Windows and Online Banking: A Dangerous Mix: Page 3
Links in email messages can appear to go one place, but actually take you somewhere else. Long ago I documented some of the technical tricks employed to do this on the Links that Lie page on my personal website.
For online banking, the safest approach is to start out at your bank's website by typing in the home page address manually.
Even FBI Director Robert Mueller recently admitted that he almost fell for a phishing scam after reading an email message that appeared to come from his bank. As he put it, "They had mimicked the e-mails that the bank would ordinarily send out to its customers; they'd mimicked them very well." He came clean to his wife and tried to pass it off as a "teachable moment." She would have none of that and no longer lets him do online banking with their money.
Online Banking Protections
Let's assume the worst has happened: an online banking account is victimized by fraud and funds are transferred out of the account by malicious software and/or people.
The rules for who gets left holding the bag are different for businesses and consumers. Brian Krebs wrote about companies that suffered real, substantial losses. In some cases, banks agreed to cover some of the losses, but they didn't have to.
If you do online banking, you would be well served to read the fine print.
Consumers who bank with Chase, for example, are covered for unauthorized online use of a deposit account if they inform Chase within two days of discovering the usage. What if you get a bank statement in the mail on Monday, open it on Friday and call Chase on Friday? Is that the same day you discovered it, or does the clock start ticking on Monday?
Chase will not cover losses resulting from "Failing to completely exit the service when you're done with your session or away from your computer" or from "negligent handling of your User ID and Password."
Anyone can download a copy of Linux for free and burn it to a CD. In fact, Canonical, the company behind Ubuntu, will go so far as to ship you a CD for free.
You can also make your own bootable copy of Linux on a USB flash drive or memory card. But, if you'd rather not, you can order many different Linux distributions on either a CD, USB flash drive, CF card or SD card at On-Disk.com.
But which Linux? There are more distributions than grains of sand on a beach (in Linux lingo a distribution is a version or an edition). I suggest Ubuntu simply because it's mainstream. The SANS white paper argued for Xubuntu. The most important thing you need to know is that not all distributions include Firefox. Both Ubuntu and Xubuntu ship with Firefox pre-installed.
Nothing is Perfect
Even if you bank exclusively from Linux, setting up alerts offers an extra level of safety. Check if your bank can automatically send you an email or text message whenever money over a certain amount leaves your account or when your account falls below a certain dollar amount.
Randy Abrams points out that booting Linux from a CD will not protect you from hardware-based keystroke loggers. But then he says, "If you have a hardware keystroke logger on your computer you have much bigger problems." Indeed.
And Firefox is still Firefox, even running under Linux. For maximum safety, only access one website at a time. With multiple tabs open, there's always a chance that one site can peek into activity in another tab.
Firefox under Linux is also vulnerable to malicious DNS servers. The best defense against this is changing the password in your router to foil automated software that exploits the default router password. I also suggest configuring your router to use DNS servers from OpenDNS rather than the DNS servers from your ISP. OpenDNS offers assorted enhanced protections.
When Linux is running from bootable media (CD, USB flash drive, memory card), it may be able to see the files on the internal hard drive (depending on the distribution). For maximum safety, you can logically unmount the hard drive from within Linux, making it invisible to any malicious or compromised websites.
In conclusion, let me point out that software can only do so much. I've been blogging for a while on Defensive Computing and have always felt that education was a big part of it. Forced to summarize Defensive Computing in as few words as possible, it would be "always be skeptical."