[LINK] PCs bad for banking: expert

rchirgwin at ozemail.com.au
Wed Mar 16 17:51:01 EST 2005


Craig Sanders wrote:

>On Wed, Mar 16, 2005 at 11:23:04AM +1100, rchirgwin at ozemail.com.au wrote:
>
>>So the banks are merely lying, absolutely through their teeth;
>>moreover, they know they are lying. But they want to say "anything
>>that happens now is your own fault".
>
>as long as the banks are recommending MS Windows or IE, the banks are
>at least partially at fault. if they are requiring MS Windows or IE,
>then they are 100% at fault (i don't know if any still do that, but at
>one time many did...and many still develop their banking sites to use
>non-standard IE features).

Let's see. Firefox works on SGB but it still generates "non-standard 
browser" warnings.

>even running firefox on MS Windows doesn't help if a keylogging virus or
>trojan has already installed itself onto the OS.
>
>it seems to me that there's a niche market for a live linux CD or USB
>memory stick distribution with only the bare minimum required to run
>a browser to access online banking sites (base system, networking, X,
>gnome and/or kde, firefox etc). perhaps each bank could distribute their
>own customised version.

Except ... I have tried the Damn Small Linux on USB. Boot up time is 
close to 10 minutes. Applications load so slowly that it's easy to think 
the application isn't loading at all; so about 1/2 hour later, you find 
yourself trying to close down the extra six browser windows...

>a 128MB USB flash drive would be more than enough for this. it should
>even be possible to fit on a 64MB drive, which are slightly cheaper.
>
>linux CDs like gnoppix, knoppix, ubuntu and others are already capable
>of booting and auto-detecting graphics hardware and networking, and
>they have already been squeezed onto a USB stick. there are other live
>CDs which can use CD multi-session features to store configuration
>data (e.g. ppp logon details, optional ssl certificate[*], optional
>encryption keys for sending encrypted mail). it wouldn't be difficult to
>merge all of these ideas into one linux CD targeted at secure banking.

Yes, the USB boot Linux worked, just extremely badly ... not a fault of 
Linux, but of the unbelievable slowness of the USB key.

>if bank customers only accessed online banking after rebooting to this
>linux CD/USB stick then it wouldn't matter if their MS Windows system
>was completely infested with viruses and trojans.

It would be no harder for the banks to revert to using their own signed 
applications to access 'Net banking instead of the browser. As long as 
the concern of creating three clients (Windows, Mac, *nix) was 
addressed, it would be much better than the current, wilfully stupid 
reliance on the browser as the bank interface.

Specs:
- use a cross platform environment (Java perhaps?)
- distribute the software
- require users to authenticate the application offline (the 
inconvenient but functional Advance Bank application, in which you got 
the authentication key over the phone, for example)
- do not accept login from an application which cannot verify itself.

Those are minima, I would fully expect better brains than mine to add to 
the list.

It's not "Internet banking" as such. It's "browser banking" - which in 
the first instance was invented to make things more convenient at the 
cost of security. People warned about this at least five years ago; they 
were laughed at; they were right.

RC

>
>craig
>
>[*] i've often wondered why online banks don't have a "generate
>certificate" option to allow the user to generate a personal certificate
>signed by the bank.....and another option to require the certificate for
>login (with passphrase, in addition to login name & PIN and optional
>hardware security device).
>
>this wouldn't be much extra protection on MS Windows (a virus can steal
>a certificate and passphrase just as easily as it can log keystrokes),
>but it would be very useful in conjunction with a linux banking CD.
>
>
>in fact, i've also wondered why banks haven't got into the personal
>certificate business. they have to go through the process of verifying
>identity anyway, they're perfectly positioned to do it.
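As an added illustration of the "Specs" list in the reply above (added here; it is not code from the post, from Advance Bank, or from any bank), the following Python shows one way a bank could accept a login only from a client application that can prove it holds a registration key delivered out-of-band, and reject an application that cannot verify itself. HMAC-SHA256 over a single-use random challenge, PBKDF2 for the stored PIN, and the sample customer id and PIN are assumptions chosen for the example, not a description of how any real bank system worked.

```python
"""Challenge-response login in which the bank accepts a session only from a
client application that can prove it holds a registration key delivered
out-of-band (read to the customer over the phone, in the post's example).

Added example, not code from the original post or from any bank. The HMAC
construction, the PBKDF2 PIN storage and the sample values below are
assumptions chosen to illustrate the rule "do not accept login from an
application which cannot verify itself".
"""
import hashlib
import hmac
import secrets


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked PIN store is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class BankServer:
    """Bank side. Holds, per customer, a salted PIN hash and the registration
    key that was delivered out-of-band; issues single-use random challenges."""

    def __init__(self):
        self._pins = {}      # customer id -> (salt, PBKDF2 hash of PIN)
        self._keys = {}      # customer id -> registration key (bytes)
        self._pending = {}   # customer id -> outstanding challenge

    def register_offline(self, customer_id: str, pin: str) -> bytes:
        """Enrol a customer and return the key that is handed over out-of-band.
        The key never travels over the login channel, so a keylogger watching
        a login session never sees it."""
        salt = secrets.token_bytes(16)
        self._pins[customer_id] = (salt, _pin_hash(pin, salt))
        key = secrets.token_bytes(32)
        self._keys[customer_id] = key
        return key

    def issue_challenge(self, customer_id: str) -> bytes:
        """Fresh random challenge for one login attempt; replaces any earlier
        unanswered one so stale challenges cannot accumulate."""
        if customer_id not in self._keys:
            raise KeyError("unknown customer")
        challenge = secrets.token_bytes(16)
        self._pending[customer_id] = challenge
        return challenge

    def verify_login(self, customer_id: str, pin: str, response: bytes) -> bool:
        """Accept only if the PIN matches and the response equals
        HMAC-SHA256(key, customer_id || challenge) for the outstanding
        challenge. The challenge is consumed whether or not the attempt
        succeeds, so a captured response cannot be replayed."""
        challenge = self._pending.pop(customer_id, None)
        if challenge is None:
            return False
        salt, stored = self._pins[customer_id]
        pin_ok = hmac.compare_digest(stored, _pin_hash(pin, salt))
        expected = hmac.new(self._keys[customer_id],
                            customer_id.encode() + challenge,
                            hashlib.sha256).digest()
        mac_ok = hmac.compare_digest(expected, response)
        return pin_ok and mac_ok


class ClientApp:
    """Customer side. Only an application that was given the out-of-band key
    can answer a challenge; one without it cannot verify itself."""

    def __init__(self, customer_id: str, registration_key: bytes):
        self.customer_id = customer_id
        self._key = registration_key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.customer_id.encode() + challenge,
                        hashlib.sha256).digest()


def login(server: BankServer, app: ClientApp, pin: str) -> bool:
    """One complete login exchange: challenge out, response back, verdict."""
    challenge = server.issue_challenge(app.customer_id)
    return server.verify_login(app.customer_id, pin, app.answer(challenge))


def demo() -> dict:
    """Constructed scenario: one enrolled customer, a genuine application, an
    application that never received the out-of-band key, and a replayed
    response. Customer id and PIN are sample values."""
    server = BankServer()
    key = server.register_offline("cust-001", pin="2468")
    genuine = ClientApp("cust-001", key)
    unverified = ClientApp("cust-001", secrets.token_bytes(32))  # no real key
    results = {
        "genuine": login(server, genuine, "2468"),
        "wrong_pin": login(server, genuine, "0000"),
        "unverified_app": login(server, unverified, "2468"),
    }
    # Replay: a valid response from one session is presented a second time.
    challenge = server.issue_challenge("cust-001")
    response = genuine.answer(challenge)
    results["first_use"] = server.verify_login("cust-001", "2468", response)
    results["replay"] = server.verify_login("cust-001", "2468", response)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The point the example makes is the one the reply is arguing: the secret that proves the application is genuine is entered once from the out-of-band delivery and is never typed during a login, so the login session itself carries nothing a keystroke logger can reuse, and each challenge is accepted only once. It does not change the caveat Craig raises about MS Windows: on a machine that is already compromised the key can be lifted from the application just as a certificate and passphrase could, which is why the thread pairs this kind of scheme with booting a clean system.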

