES protect your information and secures your pc BEFORE you even reach the banking login page."

Oh, what a coincidence (!), we had just finished successfully arguing why similar software is a waste of money ... and suddenly a new user account appears trying to spruik the same software. Trying to astroturf under a different user name is pretty lame. Are you going to do some sockpuppeting next?

http://en.wikipedia.org/wiki/Astroturfing
http://en.wikipedia.org/wiki/Sockpuppet_%28Internet%29

"The software verifies the banking site you are visiting (make sure its not phishing attack) and locks down the session in a secure tunnel. So any information you enter (username, password, one time token etc) cant be intercepted by any malware."

Such software is called SSL (Secure Socket Layer) and it comes for FREE with your browser. And it works.

"I have been using it for over a year now and it has detected and protected me from weird and wonderful infections on my pc. its a small price to pay for online peace of mind."

I've been using Linux for years and haven't needed anything of the sort. $0 is a small price to pay for genuine protection instead of fear marketing of snake oil products.
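What "verifying the banking site" reduces to, as an added example that is not code from any poster, bank or product mentioned in this thread: the browser's TLS check already confirms that the certificate chains to a trusted root and names the host you connected to, so the only step left is the one a known bookmark gives you, namely that the host is actually the bank's. The Python below checks a URL string against an allowlist of bank hostnames (`netbank.bank.example` and `www.bank.example` are hypothetical) and rejects the usual phishing-link tricks: plain http, the bank's name used as a subdomain of another site, the bank's name stuffed into the userinfo before an `@`, and punycode or non-ASCII lookalike hosts. It inspects only the URL; checking the certificate remains the browser's job.

```python
from urllib.parse import urlsplit

# Hypothetical bank hostnames for the example. A real list would come from
# the bank's own paperwork or your bookmark, never from a link in an email.
BANK_HOSTS = frozenset({"netbank.bank.example", "www.bank.example"})


def check_bank_url(url: str, allowed_hosts=BANK_HOSTS):
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly one of allowed_hosts."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"

    # "https://netbank.bank.example@evil.example/" puts the bank's name in the
    # userinfo part; the browser actually connects to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    # IDN homographs arrive either as raw non-ASCII or as punycoded labels.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised host {host!r}; refusing to guess"

    # Exact match only: "netbank.bank.example.evil.example" is not the bank.
    if host not in allowed_hosts:
        return False, f"host {host!r} is not a known bank host"

    return True, host


if __name__ == "__main__":
    for u in ("https://netbank.bank.example/login",
              "http://netbank.bank.example/login",
              "https://netbank.bank.example@evil.example/login",
              "https://netbank.bank.example.evil.example/login",
              "https://xn--netbnk-xxa.bank.example/login"):
        print(u, "->", check_bank_url(u))
```

The exact-match rule is deliberate: suffix or substring matching is how lookalike domains get through, and a port or trailing dot on the genuine host is tolerated because `urlsplit` strips the port and the code strips the dot.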
onlinepeaceofmind
Oct 23, 2009 8:51 PM
sams, I don't know what your prob is. This is a forum and I was simply sharing my 2c worth with others. Stop being so rude and arrogant. My first time contributing on the forum and this is how you welcome people?

NO, I wasn't referring to astroturfing nor sockpuppets. Turns out that you don't know everything after all.

You can keep using your beloved Linux, and so too can the rest of you techies. But newsflash, the majority of web browsers are using Windows and have little knowledge of such technologies. Thus, my view that such simple-to-use software is still more practical for your average user.
Sams
Oct 24, 2009 11:30 PM
"the majority of web browsers are using windows and have little knowledge of such technologies. Thus, my view that such simple-to-use software is still more practical to your average user"

What is more simple to use than your average browser, which has all of the security features you are touting built in anyway? It's not like they need to know how SSL works any more than they need to know how your add-on software works (or doesn't work, as is more likely the case).
murt
Oct 26, 2009 11:58 AM
good to see a robust discussion - may I throw in another Q ?

My hotmail was hacked recently despite daily updates of security software - I'm guessing a fun email from a friend downloaded a keylogger - not sure. So now I'm more paranoid.

I'd like to get wireless broadband (iiNet Bob) but am wondering about internet banking - I guess it would have fairly good encryption/firewall, but then one TV show said warDrivers could hack any wireless system in 30 mins, so I don't know.

Others' comments suggest NetBank already uses SSL/encryption so pretty good, but I'm wondering about sniffers reading any unencrypted passwords, or even cracking the encrypted ones. Any suggestions ?
Sams
Oct 26, 2009 1:54 PM
murt wrote:

"Others' comments suggest NetBank already uses SSL/encryption so pretty good, but I'm wondering about sniffers reading any unencrypted passwords, or even cracking the encrypted ones. Any suggestions ?"


Tips:

Don't do internet banking unless they are using encryption (SSL a.k.a. https://...). I can't imagine any banking site not using it though, since it is relatively cheap to set up.

Use an online bank that also provides you with a hardware token that generates a one-time password each time (typically a 6-digit number). You enter the freshly generated number each time as well as your password. You might pay a few bucks extra to purchase the token, but it is worth it. I've had one for years - the battery must last for ages.

Always have encryption switched on when using a wireless network. Only older protocols (WEP) are easily hackable. WPA2 is reasonably robust.

Don't click on links in emails that purport to be from banks. They are easy to forge. Always go straight to your banking site using a known bookmark.

Research what constitutes a "strong password" and always use strong passwords. Change your password occasionally.

That's all I can think of right now.
Graeme Harrison (prof at-symbol post.harvard.edu)
Oct 26, 2009 2:18 PM
My thoughts on best changes to improve bank security are:

1. ALL banks and other financial institutions should allow you to select your own Account Identifier AND Password. Currently the bank selects at least one (used to be both) and makes the string so long, you need to write the bloody thing down, and writing things down is the SINGLE largest cause of bank fraud. The reason the banks moved from bank-specified ATM PINs to user-specified PINs was because people routinely wrote the PIN on the card (in plain text or simple code), so they would have the information available to them at the ATM. It is accepted that security-access information is far better stored in someone's head, but to do that you need to ensure that the data CAN be remembered. The ONLY reasonable requirement is that the account identifier ought be unique. However, one only needs to do the same as is done on any web-forum: if the chosen user-name is already taken, then the person has to select another. So people might have their name followed by their date of birth. That does NOT lessen security, as you can have 'toughness' measures applied to the password chosen (eg min 6-char length with at least some as digits)... but it is counter-productive to push this logic too far, as longer passwords again force people to write things down.

2. Linked to the above change, all banks ought send an immediate SMS AND email to you if there is an invalid password attempt to log-in to your account. It should say, this is the Nth attempt within the past week, and Mth within the past 12-months. That way, any sensible customer would know if it was them just stumbling on the keyboard, or someone else trying to access their account. If the latter, most would accept a reminder to switch immediately to a different and 'tougher' password.

3. Similarly, any major change in spending (concurrent use overseas within a day of Australian-based transactions) or any significant increase in spending with 'new' vendors ought generate a courtesy SMS and email to the accountholder, just to prompt them to check their transaction history. Any such SMS or email should explicitly note the type of trip-wire which triggered the alert, both so they know what to look for, AND so they know if they don't need to do so, because they did just make a major purchase with a 'new' vendor.

4. ALL banks should use moveable on-screen keyboards for password entry (like Westpac's) as it does defeat simple keyboard loggers.

5. It is best for such apps to send different (masked) data for each mouse-clicked 'virtual key', in case SSL is breached.

6. SMS-sent one-time-keys should have two thresholds, one for new account transfers and one for existing account transfers. A user should be able (by personal photo-ID appearance at a branch) to change these to reasonable thresholds. The bank can then allow users to 'sign off' on setting thresholds at values not recommended by the bank. In my case my weekender (Goodmans Ford - only 115km from Macquarie Place in Sydney as the crow flies) requires a one-hour round trip to get within mobile range... by the time you've driven back to the house, the one-time-code would have expired. The bank alternative is to carry a code-generation device, but I don't want to HAVE to carry an extra device with me, so why not let me allow first-time transfers of up to $1000 without SMS or key-generator, IFF I know the risks and sign off to this regime.

7. Banks should also allow opt-in to have an SMS and/or email sent to you every time you make a transfer (that did not require an SMS one-time-key to authorise) and/or every time there was a non-fee transaction on your account (ie including EFTPOS or web purchases). Large corporations would never want that (due to transaction volume), but smaller customers may LOVE the idea of real-time tracking of transactions. That could pick up children buying concert tickets with your credit card etc. It would certainly stop long-term 'milking' of accounts in many situations (OK, I'll concede nothing can stop a spouse's spending on a conjoint card).

8. Banks ought also be more explicit about security risks. Currently they try to release NIL information, (for face-saving reasons) but that does not help. I received a phone call from my bank saying "My ATM may have been compromised" I then said "Well, do you mean it HAS been compromised, was used at an ATM that you later found was compromised, or is this just a general security warning?" The caller replied that he was simply employed by an independent call-centre and was just phoning the numbers provided by the client bank. Anyway, in the end no-one including his manager could advise as to the explicit risk they were seeking to convey.

9. Finally, the banks ought put eight years of your transactions on-line available to you for downloading. The banks have a huge benefit possible if people refused paper statements, yet none of the banks has offered the alternative that people need. Most banks only allow you to see the most-recent 90-days of (say) credit card details, yet for tax reasons, you need seven years of transactions available. They assume you have nothing better to do with your time than to diarise to go in at least every 90 days on each account and download the Comma-Separated Values (CSV) of each account. I've even tried hard, but still have spreadsheet-loadable transaction records with many time gaps in the data. And I don't think it would be any more load on the bank's internet banking system to allow me to look back over 7+ years of history, than forcing me back to constantly download quarterly CSV files. Moreover, if banks are genuine in their desire to have customers keep a keen eye on their own transactions, they need to make those transactions available to the clients (including prior ones for comparison). If you think your telco/ISP/utility is taking too much out of your account, you may need to see what they took out 12 or 24 months ago for comparison.

10. And a plain-vanilla Ubuntu install is far more secure than any Windows environment... but we should not need to prescribe such a radical approach to simply have a secure banking session. Besides, until such time as you make the Account Identifier and Password both easily memorised, going to a separate environment will only encourage people to write down in plain text the fields they need to enter to do internet banking!
_________
Btw, Sams, I agree with most of what you say... but worry that you need more of an outdoor life, when I saw that your last comment on cyber security was posted near midnight on a Sat night... or perhaps you came home boozy and thought you'd better set someone straight before collapsing? [Send me your email address directly (see my email address in my forum name) as I may need the services of someone good for checking databases.]
Graeme
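Point 2 of the post above, as an added example that is not code from any poster or bank: given an authentication log, count the failed attempts on an account in the past week and in the past 12 months and build the SMS/email text. The log format (`account=... result=OK|FAIL`) and the sample lines are constructed for the example, and the rule that a password-change reminder is attached once the weekly count reaches three is an assumption.

```python
import re
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
YEAR = timedelta(days=365)
RESET_THRESHOLD = 3  # assumed: weekly failures at which to suggest a new password

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"account=(?P<acct>\S+) result=(?P<res>OK|FAIL)$"
)

# Constructed sample log for the example; not real bank data.
SAMPLE_LOG = """\
2008-09-01 08:00:00 account=1234 result=FAIL
2009-07-15 21:10:05 account=1234 result=FAIL
2009-10-20 09:30:00 account=1234 result=OK
2009-10-24 18:45:12 account=1234 result=FAIL
2009-10-26 14:01:50 account=5678 result=FAIL
2009-10-26 14:02:11 account=1234 result=FAIL
"""
NOW = datetime(2009, 10, 26, 14, 2, 11)  # time of the latest attempt above


def parse_log(text):
    """Yield (timestamp, account, result) for each well-formed line;
    malformed lines are skipped rather than crashing the alerter."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["acct"], m["res"]


def failed_login_counts(events, account, now):
    """Failures on `account` in the week and the 12 months ending at `now`.
    The attempt that triggers the alert is in the log, so it is counted too."""
    week = year = 0
    for ts, acct, result in events:
        if acct != account or result != "FAIL" or ts > now:
            continue
        age = now - ts
        if age <= YEAR:
            year += 1
            if age <= WEEK:
                week += 1
    return week, year


def alert_text(events, account, now):
    week, year = failed_login_counts(events, account, now)
    msg = (f"Invalid password attempt on account {account} at {now:%Y-%m-%d %H:%M}: "
           f"attempt {week} in the past week, {year} in the past 12 months.")
    if week >= RESET_THRESHOLD:
        msg += " If these were not you, change your password now."
    return msg


def sample_counts(account):
    return failed_login_counts(list(parse_log(SAMPLE_LOG)), account, NOW)


def sample_alert(account):
    return alert_text(list(parse_log(SAMPLE_LOG)), account, NOW)


if __name__ == "__main__":
    print(sample_alert("1234"))
    print(sample_alert("5678"))
```

Two details matter in practice: the message never echoes the attempted password or the source address (either would leak to whoever reads the phone), and the counts are computed per account rather than per source, because credential-stuffing attempts come from many addresses.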
andys@home
Oct 26, 2009 6:56 PM
"ALL banks should use moveable on-screen keyboards for password entry (like Westpac's) as it does defeat simple keyboard loggers."

Perhaps I'm being pedantic, however let's talk about remote screen viewing etc. Given that Windows comes with that technology built in, and there are any number of 3rd party apps that offer this, then it's reasonable to assume that if your machine has been compromised to the extent that a keylogger is active, then to presume that a remote screen viewer isn't possible is a bridge too far for me. The first generation of these (presuming they don't exist already) is probably only going to send greyscale info, and probably not at full screen resolution. As such the claim that the bandwidth required for keylogger data transfer is way smaller than screen capture will be true, but not beyond that provided by most people's broadband connection, and if it works in conjunction with a smart app that determines when internet banking is occurring, and it locally caches and then uses a low priority trickle transfer (BITS??), then most won't even know it's there.
andys@home
Oct 26, 2009 7:08 PM
Murt, perhaps the most important part of security is the one that nobody has yet covered with your specific scenario. And that is that once you know your PC has been compromised then after that point the only time you can be relatively sure its still not compromised is when you reformat the HDD and reload the OS. Despite what the antimalware providers will tell you, the only value in antivirus, to my black and white view, is to keep malware off your machine and even then only as a last resort, with the first line of defence being a good understanding of the dangers and how to mitigate them.

If what I've said doesn't ring true with you, google "+hijackthis +log" and pick any of the millions of results where a forum post covers removal processes for malware. The vast majority require more than one action/visit, and many cases require multiple (many more than 2) revisits with technologists, where in most cases no one can guarantee at the end that the problem is 100% resolved.
Sams
Oct 26, 2009 10:51 PM
Graeme Harrison (prof at-symbol post.harvard.edu) wrote:

Btw, Sams, I agree with most of what you say... but worry that you need more of an outdoor life, when I saw that your last comment on cyber security was posted near midnight on a Sat night... or perhaps you came home boozy and thought you'd better set someone straight before collapsing?
Graeme


Ah, perhaps I don't get out enough, but I do live out in the Queensland countryside. I also tend to work a six day week, but with lots of family time as I'm working from my home office mostly.

You have some good suggestions, but as andys@home says, the on-screen keyboards cease to be useful if trojans change their focus from keylogging. I wouldn't rely on them. Also, any form of simplistic encryption beyond SSL, such as shifting key codes, is unlikely to add any further protection if SSL can be breached. If SSL can be broken, then man-in-the-middle attacks are possible, so the on-screen keyboard you see might not be coming from the bank's end but from a malicious party (or trojan listening on your post) intercepting traffic.
Sams
Oct 26, 2009 10:56 PM
Oops; (or trojan listening on your post) -> (or trojan listening on your port)
135boom
Oct 31, 2009 11:45 AM
Sorry, this person in the article is a complete farce and has no clue. Windows and Explorer are just fine for security and online banking. The encryption is a bear to break unless you a) have a supercomputer, b) you're good at cracking algorithms, or c) you have the person's password. Also, the fact that this person in the article states that the iPhone is more secure tells me he is as smart/dumb as the average Mac user. He needs to stop watching Apple TV commercials and talk with real security experts, and I don't mean the computer magazine writers.
Here's some clues... Guess why businesses are slow to go to the iPhone? Guess why the US military has not gone to the iPhone? Guess why Governments haven't gone to iPhone? It is not secure and Apple knows it. In fact, they don't want to increase security in fear of limiting the iPhone too much. Hey, I have an iPhone, but I don't store secure info on it.

As for OSX, it's as secure as the person driving it. If an unsuspecting person takes the wrong program and approves loading it, they can lose control of their OS to the bad guys. Hmm, sounds just like a Windows system, doesn't it? An operating system is as secure as the operator's use practices. If you're dumb you get bit. It's the nature of the beast. Hey, I have an idea: instead of being mad at Microsoft, why don't we get mad at the people stealing our information and punish them severely?

So those that buy into this security story, try doing your own homework and not rely on the hype of Apple's TV commercials. A little research into programming and computer security goes a long way.
Graeme Harrison (prof at-symbol post.harvard.edu)
Nov 2, 2009 3:42 PM
'135boom' is worried about people being misled by Apple's TV ads, but in fact it is Microsoft's most recent ads (a wall of fire around a model castle promoting Win7's security) that reek of over-statement (unjustified claims). Now Microsoft may claim that this is just a typical dumb user expressing an opinion that nothing will get in with Win7 to a man's home ('his castle'). The claim is that, even without virus protection or any third-party software, Win7 will repel every threat. But the fact that Microsoft is publishing the ad means it is the corporation making the claim at law, not the idiot in front of the camera.

And the prevalence of malware is not purely a function of "the operator's use practices" (as claimed by 135boom), as there is just a lot more malware exploiting holes in Windows compared to that exploiting holes in other operating systems. And at the opposite end of the spectrum, an Ubuntu user only gets prompted to install updates supplied by Ubuntu, so not much risk there.... and otherwise the executables portion of your Linux hard disk partition is well protected from non-approved interference, which is the antithesis of the Windows approach from 1985 till just recently (when Microsoft started to copy the Linux approach).

And just because the iPhone is not super-secure to store data upon, does not mean that it is compromised when doing secure end-to-end encryption for an SSL web-based banking session. Indeed, the fact that the iPhone uses a single-task operating system 'kinda ensures' (for the time being) that no other app can interfere with your banking session.

So I think the cop who made the statements was RIGHT to bring the issues out, and to suggest the alternatives of iPhone or Ubuntu to those worried about being easily compromised.... besides these sorts of pronouncements act as a 'kick up the backside' to the promoters of mainstream operating systems, and their big-bank customers!
Sams
Nov 2, 2009 7:57 PM
135boom: "The encryption is a bear to break"

On-the-wire encryption is irrelevant if your PC is already compromised by a trojan. That whooshing sound was the point of the article going over your head.

135boom: "A little research into programming and computer security goes a long way."

You didn't manage to get that far I assume.

"An operating system is as secure as the operator's use practices."

You can't absolve the OS maker of their part of the responsibility. It would be like saying a door with no lock is just as secure as one with a lock, because some people never lock their doors. That is patently stupid. Microsoft is negligent when it comes to protecting its users from making security mistakes.

"Hey I have an idea, instead of being mad at Microsoft why don't we get mad at the people stealing our information and punish them severely?"

They call that a 'false dichotomy'. The third option is that you can do both.
@Comments
Nov 11, 2009 6:04 PM
Having just stumbled on the comments above, we use a system that I think you will all find most interesting as it addresses considerations like OTP (one time passwords), man in the middle, verifying the “actual” owner and not just someone who is carrying the token or mobile being sent the message, high levels of data encryption, and so much more.

I see a lot of comments mention that banks should make more of an effort and I have to agree. There does need to be more pressure put on the banks by the community, else they will simply crawl along with SMS and onscreen keyboards, which are a step above passwords for sure, but not significantly. Anyway, they do not confirm the owner of the transaction was the one making the transaction.

If, as seen on ACA several nights ago, person X can send an SMS to person A appearing as if it is coming from person B, without there being any indication at all that X is involved, then what does that say for the banking industry's investment in SMS being secure? That application, by the way, is available freely off the internet; anyone can do this.

Take a look at a system we use for User Verification called Ardeun http://www.ardeun.com which fully integrates easily into a web site. The sister version called ArdeunVerified http://www.ardeunverified.com is a similar process but operates out-of-band.

Ardeun uses Face or Voice or Finger verification all built into one clean and simple interface so the user just scans using a web cam or finger scanner for example, and they are identified as who they are.

Now why don’t banks use this and simply eliminate all the ongoing drama I wonder ?
Perhaps because they want the customers to carry the load and bear the responsibility. ?
Rixstep
Mar 14, 2010 6:08 AM
@affinity I don't care if you or anyone suggests it's been mentioned already, but it's still impossible to 'overrate' a platform that's never been the victim of a single nontrivial attack. I wouldn't trust the iPhone either as they're using the Unix in there with the equivalent security configuration of Windows. But their computer OS? It's silly to disparage that - or anything when Windows suffers from hundreds of thousands of malware strains and Windows users lose billions yearly.
Mordd
Mar 14, 2010 7:59 PM
Nice gravedig there Rixstep.
Drummo
Mar 16, 2010 8:08 AM
The facilities need to be available for the secure access of online banking.

A lot of you are arguing this point. I agree with you, but stop passing the buck and take some responsibility for your selves.

They are available, even if not all are provided by the bank, but unless the bank provides it and denies access without it, people will still manage to give their money away.

You cannot educate those who do not wish to be educated.

"What's a token?"
"I shouldn't have to pay for that!"
"How do I use the disk?"

Yes the last one Sams already answered, and it IS as simple as putting in the disk and turning the computer on, but people will ask the question which means people will need to be there to answer it. Even with proper documentation being supplied people will STILL ask the question.

You tell people that smoking kills. They continue to smoke.

You tell teenagers to use condoms. They become parents at 15.

You tell people not to drink and drive. They pass out at the wheel and wrap themselves around a tree.

You tell people not to click on links, or follow directions in emails they receive from their 'bank'. They hand over their account details to complete strangers.

Foolproof is a misconception, any fool can tell you that.



mkotadia
Mar 16, 2010 10:10 AM
Thanks for all your comments.

In case you hadn't realised, NSW Police recently contacted me about whether this story was 'fair'. You can read all about it here: http://bit.ly/c9LHTp

Also, I am going to meet a company this afternoon that has a product designed specifically for secure communications on a suspect computer. Watch this space!
Graeme Harrison (prof at-symbol post.harvard.edu)
Mar 19, 2010 3:55 PM
Yes, and the new super-secure device in the new article on ITnews in March 2010 is.... a clean Ubuntu boot off a thumb drive (miniature USB stick).

The fact that the security experts decided to go that way should be taken on board by some who (in other articles' posts) have claimed that Open Source operating systems and software do not help with security.

But it is far easier to lock-down a small Linux boot, than to ensure a Windows OS is clean. So when you boot up, you have an un-interfered-with browser session, with no chance of a keystroke logging or screen-wiping app sitting in the background.

You sort of get this with the iPhone app, but as they are about to release a multi-tasking version of the iPhone OS, it won't be long before you'll have to worry about malware looking at what you are entering into an SSL internet-banking session!
Comments have been disabled for this article.