[LINK] PCs bad for banking: expert

Craig Sanders cas at taz.net.au
Thu Mar 17 11:01:42 EST 2005


On Wed, Mar 16, 2005 at 05:51:01PM +1100, rchirgwin at ozemail.com.au wrote:
> > it seems to me that there's a niche market for a live linux CD or
> > USB memory stick distribution with only the bare minimum required
> > to run a browser to access online banking sites (base system,
> > networking, X, gnome and/or kde, firefox etc). perhaps each bank
> > could distribute their own customised version.
>
> Except ... I have tried the Damn Small Linux on USB. Boot up time
> is close to 10 minutes. Applications load so slowly that it's easy
> to think the application isn't loading at all; so about 1/2 hour
> later, you find yourself trying to close down the extra six browser
> windows...

ok, maybe flash disks are too slow. i don't know, i haven't tried to boot
linux from one, i only know that it's possible.

CD-ROMs, however, are not too slow. i've booted linux CDs hundreds of
times (mostly to install debian). in my experience, getting through the
BIOS tests and hardware scans takes a lot longer than booting linux from
CD. with any reasonably modern (that is, non-ancient) CD drive, the
boot time is not much different to booting from hard disk.


> > if bank customers only accessed online banking after rebooting to
> > this linux CD/USB stick then it wouldn't matter if their MS Windows
> > system was completely infested with viruses and trojans.
>
> It would be no harder for the banks to revert to using their own
> signed applications to access 'Net banking instead of the browser. As
> long as the concern of creating three clients (Windows, Mac, *nix)
> was addressed, it would be much better than the current,

that would be even worse than the current situation because they would
only bother writing the app for MS windows. maybe for Mac OSX too, but
probably not....thus forcing all internet banking users (even those who
know better) to use insecure garbage as the operating system.

> wilfully stupid reliance on the browser as the bank interface.

browser-based web sites are not the problem, they are NOT inherently too
insecure to use for banking.

the problem is the insecure operating systems (i.e. Microsoft Windows)
that browsers are often run on, and the insecure browser implementations
(i.e. IE) that many people use.

> Specs:
> - use a cross platform environment (Java perhaps?)
> - distribute the software
> - require users to authenticate the application offline (the 
> inconvenient but functional Advance Bank application, in which you got 
> the authentication key over the phone, for example)
> - do not accept login from an application which cannot verify itself.
> 
> Those are minima, I would fully expect better brains than mine to add to 
> the list.

this does not solve the problem. if the OS is compromised with
a keystroke logger, it doesn't matter at all whether the banking
application is a browser, a compiled C/C++ app, or a java app. the
keylogger will grab the login & password details anyway.

even if the bank tightly controls distribution of the app software, how
difficult do you think it would be for a virus/trojan to steal a copy of
the app (along with any config files, certificates, registry entries,
etc) at the same time as it logs the keystrokes? not hard at all, and if
there's money in it, some thief will do it.

the right fix is to reboot into a virus-free environment.....it's not
like rebooting is an unusual experience for windows users.


> It's not "Internet banking" as such. It's "browser banking" - which in
> the first instance was invented to make things more convenient at the
> cost of security. People warned about this at least five years ago;
> they were laughed at; they were right.

they were partly right, but mostly wrong.  it's not the browser in general,
it's specific browsers and specific operating systems that are the problem.

craig

PS: IMO, java is basically crap. it's slow and clumsy and completely
failed to live up to its promise of "write once, run anywhere".


-- 
craig sanders <cas at taz.net.au>           (part time cyborg)
