Windows and Online Banking: A Dangerous Mix
This security expert uses Windows for most functions, yet feels it's not safe enough for the average user to trust for online banking.
In August I wrote an article here suggesting that, rather than doing online banking from a Windows computer, a much safer approach is to reboot into Linux (from a CD, USB flash drive or memory card) and run Firefox under Linux to access banking websites.
Now, a consensus seems to be forming behind this idea.
For months, Brian Krebs has been writing in the Washington Post about companies, municipalities and school districts that suffered large losses due to online banking fraud. The impetus for my article came from one of his first stories.
After interviewing businesses that suffered these losses, Krebs would inevitably be asked by the owners of the business about protecting themselves going forward. Addressing this in a recent column, he said:
"The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online. I do not offer this recommendation lightly ... But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way ... all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer."
The rest of the column goes on to discuss security measures taken by assorted banks and how the bad guys breached every one of them.
Antivirus and Anti-spyware Software
If you think anti-virus and/or anti-spyware software will protect a Windows computer, think again. You are certainly safer running anti-malware software but you are not safe. As Randy Abrams of ESET put it recently, "There was a day that anti-virus software could protect you against almost all of the viruses in the world, but that day was significantly more than a decade ago."
Anti-malware software is only one line of defense, and it cannot be your only defense. Whether anti-malware software protects you 10% of the time or 90% of the time, everyone agrees that it cannot protect you 100% of the time.
In one case that Krebs wrote about, the malware that drained the bank account first infected the computer a year earlier, despite antivirus software. When I'm called on to clean up an infected computer, I always run a handful of anti-virus and anti-spyware programs. Normally, the third, fourth and fifth scans find malware that the first few products missed.
The amount of malware targeting Windows is staggering.
Just days after my previous article on online banking was published, Trend Micro reported that "... in the first six months of 2008 ... 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double at 491.2 million." The same blog posting says that AV-Test.org is finding more than a million new malware samples every month. In the good old days of 2007, they only had 5,490,000 samples of malware.
This is not scare mongering designed to push Linux (certainly Trend Micro didn't offer those numbers to promote Linux). I have no stake in promoting or knocking any particular operating system. I have used Windows XP for years and will continue to do so. But Linux strikes me, and others, as a perfect environment for running Firefox to do online banking.
Windows computers can certainly be run safely and securely. However, in my opinion, doing so takes too much work and requires too much technical experience. Non-techies don't have a fighting chance.
A few months ago, the Clampi Trojan was getting a lot of press coverage. At the time, I wrote Defending against the Clampi Trojan, showing various techniques to protect a Windows computer from Clampi. It's a long list, too long, and it's far from complete. Just one item on the list, keeping all the installed software up to date, is, in and of itself, all but impossible for non-techies.
Along these lines, see my blog posting - Are you competent to run Windows safely? Even if you pass the test, think of everyone you know that runs Windows. Would they pass?
Man In The Browser
If you think the concern about Windows security is overdone, consider the hidden programs running inside Internet Explorer.
From IE7, go to Tools -> Manage Add-ons -> Enable or Disable Add-ons, and then look at the four sub-categories of add-ons. From IE8, go to Tools -> Manage Add-ons and review the various add-ons of each type (for Toolbars and Extensions, be sure to show all).
Chances are you won't know what most of these add-on programs are, or what they do. Yet they run inside Internet Explorer. Even if you trust Microsoft, many of these programs come from third parties. You are implicitly trusting these programs every time you visit a website.
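The Manage Add-ons dialog shows what IE is loading, but it does not tell you where each add-on lives on disk or whether its code is signed. The PowerShell script below is an added example, not part of the original article; it walks the registry locations where Internet Explorer records Browser Helper Objects (the add-on type that runs inside every IE process), resolves each CLSID to the DLL that IE loads, and reports the DLL's Authenticode signature status. The registry paths and the Get-AuthenticodeSignature cmdlet are real; the function name and output layout are my own choices.

```powershell
# Added example: inventory Internet Explorer Browser Helper Objects (BHOs)
# and check whether each one's DLL carries a valid Authenticode signature.
# Run in an elevated PowerShell window on the machine being reviewed.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows registers its add-ons under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-IEBrowserHelperObjects {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            # Each subkey name is the CLSID of one add-on
            $clsid = $key.PSChildName
            # The CLSID's InprocServer32 default value is the DLL IE will load
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }
            if ($dll -and (Test-Path $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                $sig = 'DllMissing'   # registered, but the file is gone or unresolvable
            }
            New-Object PSObject -Property @{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $sig
            }
        }
    }
}

# Unsigned or missing DLLs sort to the top so they are reviewed first
Get-IEBrowserHelperObjects | Sort-Object Signature | Format-Table CLSID, Signature, Dll -AutoSize
```

A status of NotSigned is a reason to identify the publisher, not proof of malware, and a Valid signature only proves who signed the file, not that it belongs in your browser. What the list does give you is the same thing the Manage Add-ons dialog hides: a concrete file path for every third-party program that will run alongside your banking session.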
Dangerous software inside your web browser is not limited to Internet Explorer. Just today, I was running Firefox on a Windows XP machine when the browser popped up a warning about an unsafe plug-in. In this case, Firefox was smart enough to disable the vulnerable software on its own - very impressive. The vulnerable, buggy software had been installed by Microsoft during an update to the .NET framework component of Windows.
According to Finjan, the URLZone Trojan does its nastiness after burrowing its way into your web browser (it attacks IE, Firefox and other browsers). This gives it total access to web pages coming and going. For example, after transferring money out of an account, it will modify the returned web page from the bank to show a larger balance, thus hiding the outbound transfer(s) it generated.
It's not just the browser, it's Windows itself that can't be trusted.
Someone wanting no part of Linux can instead opt for a dedicated banking computer. Whether real or virtual, this would be an instance of Windows that starts out with a fresh, clean, full installation of the operating system, followed by its service packs and subsequent patches. Then anti-malware software and a two-way firewall would be installed.