Commentary: Is it safe to use Windows for internet banking?


NSW Police follows up on our October story.

In October 2009, I was at NSW Parliament House whilst Detective Inspector Bruce van der Graaf gave evidence to the public hearing into Cybercrime on behalf of the NSW Government.

He told the hearing that to safely conduct internet banking, consumers should use a clean boot Linux or an iPhone.

His statements caused quite a bit of a stir.

"If you are using the internet for a commercial transaction, use a Linux boot up disk - such as Ubuntu or some of the other flavours. Puppy Linux is a nice small distribution that boots up fairly quickly," van der Graaf said at the time.

"It gives you an operating system which is perfectly clean and operates only in the memory of the computer and is a perfectly safe way of doing internet banking."

Shortly after the story was published, the NSW Police Media Unit called me and questioned the accuracy of the story. I told them I attended the session and that the story was accurate. I thought that was the end of the matter.

So I was surprised to receive an email from van der Graaf this week, six months on, again questioning if my story - which was titled "NSW Police: Don't use Windows for internet banking" - was 'fair'.

In his email, van der Graaf says he objected to me mentioning Microsoft Windows in the story.

We have since spoken on the phone, and he told me that he "deliberately avoided" saying the words 'Microsoft' or 'Windows' on public record to avoid offending his "friends in the Windows world".

"I have got to be really careful about what I say at these public forums," he said.

According to van der Graaf, what he actually meant was that consumers should use a boot disk even if they were running Linux, Mac OS X or any other operating system - including Windows.

"The advice I gave was good but it could have been 'don't use Linux if you are not booting from a clean disk, and don't use a dirty Mac either'," he said.

I could accept that reading if it weren't for the fact that Microsoft Windows is by far the most popular desktop operating system on the planet and has been for many, many years. When someone starts talking about 'alternative' operating systems, as he was, they are talking about an alternative to Windows.

I'm guessing that this call was an attempt to smooth things over with friends at Microsoft (or did he mean a different Windows world?) but I am standing by my inference.

Bruce, you did tell the committee, indirectly or not, to avoid Microsoft Windows for not just internet banking, but for any "commercial transaction".

It was good advice and you should stick to it.

What do you think? Did I cross the line by assuming he was referring to Windows?


Comments: 8
Gregory67
Mar 5, 2010 5:47 PM
Thanks for the update. Although I do like your reporting and this article back in October especially as it helped me to help customers with their concerns, I would like to see a little humble pie being consumed regarding this article. I pass on information usually as you report it and try not to accidentally mislead my customers, but I have to agree with van der Graaf as he has to be 'extremely' professional when dealing with the public and to be mis-quoted or misunderstood just makes the job so much harder. Your points made in today's article are valid but it reminds me of the tombstone which reads, 'I was in the right'.
Thanks and please keep up the good work.
wjc
Mar 5, 2010 6:24 PM
No worries! Go for it!
After all - everyone agrees that Microsoft Inc.'s "Windows" operating system has a de-facto monopoly position in the home/SME PC based market and environment on a global scale. Just ask the USA and EU/EC...well- UBUNTU, Google Chrome, etc. has not yet made any inroads.

Now, supporting that alleged NSW police statement was actually an interesting Microsoft presentation - made in 2005 at a Stanford University INDUSTRY workshop - that outlined how necessary it was to move to an external unit, such as a PINPad or the like - to verify PC originated transactions via the accepted security practice of trusted, separate channel. No worries - Microsoft agreed in 2005!

Moreover, just read the original Microsoft "Palladium/ NGSCB" project outline of 8 years ago or so and the important background statement of need - that project clearly made the point that again a separate channel was needed for identification and authentication purposes and that far better security was needed for the Windows OS - but not much really happened except the adoption of the associated TPM hardware security module for PC motherboards, phones, etc. and the VISTA access control stuff.

(Remember Microsoft also offered UNIX for many, many years as its XENIX system which is still a trademark of Microsoft!! AND there was an excellent high security version of it for really secure server needs - "TrustedXENIX" that even met US military/government needs.)

Just one look at the reports re the Mariposa botnet activity has to convince anyone that far better security is needed to enable full trust of any sort to be had in performing valued transactions via the Internet and a home PC - and that means a Windows XP/Vista/7 base operating system.

A LINUX/BDOS etc based bootable CD or a protected USB "stick" (only if it can be made read-only after setup) is still one good way to go - a PINPad for home would be better!

The REAL PROBLEM - that alleged fear of offending Microsoft and/or its product users? Now that needs some investigative reporting!

