Windows and Online Banking: A Dangerous Mix: Page 2
The only software installed on the machine would be that necessary for banking. Email, for example, should be avoided. In fact, applications that aren't needed should be un-installed (good-bye Outlook Express) and services that aren't needed should be disabled. If at all possible, the system should be run from a restricted user ID.
In August, Krebs wrote that this approach was suggested by a banking industry group, the Financial Services Information Sharing and Analysis Center. Back in July, Joe Stewart of SecureWorks also suggested this approach for defending against the Clampi Trojan.
To further avoid malware infection, the system could have all changes wiped out every time it shuts down. This is easily done in a virtual machine and can be implemented on a real computer using software such as Deep Freeze or Microsoft's SteadyState.
The problem with backing out all changes is that the anti-malware software can't update itself. Likewise, it will have to be turned off occasionally to allow the operating system and other software to apply patches.
A less intrusive option for avoiding new infections is Sandboxie, which I wrote about last time.
This is certainly a reasonable approach, but it may be unrealistic for many people and businesses. And, even taking all these steps, it's not obviously safer than re-booting to run Linux. Nor is it easier.
Brian Krebs and I are far from the only ones recommending Firefox under Linux for online banking.
Even Joe Stewart said "Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts."
In making his case, Krebs pointed to a 32-page SANS Technology Institute white paper, Protecting Your Business from Online Banking Fraud that says:
"The paper provides a number of possible ways to mitigate these types of attacks. A defense in-depth approach is used to provide multiple mitigation recommendations. The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions."
In other words, boot Linux off a CD.
The paper discusses additional defensive steps: protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions. Interestingly, it doesn't mention running as a restricted user. All this recalls my earlier point - keeping a Windows computer secure can be too much work to be realistic.
Just a few days ago, ZDNet blogger Adrian Kingsley-Hughes cited the Krebs recommendation for Linux and concluded: "I'm going one step further, and suggesting that no one use Windows for either banking or online shopping. Period."
To someone with a single computer, following this advice means shutting down Windows, booting Linux, doing online banking, then restarting Windows. A hassle for sure. But, to Kingsley-Hughes, "... the risk of using Windows outweighs the convenience."
Over at TechRepublic.com Michael Kassner has been writing about crimeware recently. He started out asking how safe it is, then he offered more details on how online banking crimeware works. His most recent article on the topic examined assorted solutions for safe online banking.
As for himself, he says "I plan on using a LiveCD from now on when I am doing any kind of online banking or retail transaction. That way, I know the operating system is not compromised. It's going to be a pain, but I do not see any other recourse at this time."
The articles by Kassner and Kingsley-Hughes generated hundreds of reader comments. One often-discussed solution is to do online banking from inside a Linux virtual machine to isolate it from a possibly infected copy of Windows.
Perhaps the biggest problem with this approach is keystroke logging. If the host operating system is infected with a keystroke logger, it should still be able to see all the keystrokes, including passwords, as they start out in the host system before being transmitted to the virtual guest system.
Also, some malware sniffs network traffic and thus could see data coming into and out of the virtual machine. And data can go back and forth between the host and guest operating systems, be it by normal file sharing, a special feature of the virtual machine software or a bug.
Banking from within a Linux virtual machine is unquestionably safer than from Windows, but it's not as safe as booting Linux from a CD, USB flash drive or SD memory card. And the hassle factor may even be higher.
Phishing and Linux
While Linux, in and of itself, does nothing to protect you from phishing emails, you can be protected by not doing email while running Linux.
Randy Abrams, the Director of Technical Education at ESET (the company behind NOD32) recently said "NEVER click on a hyperlink to your Bank's Website. If you receive an email from your bank, that you are positive, beyond any doubt, came from your bank, do not click on any hyperlinks. The rule is NEVER click on hyperlinks to your bank's web site."
Why such caution? Better safe than sorry, for one. It can be very hard to determine if an email message is legitimate. The FROM address, for example, is easily forged. Copying images from a bank website into an email message is also trivial.
And the bad guys have lots of experience with scams; making things look legit and reasonable is their stock in trade. You can practice detecting scams at the SonicWALL Phishing and Spam IQ Quiz.
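As an added example (not from this article or any source it quotes), here is a small Python check for two of the tells described above: a From: header whose domain differs from the envelope sender, and hyperlinks whose real destination is not the claimed bank's domain even though the visible text looks like the bank's address. The message, addresses and domains below are constructed placeholders.

```python
"""Added example: flag a forged-looking From: header and misleading hyperlinks.
Every header, address and domain here is constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to come from the bank, but the envelope sender
# (Return-Path) and the first link's real target belong to another domain.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Verify your account
Content-Type: text/html

<html><body><p>Please sign in:
<a href="http://examplebank.com.login.example.net/verify">https://www.examplebank.com/</a>
or <a href="https://www.examplebank.com/help">help page</a></p></body></html>
"""

def _domain(addr_or_url: str) -> str:
    """Last two labels of the host, lower-cased (a rough registrable domain)."""
    if "://" in addr_or_url:
        host = urlparse(addr_or_url).hostname or ""
    else:
        host = addr_or_url.split("@")[-1]
    return ".".join(host.lower().split(".")[-2:])

class _Links(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def check_message(raw: str) -> dict:
    """Return the sender domains, whether they disagree, and links to distrust."""
    msg = message_from_string(raw)
    from_dom = _domain(parseaddr(msg["From"])[1])
    path_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    parser = _Links()
    parser.feed(msg.get_payload())
    suspicious = [href for text, href in parser.links
                  if _domain(href) != from_dom                            # target leaves the claimed sender's domain
                  or ("://" in text and _domain(text) != _domain(href))]  # visible URL differs from real target
    return {"from_domain": from_dom, "return_path_domain": path_dom,
            "sender_mismatch": from_dom != path_dom, "suspicious_links": suspicious}
```

A sender mismatch is a signal rather than proof, since legitimate bulk mailers also send through third-party relays; the link check is the stronger tell, and it only confirms the rule above that bank links in email are not to be clicked.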