[LINK] PCs bad for banking: expert
cas at taz.net.au
Wed Mar 16 17:12:04 EST 2005
On Wed, Mar 16, 2005 at 11:23:04AM +1100, rchirgwin at ozemail.com.au wrote:
> So the banks are merely lying, absolutely through their teeth;
> moreover, they know they are lying. But they want to say "anything
> that happens now is your own fault".
as long as the banks are recommending MS Windows or IE, the banks are
at least partially at fault. if they are requiring MS Windows or IE,
then they are 100% at fault (i don't know if any still do that, but at
one time many did...and many still develop their banking sites to use
non-standard IE features).
even running firefox on MS Windows doesn't help if a keylogging virus or
trojan has already installed itself onto the OS.
it seems to me that there's a niche market for a live linux CD or USB
memory stick distribution with only the bare minimum required to run
a browser to access online banking sites (base system, networking, X,
gnome and/or kde, firefox etc). perhaps each bank could distribute their
own customised version.
a 128MB USB flash drive would be more than enough for this. it should
even be possible to fit on a 64MB drive, which are slightly cheaper.
linux CDs like gnoppix, knoppix, ubuntu and others are already capable
of booting and auto-detecting graphics hardware and networking, and
they have already been squeezed onto a USB stick. there are other live
CDs which can use CD multi-session features to store configuration
data (e.g. ppp logon details, optional ssl certificate[*], optional
encryption keys for sending encrypted mail). it wouldn't be difficult to
merge all of these ideas into one linux CD targeted at secure banking.
if bank customers only accessed online banking after rebooting to this
linux CD/USB stick then it wouldn't matter if their MS Windows system
was completely infested with viruses and trojans.
[*] i've often wondered why online banks don't have a "generate
certificate" option to allow the user to generate a personal certificate
signed by the bank.....and another option to require the certificate for
login (with passphrase, in addition to login name & PIN and optional
hardware security device).
this wouldn't be much extra protection on MS Windows (a virus can steal
a certificate and passphrase just as easily as it can log keystrokes),
but it would be very useful in conjunction with a linux banking CD.
in fact, i've also wondered why banks haven't got into the personal
certificate business. they have to go through the process of verifying
identity anyway, they're perfectly positioned to do it.
craig sanders <cas at taz.net.au> (part time cyborg)
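The "generate certificate signed by the bank" option described in the post is ordinary X.509 client-certificate issuance, and the login check is chain verification restricted to client authentication. The Go program below is an added example, not code from the post or from any bank's system, and uses only the standard library. It walks through both sides: the bank creates its issuing CA, the customer generates a key locally and sends only a certificate signing request (so the private key never leaves the customer's machine), the bank checks the request's proof of possession and signs a client-auth leaf, and the login-time check verifies that the presented certificate chains to the bank's CA. The names `Example Bank Customer CA`, `Some Other CA` and `customer-12345` are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a 128-bit random certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewBankCA creates the bank's self-signed issuing CA. A real bank would keep
// this key in an HSM; here it is generated in memory for the demonstration.
func NewBankCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCustomerRequest is the customer's side of "generate certificate": the key
// is created locally and only a CSR (public key + identity, self-signed to
// prove possession of the key) is sent to the bank.
func NewCustomerRequest(customerID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: customerID}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// IssueClientCert is the bank's side: verify the CSR's proof of possession,
// then sign a non-CA leaf that is only valid for TLS client authentication.
// The bank's own identity check of the customer is assumed to have happened.
func IssueClientCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               csr.Subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, // IsCA stays false: customers cannot issue certs
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClientCert is the login-time check: the presented certificate must
// chain to the bank's CA and carry the client-authentication usage.
func VerifyClientCert(caCert, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	caCert, caKey, _ := NewBankCA("Example Bank Customer CA") // constructed name
	_, csrDER, _ := NewCustomerRequest("customer-12345")       // constructed ID
	leaf, err := IssueClientCert(caCert, caKey, csrDER)
	if err != nil {
		panic(err)
	}
	otherCA, _, _ := NewBankCA("Some Other CA")
	fmt.Println("issued to:", leaf.Subject.CommonName)
	fmt.Println("accepted by issuing bank:", VerifyClientCert(caCert, leaf) == nil)
	fmt.Println("accepted by other CA:", VerifyClientCert(otherCA, leaf) == nil)
}
```

The customer's private key is the piece that has to be protected: stored encrypted under the passphrase the post mentions, it is the kind of small configuration item a live CD's multi-session area could hold. The example keeps the key in memory only, and the post's caveat stands, since malware on the host OS that logs keystrokes can capture the passphrase and copy the key file just as easily as it logs a PIN.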