Could you honestly imagine a "Choice" magazine that never mentioned any company or product by real name?
hsvandrew
Mar 6, 2010 8:22 PM
It may be unsafe to go to a branch to get money or an ATM. Just think you could have a car accident, get killed crossing the road, get mugged at the branch or ATM and drop your money down a drain on the way back to the car where you get hit by lightning as you open the door.
Considering most users use Windows to access their Internet banking, and considering (and this information comes from my partner that works from one of Australia’s biggest banks) most fraud and money lost comes from users sending their banking details to third parties from random emails they get or not having proper (i.e. not AVG free) and up-to-date virus scanners on their computers then really the problem is user stupidity not Windows or anything else related to computers.
In the real world the odd “followed all the rules of safety” person will get mugged. The same applies to the computer world. However in the real world if you had a random stranger come up to you and ask you for your bank account details and password almost everyone wouldn’t oblige. Why it happens on a computer is beyond me. I think if this problem was actually worked on instead of the rubbish discussed above people might actually be safer.
Sams
Mar 8, 2010 11:57 AM
hsvandrew: "really the problem is user stupidity not Windows or anything else related to computers"

And now something for protecting smart computer users: gaping flaws in IE have been left unpatched by Microsoft, long after it was made aware of active exploits, and have been the source of many a breach on home PCs. No amount of anti-virus or Windows update is going to protect against that. So one of the real problems ("stupidity" bashing aside) is the indifference and arrogance of certain IT companies and personnel.
hsvandrew
Mar 8, 2010 9:59 PM
Sams this isn't true at all. A proper virus scanner protects against all threats: including those inside Internet Explorer. And if you were fair you'd accept all browsers have security flaws. The reality is this isn't the main way people get infected and this isn't the main reason people have money stolen. Microsoft does do a pretty decent job nowadays of getting fixes out quickly - in the real world people installing them is again a bigger issue. So how about you update your thinking and put reality back into the equation. Browser security problems exist, but everyone is guilty of that and the number of attacks is fairly low. You will actually find Internet Explorer 8 is the best at detecting bad sites/content out of any browser. I know we all love to bag Microsoft but sometimes they do get things right and we need to ack them when they do, just as we ack others when they do a better job.
Ace
Mar 9, 2010 1:42 AM
Detecting bad sites is one thing. It really only protects, or at least tries to protect, 'stupid users' (as you put it). Flaws in an internet client application can provide a tunnel through to your PC OS, no matter what browser you use, or what anti-virus/firewall you have installed.

The fact is, if you want to sell complex software to home users, you shouldn't expect them to be able to defend themselves against hackers hidden behind technicalities of internet protocols and redirection. You need to help the home user defend themselves. MS Windows and IE are the world's most popular OS/browser (according to stats), and as such, the level of responsibility borne by Microsoft to provide a safe and secure environment for home computer users is elevated.

The fact that the NSW Police consider this type of security to be important enough to make public comments about should provide a clue to the level of complaints/reports the police get about such attacks. It's obviously not trivial.
Graeme Harrison (prof at-symbol post.harvard.edu)
Mar 9, 2010 9:56 AM
I agree that the original advice and original article was good. Only by having such people come out and comment that the Emperor is indeed wearing no clothes does it keep pressure up on the "Windows community" and others to keep addressing security holes, for which the primary home computer operating system is well-known.

There are now some 256-bit Blowfish encryption apps for the iPhone, which means you can keep your log-in details for internet banking within a secure password "wallet" but to be sure, to be sure, one should still only provide a "hint" as to the actual password. As I have written elsewhere on ITnews, the banks actually work to defeat security by having so many long, complex and non-user-selected fields to log-in for a session, that people HAVE to write it all down. It would be better to be like a blog or web-site, where people choose their own identifier (not a client-number supplied by a bank), and then the banks should simply insist on long/complex passwords (again chosen by the user). If you insist on an 8+ character password (maybe forcing the inclusion of digits if not longer than 10 characters), then this 'beats' a 10-digit customer number (which is shown on bank documents) plus a four-digit PIN. One of my banks requires four separate fields to be entered. But frankly, this is a nonsense, as all you need is an ID and a password, and encryption fundamentals dictate that if three of the four are 'known fields' then the real security still only sits with the password. So the banks should allow people to do an internet banking session using their primary email field as ID (provided it passed the unique test at time of registering) and then an 8-10 character password chosen by the user. And reserve the entirely-separate hand-held or SMS verification for larger amounts or new payees.

And the banks should 'come clean' with real data on scams, including if your card was used at a site where skimming was deployed. Currently banks never disclose such data, even to those affected, preferring to put things only in the hypothetical "your account MAY have been compromised".
Sams
Mar 10, 2010 12:49 PM
hsvandrew: "A proper virus scanner protects against all threats: including those inside Internet Explorer."

How magical of them. No, they might attempt to, but they are not always going to be successful. They haven't been in the past.

"And if you were fair u'd accept all browsers have security flaws."

Where did I say that they didn't? However, flaws in IE are almost exclusively the ones targeted, which is why I used it as an *example*.

"Microsoft does do a pretty decent job now days of getting fixes out quickly"

Heh, is that a joke there?

"The reality is this isn't the main way people get infected and this isn't the main reason people have money stolen."

If you have a surefire way to prevent users from being negligent and uninformed about PC security, all the better - let's hear it rather than just kicking them. I'm more interested in strategies for protecting all of the other users with good habits and knowledge, as I have already stated.

"You will actually find Internet Explorer 8 is the best at detecting bad sites/content out of any browser."

I find that statement hard to believe as anything other than MS marketing hyperbole, because it would be incredibly hard to quantify what is "best" - show us the (non-MS backed) research then...