Thursday, October 15, 2009

Do not bank online from a Windows computer

It's simply not safe, as we see a series of events like this:
A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account.
Why do you rob banks? That's where the money is. And that's where the malware is going.
News reports here and here say $479,247 vanished from a bank account belonging to the Cumberland County Redevelopment Authority after it was hit by Clampi. The trojan gets installed by tricking users into clicking on a file attached to email and then lies in wait for the victim to log in to online financial websites. The authority has so far been able to recover $109,467 of the stolen loot.
Brian Krebs from the Washington Post has been all over this:

Imagine being in charge of your organization's finances, and learning from your bank one morning that thieves had stolen tens of thousands of dollars from company coffers overnight using your online banking credentials. Now imagine your frustration when you go to log in to your PC to assess the damage, only to find that the computer you typically use to access the account has been kneecapped by the bad guys.

This is precisely what happened to Kathy Dake, office manager for St. Isidore Catholic Church in Danville, Calif. Dake had infected her PC with the Zeus Trojan after opening a malicious e-mail disguised as notice from the IRS about "unreported income" (see New IRS Scam Could Be Costly).

It's gotten so bad that Krebs says it's time to throw in the towel: don't ever bank online from a Windows computer:

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.

I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.

Folks, as someone who's been in the security industry for 20 years, it's time to admit that we're losing the fight.Windows is simply not securable in any meaningful sense against a motivated attacker. Is it good enough to keep yout pictures and music on? Sure. Games? No sweat. Even company word processing and email - not many Bad Guys care enough to look for specific data to steal, although if you have very high value Intellectual Property, you're not safe. But for most business uses, the pain of the Bad Guys getting on your system has so far been less than the cure.

But banking is a different thing. It's not like a credit card, where the card issuer will cover most of the fraudulent transactions. If a anking trojan transfers all your money to the Ukraine, you're the one who will have to prove that it wasn't you. In fact, your bank may be prohibited (by law) of covering your loss.

Krebs has a solution, which is to use a Linux "live boot" CD. Basically, this is a Linux image that you download and burn to a CD (or USB flash drive). You can boot from it, and have a complete Linux system - including Firefox - that you can use to do your banking. When you're done, you remove the CD, and reboot into Windows. If you have Malware (and sadly, you probably do), the malware doesn't ever run while you're at your bank, because it doesn't work under Linux.

Krebs describes how to do this, and I encourage you to co read it. It's a great idea, and IMO one of the most important security reads for a general public that I've ever seen. It's a clever idea, and lets you keep the convenience of banking online (if that's your bag, baby). It also entirely eliminates the danger of banking trojans - at least until a lot more people start using Linux, so that market share makes it worth the Bad Guy's time to target Ubuntu.


wolfwalker said...

Boot from a Linux live CD distro?

That's brilliant! I think I have one around here somewhere, and if I don't, then I can burn one.

NotClauswitz said...

Very interesting. All's I ever do is check my account level?

NotClauswitz said...

Very interesting discussion and comments.

Ian Argent said...

C'mon. By that criteria, no OS running on read/write media is safe. Which is hardly news.

"A word to the wise: Do not click on attachments included in unsolicited e-mails, especially those that encourage you to act quickly or else suffer some scary fate: These are almost universally scams or attempts to plant malicious software on your computer. Also, note that the IRS has stated emphatically that it does not communicate with citizens via e-mail." I can't think of a real-world analogy to this behavior that really holds up, but it's sort of analogous to leaving the keys in the car when you park.

There is no operating system or security system in the world that would have stopped this attack. Not clicking on the link/file (original story uses both terms) would have. It happens that the attack targets Windows machines and IE, because, as our host has noted, "that's where the money is". What happens when everyone takes the advice of switching away? The scammers will retarget.

There is no technical solution for this, IMHO. Use of a OS boot CD is not a technical solution, it's a behavioral change. And it destroys one of the reasons to use a PC instead of a dedicated device. (It turns your machine into a dedicated device, essentially - since you give up your security the minute you open your browser anyway).

Incidentally, using a USB stick is bo safer (conceptually) than just boothing off your HD - the device is still writable and consequently attackable.

I don't have answers either. For a truly gloomy outlook, try reading Bruce Schneier.

WV: vistaggr. The opinion of a lot fo people (but not mine)