2010 will, I predict, be the year that banks must change how they do business online. Each day brings new reports of a dramatic increase in cyber crime. Increasingly, anti-virus products are unable to detect and block the malware known as “trojans,” and law enforcement is unable even to identify many of the perpetrators, much less bring them to justice.
As with many of today’s issues, it will take a dramatic event to raise awareness of how serious this problem is, and that is just a matter of time. But it also means that, once again, many consumers will be blithely unaware of the issue until it is too late for them.
Fortunately there are journalists and security experts working to alert the public both to the problems and to some interim solutions that are fairly simple to implement. First I will outline the problem and the solutions that have not worked, then describe a reasonably simple solution that does work, and finally provide references that give many more details.
Microsoft Windows
Ever since the first computer viruses appeared, crackers have been trying to subvert personal computers, and Windows in particular. At first it was mostly socially inept kids who were responsible for the problems, but those days are long past. Today, well-organized gangs of sophisticated criminals, mostly in Russia, Eastern Europe, and China, focus on vulnerabilities in Web browsers and in current banking systems.
While most efforts are directed at Internet Explorer, today no browser is safe, including Firefox, Safari, Opera, and the rest. And while Apple Macintosh and Linux users have smugly claimed that their systems are safe and secure, this is no longer true. Anyone who uses a computer with a Web browser to access a financial Web site is vulnerable to attack.
Over one million unique malware samples are detected every month, and others go unseen even by the best anti-virus software. The vast majority target Microsoft Windows and Internet Explorer, but every computer, operating system, and Web browser is at risk.
Let’s look at some specifics reported by Brian Krebs of The Washington Post. In July 2009, cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky. David Johnston, owner of Modesto, Calif.-based Sign Designs, lost nearly $100,000 on July 23, 2009, to Windows-based malware. Thieves used the same approach to steal $447,000 from Ferma Corp., a demolition firm in Santa Maria, Calif. In each of these cases the criminals bypassed both the password and a second layer of security, the popular “security tokens” that generate one-time passwords and were designed to prevent exactly these attacks.
How is this possible? Talented hackers have developed sophisticated “trojan development kits” that let other, less skilled criminals mount large-scale attacks and control tens of thousands of infected PCs from one location. These kits and the malware families built with them, with names such as Clampi, Mebroot, URLzone, Silentbanker, and Zeus, have been around for years but are only now becoming widely known.
Innocuous sites, including Facebook and other social gathering places, are being used to spread infections. As many as 1 out of every 15 people who frequent these sites may become infected. Once a PC is infected, the thieves watch and wait, sometimes for up to 18 months, timing their attacks to steal the largest amounts of cash.
The key thing to remember is that once you are infected, the criminals are inside your browser and can control your PC. From that point the bank cannot tell their actions from yours: they can make or alter transactions while you are logged in, after you have already typed your password and the one-time code from your token, and the encrypted (https) connection carries their traffic just as faithfully as it carries yours.
Attempts are being made to create so-called “hardened” browsers that take control of a PC before any criminal software can. However, given the fundamentally insecure nature of the Windows operating system (such a product still runs on top of the same installation the malware has already compromised), products such as Authentium’s SafeCentral can be defeated, as demonstrated by a researcher at digit-labs whose motivation appeared to be a dislike of the company’s claims of invulnerability.
The only safe computer is one that is unplugged, disassembled, and unusable. Any usable computer carries some level of risk. This has always been true, but never more so than today, and especially when banking online.
Some experts say that one way to avoid these risks is to buy a second PC that is used only to access financial Web sites and nothing else. Apart from the cost, it should be immediately obvious that at some point the temptation to “just browse a bit” after banking will defeat this strategy, especially if for some reason the primary PC is not available.
While the problems are indeed serious, there are ways to minimize the risks without giving up Web browsers altogether and banking only face-to-face with a teller you know better than a family member.
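To make concrete why the tokens in the cases above did not help, here is an added example in Python (not code from this article, and not any bank’s protocol): a toy transfer flow in which the customer logs in with a token-generated one-time password, a trojan inside the browser rewrites the transfer after login, and the bank’s check still passes. A second check shows the alternative that the Gühring and Gartner papers in the references argue for: a code computed on a separate device over the destination and amount themselves. The token seed, account numbers and amounts are all made up.

```python
"""Why a login OTP does not stop a man-in-the-browser transfer.

Added example, not from the article. Models in plain Python the flow the
text describes: the customer authenticates with a token OTP, then submits
a transfer; malware in the browser rewrites the transfer after
authentication. Then shows the fix the referenced literature proposes: a
confirmation code bound to the transaction's own fields. Every secret,
account number and amount is invented; no real bank protocol is shown.
"""
import hashlib
import hmac

# Hypothetical seed shared by the bank and the customer's token device.
TOKEN_SEED = b"demo-token-seed-not-a-real-secret"


def _code(message: bytes) -> str:
    """Six-digit code from an HMAC over `message` (truncated like HOTP-style tokens)."""
    mac = hmac.new(TOKEN_SEED, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def login_otp(counter: int) -> str:
    """Event-based OTP: depends on the counter only, not on what is sent afterwards."""
    return _code(counter.to_bytes(8, "big"))


def transaction_code(counter: int, to_account: str, amount_cents: int) -> str:
    """Transaction-bound code: the device displays account and amount, then signs them."""
    msg = counter.to_bytes(8, "big") + to_account.encode() + b"|" + amount_cents.to_bytes(8, "big")
    return _code(msg)


def browser_submits(to_account: str, amount_cents: int, counter: int) -> dict:
    """The transfer form as the customer intends it, carrying both kinds of code."""
    return {
        "to": to_account,
        "amount": amount_cents,
        "otp": login_otp(counter),
        "tan": transaction_code(counter, to_account, amount_cents),
    }


def mitb_rewrite(form: dict, mule_account: str, mule_amount_cents: int) -> dict:
    """What the trojan does: swap destination and amount, keep every code it cannot forge."""
    tampered = dict(form)
    tampered["to"] = mule_account
    tampered["amount"] = mule_amount_cents
    return tampered


def bank_accepts_with_otp(form: dict, counter: int) -> bool:
    """Bank checks only that the session was authenticated by a valid OTP."""
    return hmac.compare_digest(form["otp"], login_otp(counter))


def bank_accepts_with_tan(form: dict, counter: int) -> bool:
    """Bank recomputes the code over the very fields it is about to execute."""
    expected = transaction_code(counter, form["to"], form["amount"])
    return hmac.compare_digest(form["tan"], expected)


if __name__ == "__main__":
    counter = 42
    legit = browser_submits("DE00 1234 5678", 25_000, counter)     # constructed: 250.00 to a known payee
    stolen = mitb_rewrite(legit, "UA00 9999 0000", 9_500_000)      # constructed: 95,000.00 to a mule
    print("OTP-only bank accepts tampered transfer:", bank_accepts_with_otp(stolen, counter))   # True
    print("Transaction-bound bank accepts it:", bank_accepts_with_tan(stolen, counter))       # False
```

The attack succeeds against the first check because the OTP proves only that the customer was present at login, not what the customer meant to send. The second check holds only if the code is produced on a device the browser cannot reach and that device shows the customer the account and amount it is signing; if the details reach the device through the infected PC and are never displayed, the trojan can simply feed it the mule’s details.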
A Reasonably Simple Solution
It is possible, without giving up Windows or Web browsers, to use a version of the Linux operating system in such a way that the chance of being attacked by malware on your PC is greatly reduced. Without going into a lot of technical detail, I will briefly describe the solution. For those who are interested in pursuing this, I will write a follow-up article giving specific details of how it is done.
If you have ever installed a program or application onto a computer, you will remember that this is a process of copying software—from either a CD-ROM or from a Web site on the Internet—to the hard disk inside your computer. After this you can access the new software whenever you start your PC.
What you may not know is that it is also possible to load a program into your computer’s memory without ever copying it to the internal hard disk. The new software is then available only while the PC keeps running: as soon as the machine is turned off it disappears, and it is gone the next time you turn the computer on.
It is also possible to load a complete working copy of the Linux operating system directly into memory in the same way, bypassing the hard disk completely. Why would anyone do this? It was originally a way to quickly demonstrate Linux to people with Windows-based computers who would not otherwise want to spend the time and trouble of installing a second operating system.
Another reason to do this today is that, as mentioned above, one good way to bank safely online is to use a dedicated computer that is used for nothing else. With a live system you are effectively reinstalling the operating system every time you use it, from a known source that you control, and nothing on the PC’s hard disk, including any trojan living there, is ever run. If for some reason the browser is compromised during a session, simply turning off the computer discards the problem along with everything else that was in memory. That guarantee holds only if the boot medium itself cannot be changed: a CD-R, or a USB stick used without a persistent save file (some live distributions offer to save the session to the stick at shutdown, which would carry anything that got in over to the next boot).
If that sounds like a lot of trouble and complexity just to do online banking, it is not. Booting a live Linux takes less time than it takes just to start up your Windows PC. Linux is free, and you can carry your “new Linux PC” on a tiny USB stick on your key ring and use it at any Internet café, shielded from whatever malware lives on that machine’s hard disk (though not from a hardware keylogger plugged into it or from a hostile network, so keep checking that the bank’s address and the https padlock are what you expect).
This way you have the best of both worlds. Running Linux from memory will not harm or alter your Windows-based PC and, once you become familiar with the speed and elegance of Linux, you may find that you don’t use Windows as much any more.
Stay tuned for specific details about obtaining “Puppy Linux” on a “Live CD” or a “Live USB,” and how you can start using this for self protection online.
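Booting from media you control only helps if the image you burned is the one the publisher released. The following added Python script (not part of this article, and not a Puppy Linux project tool) refuses to write an image to a USB stick unless its SHA-256 matches the value in a checksum listing of the kind `sha256sum` produces (`<hex>  <filename>`). The file names and the `/dev/sdX` device path in the usage line are assumptions, and `demo()` builds a small constructed stand-in image to exercise both the accept and the refuse paths.

```python
"""Verify a downloaded live image before writing it to a USB stick.

Added example, not from the article or the Puppy Linux project.
Assumed: a checksum listing in sha256sum format ("<hex>  <filename>"),
and a raw block device path such as /dev/sdX as the write target.
"""
import hashlib
import hmac
import os
import shutil
import sys
import tempfile
from typing import Optional


def sha256_of(path: str) -> str:
    """Hash the file in 1 MiB chunks so a multi-hundred-megabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_digest(checksum_path: str, image_name: str) -> Optional[str]:
    """Return the digest listed for image_name, or None if the listing does not mention it."""
    with open(checksum_path, "r", encoding="utf-8") as f:
        for line in f:
            parts = line.split()
            # sha256sum writes "<hex>  name" or "<hex> *name" (binary mode); accept both
            if len(parts) >= 2 and parts[-1].lstrip("*") == image_name:
                return parts[0].lower()
    return None


def image_is_authentic(image_path: str, checksum_path: str) -> bool:
    """True only if the listing names the image and its digest matches the file on disk."""
    want = expected_digest(checksum_path, os.path.basename(image_path))
    if want is None:
        return False
    return hmac.compare_digest(want, sha256_of(image_path))


def write_live_media(image_path: str, checksum_path: str, device_path: str) -> bool:
    """Raw-copy the image onto the device only after the check passes; return whether it wrote."""
    if not image_is_authentic(image_path, checksum_path):
        return False
    with open(image_path, "rb") as src, open(device_path, "wb") as dst:
        shutil.copyfileobj(src, dst, 1 << 20)
        dst.flush()
        os.fsync(dst.fileno())  # do not report success until the bytes are on the stick
    return True


def demo() -> dict:
    """Constructed sample: a 3 MiB stand-in image, one correct and one wrong checksum listing."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "puppy.iso")          # assumed file name
    data = os.urandom(3 * 1024 * 1024)
    with open(image, "wb") as f:
        f.write(data)
    good = os.path.join(workdir, "good.sha256")
    with open(good, "w", encoding="utf-8") as f:
        f.write(hashlib.sha256(data).hexdigest() + "  puppy.iso\n")
    bad = os.path.join(workdir, "bad.sha256")
    with open(bad, "w", encoding="utf-8") as f:
        f.write("0" * 64 + "  puppy.iso\n")            # a tampered or mismatched listing
    target = os.path.join(workdir, "stick.img")        # stands in for /dev/sdX
    refused = not write_live_media(image, bad, target) and not os.path.exists(target)
    written = write_live_media(image, good, target)
    with open(target, "rb") as f:
        identical = f.read() == data
    shutil.rmtree(workdir)
    return {"refused_bad_checksum": refused, "wrote_good_image": written, "copy_identical": identical}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Usage (assumed names): python write_live_media.py puppy.iso puppy.iso.sha256 /dev/sdX
        ok = write_live_media(sys.argv[1], sys.argv[2], sys.argv[3])
        print("written" if ok else "checksum missing or mismatched; nothing written")
        sys.exit(0 if ok else 1)
    print(demo())  # {'refused_bad_checksum': True, 'wrote_good_image': True, 'copy_identical': True}
```

Writing to `/dev/sdX` overwrites the whole stick and needs root, so double-check the device name first. A checksum fetched from the same mirror as the image only proves that the two agree with each other; take the value from the publisher’s own page, and where the publisher also signs the checksum file, verify that signature as well.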
[Update 05-Mar-2010: Here's a quick Getting Started guide.]
References
These particular problems with online banking have existed for years, but only in the last year or two have they started to become widely known and understood.
- Avoid Windows Malware: Bank on a Live CD, Brian Krebs, The Washington Post, October, 2009
- Concepts against Man-in-the-Browser Attacks, Philipp Gühring, June, 2006 (PDF)
- Consider Linux for Secure Online Banking, Michael Horowitz, August, 2009
- E-Banking on a Locked Down (Non-Microsoft) PC, Brian Krebs, The Washington Post, October, 2009
- Major Financial Services Firms Call Online Banking Dangerous, Gartner Research, August, 2009
- New Banking Trojan Horses Gain Polish, Robert Vamosi, PC World, November, 2009
- Top 8 Security Threats of 2010, Linda McGlasson, January, 2010
- URLZone – a disaster waiting to happen, Andreas Baumhof, Trust Defender Labs, October, 2009
- URLzone Trojan rewrites bank statements, Robert McMillan, Computerworld US, October, 2009
- URLZone touted as most sophisticated banking trojan yet, Angela Moscaritolo, September, 2009
- Where Strong Authentication Fails and What You Can Do About It, Gartner Research, December, 2009
- Windows and Online Banking: A Dangerous Mix, Michael Horowitz, October, 2009