Windows not fit for online banking, says Washington Post blog
It would be easy for Linux and Mac users to point to this blog post by Brian Krebs at the Washington Post's Security Fix and feel smug. The post flat out states that the simplest, most cost-effective way to avoid online fraud is: "Don't use Microsoft Windows when accessing your bank account online."
If you're a Windows user, ouch.
But hold on a second. The thing is, Krebs isn't endorsing the Mac or Linux platform in his condemnation of Windows. Rather, he's pointing out that Windows is the most-targeted platform, but that certainly doesn't mean that Macs or Linux machines are invulnerable.
Krebs points out that the safest way to avoid malware and make sure your banking session is secure is to boot your machine from a Live CD that is a pristine, uninfected environment. Live CDs are typically Linux variants, but the OS doesn't really matter -- what matters here is that you are booting an operating system that malware can't infect because its state is not persistent.
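As an added example (not code from the post or from Krebs), a POSIX shell check for the property this paragraph relies on: whether the root filesystem you are running from actually discards writes at shutdown. It parses /proc/mounts-style lines (the sample lines inside the script are constructed), and treats an overlay root whose writable layer sits on a disk partition, as live-CD "persistence" modes do, as persistent rather than pristine.

```shell
# Constructed /proc/mounts samples (not from the post): a Debian-style live boot,
# the same live boot with a persistence partition, and an ordinary installed system.
LIVE='/dev/sr0 /run/live/medium iso9660 ro,relatime 0 0
/dev/loop0 /run/live/rootfs/filesystem.squashfs squashfs ro,relatime 0 0
tmpfs /run/live/overlay tmpfs rw,noatime 0 0
overlay / overlay rw,relatime,lowerdir=/run/live/rootfs/filesystem.squashfs,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0'
LIVE_PERSIST='/dev/loop0 /run/live/rootfs/filesystem.squashfs squashfs ro,relatime 0 0
/dev/sdb2 /run/live/persistence/sdb2 ext4 rw,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/run/live/rootfs/filesystem.squashfs,upperdir=/run/live/persistence/sdb2/rw,workdir=/run/live/persistence/sdb2/work 0 0'
INSTALLED='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0'

# root_fstype MOUNTS: filesystem type of the entry mounted on "/"
root_fstype() {
  printf '%s\n' "$1" | awk '$2 == "/" { print $3; exit }'
}

# overlay_upperdir MOUNTS: the upperdir= option of the root overlay (empty if none)
overlay_upperdir() {
  printf '%s\n' "$1" | awk '$2 == "/" {
    n = split($4, o, ",")
    for (i = 1; i <= n; i++) if (sub(/^upperdir=/, "", o[i])) print o[i]
    exit }'
}

# fstype_holding PATH MOUNTS: type of the longest-prefix mount point that contains PATH
fstype_holding() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
      if (length($2) > best) { best = length($2); fs = $3 } }
    END { print fs }'
}

# is_nonpersistent_root MOUNTS: exit 0 when writes to "/" are discarded at shutdown.
# Heuristic: a RAM-backed root, or an overlay whose writable layer lives on tmpfs/ramfs.
# An overlay whose upperdir sits on a disk partition (live "persistence") keeps state.
is_nonpersistent_root() {
  case "$(root_fstype "$1")" in
    tmpfs|ramfs|squashfs|aufs) return 0 ;;
    overlay|overlayfs)
      up=$(overlay_upperdir "$1")
      [ -z "$up" ] && return 0
      case "$(fstype_holding "$up" "$1")" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}
```

On a real machine, run `is_nonpersistent_root "$(cat /proc/mounts)"`; it is a check on the mount table only, and says nothing about whether the boot medium itself was built clean.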
This is solid advice, and it leads me to wonder how long it will be before the major OS makers offer a locked-down virtual machine, or better yet a locked-down banking partition: a fast-booting, lightweight OS containing only a secure browser with which to do your most sensitive online tasks.
Kind of sounds like a job for Chrome OS, doesn't it?
Comments (28)

PC-VIP, Oct 14th 2009 2:14PM
This is BRILLIANT Analysis
Computers aren't insecure, CORRUPTED computers are insecure.
We've been training our clients to deal with decisions like this forever. Nice to see a smart answer like this crop up in a big way!
Jeff Yablon
President & CEO
http://answerguy.com
Rob, Oct 14th 2009 3:26PM
This is ridiculous; Windows is the best client OS for online banking. One can use Trusteer security software to prevent OS APIs from accessing the browser during transactions, as well as provide for encrypted keystrokes that are decrypted at the bank website. ING Direct gives it away for free.
Rob, Oct 14th 2009 3:28PM
The Trusteer thing also prevents man-in-the-middle attacks, because in the insanely unlikely event that the SSL connection is compromised, the attacker will just have encrypted gibberish.
http://www.trusteer.com/technology
Todd, Oct 14th 2009 2:19PM
Back up a little bit and address the core issue:
Never allow an app to access the OS kernel. Isolate one app from the other. Don't give any app 100% CPU resources.
Is Windows 7 still violating all the above no-brainers?
kon, Oct 14th 2009 2:41PM
Not as far as I can tell (then again, I have a quad core). There's a strict UAC in place - but people choose to turn that off, because it's "annoying". Stupid people should not be allowed to turn that off. Smart people don't get viruses.
sitruc, Oct 14th 2009 2:46PM
Washington Post computer and technology coverage is a joke.
mcornickm, Oct 14th 2009 2:48PM
So what they are saying is use an OS that most people don't use and you're OK. Great.
Lee Mathews, Oct 14th 2009 2:49PM
Sure, his suggestion makes sense - to us. But what about the average user (including executive types who read the Post)?
Open question to the readers: do you think the average Joe will care enough to find, download, and burn a LiveCD AND figure out how to use it?
My vote: nope.
If you agree, what's a more workable solution - assuming most of the people won't jump through non-Windows hoops?
Jonathan Harford, Oct 14th 2009 2:53PM
Just what I need -- one more laborious step keeping me from paying my bills on time. If I'm really concerned, I'll use Firefox in an Ubuntu virtual machine -- I'm sure that'll be locked-down enough, right?
blueruckus, Oct 14th 2009 3:09PM
In related news, the best way to avoid dying in a plane crash is to not be in a plane.
williamjaywhalen81, Oct 14th 2009 3:10PM
I'll use my AS/400.
aircave, Oct 14th 2009 3:38PM
option b... regular malware scans, anti-malware (2+), firewall, HIPS, updated software, sandboxed browsers, xp-antispy (or equiv.), opera (no js/java) or firefox (noscript + AbP + WOT + SSLBlacklist)
Jordan, Oct 14th 2009 3:18PM
This is just some douche who has something against Windows and is trying to get recognition for putting it down.
Don't use Windows for online banking? Well then I guess not many people in the world are going to use online banking.
Danny, Oct 14th 2009 3:25PM
It's not all about the OS when it comes to "secure" online banking. Windows would be more secure than Linux if the user has never been an admin on the box and the machine is updated regularly. Most malware is written for Windows because most people use Windows. If we all switched to Macs, I'm sure you'd hear more about the Mac vulnerabilities and the exploits written for those vulnerabilities.
If I told you that people on the Gulf Coast should build all-glass houses, because fewer glass houses were destroyed by Hurricane Katrina than brick houses, you would laugh in my face. That's exactly what Brian Krebs is doing in this article. Just because you live in the glass house of Unix doesn't mean you're secure. By default, Ubuntu has no firewall running, Firefox has its own set of vulnerabilities and so does everything else you use.
If you want safe banking, do it yourself. Pencil and paper and a safe with biometric controls and an impenetrable outer casing.
whatever, Oct 14th 2009 3:46PM
Running a "pristine live CD" in a virtual environment makes no sense. The virtual PC is only as secure as its host. Therefore, if you have a compromised primary machine, putting a virtual PC on top of it does exactly nothing.
Raaj, Oct 14th 2009 4:02PM
This is a knee-jerk reactionary article, from an author that 'plays with five computers and dozens of other chirping blinking devices.'
Sure, booting from a LiveCD will prevent the OS from being infected... but what about phishing and social engineering attacks? What about SSL compromises? What if the host OS has already been compromised when the user visited teh pr0n sites, or downloaded some shady software from sleazy web sites? Using a LiveCD in that case will not completely protect the user.
In the end, the article should have been titled "stupid users are not fit for online banking, or Web surfing altogether." Even if the stupid user hides behind LiveCDs, or a *nix-based OS for long if s/he continues to use stupid decisions while online.
216, Oct 14th 2009 4:11PM
No OS is safe from Phishing attacks
really, the ONLY thing that can save you from a phishing attack is awareness
set, Oct 14th 2009 4:29PM
Has there been actual theft from online banking exploits? You can't withdraw cash online. The potential for crime is rather overstated, IMO.
set, Oct 14th 2009 4:33PM
I didn't know people could initiate wire transfers online. All my online banking is good for is checking balances and billpay.
hazard, Oct 15th 2009 2:24AM
Cash transfer is a pretty common feature, though the traceability is rather obvious and trivial.
Best bit of advice for anyone who has been scammed in any way... go to the police straight away even if the bank says you don't need to. The police love investigating banking fraud and the banks will usually piss around until the cops get involved.