Tuesday, June 1, 2010

One more time: Online banking is entirely unsafe

I know that I sound like a broken record, but it's easy as 1-2-3:

1. Hacking and malware used to be about fun and games, "capture the flag", and gaining the reputation as the H4x0R Messiah. Boys will be boys, and all that.

2. It's now shifted to online fraud and theft, where the proceeds likely total in the trillions of dollars a year, and so the malware creation industry is better funded than the security defense industry.

3. Guess where the money comes from? Hint: Why do you rob banks? It's where the money is:

Federal prosecutors have filed charges against five people accused of trying to swipe more than $450,000 from a California city using stolen login credentials associated with its bank account.

The five individuals used online bank accounts to launder the stolen loot shortly after it was siphoned out of an account belonging to the city of Carson in May 2007, according to an indictment. They then allegedly withdrew, or attempted to withdraw, money from the accounts and funnel it to unnamed co-conspirators. The city bank account was breached using keylogging software that was installed on an official's laptop. [my emphasis - Borepatch]

Look, I know that Carson, CA is probably a nice place, and all that, but riddle me this: don't you think that a Ukrainian/Estonian/Russian hacker thinks it's nowheresville? And riddle me this, too: as long as he can get malware on the computer to steal the online banking password, do you think he cares?

It's gotten so bad that security professionals think that maybe we've simply lost the security war. Banks are (slowly) starting to smarten up, like CNL Bank in Orlando, FL, which is giving out Ubuntu Linux live CDs to customers:

This is so full of awesome that it could almost collapse into a Black Hole of awesomeness. Here's why:
  • The big money in online crime is in attacking online banking. That's where transactions are authorized, so it's where the smart Bad Guy wants to be. CNL is focused on the right threat scenario.
  • The Bad Guys are quite rational, and so attack the Operating System that the bulk of their customers run at home. That's Windows. CNL is focused on the right vulnerability scenario.
  • There's a lot of inertia in moving to Linux, and so most people simply won't. By creating the bootable CDs and offering them to their customers, CNL is reducing the friction their customers would encounter.
So if you bank online from a Windows computer, you're living your life in Condition White. Good luck proving to your banker that you didn't actually authorize those transfers to Belarus.

Get Unubtu, if only for banking. Or use an ATM.

9 comments:

Angry Patriot said...

And why not a MAC running Leopard? WinBlows executables don't function on a MAC...

Just Sayin....

bluesun said...

And here I am, about to access my account online...

Sometimes I really hate the electronic world.

Anonymous said...

Get what now? :P

I saw a bank around here advertising its mobile banking app. I don't know whether to laugh or cry.

Jim

wolfwalker said...

I used an Ubuntu LiveCD for a couple of months ... then my bank locked my online access because their safety systems didn't like the fact that I kept logging on from a blank browser, with no stored cookies. Which of course is the whole friggin' point of using a LiveCD.

Right now, for "secure" browsing I use Firefox on a secondary machine that has very little installed on it, and is never used for anything online besides banking. And I run MalwareBytes before doing anything online with it.

Atom Smasher said...

Hmm. I've been wondering what to do with my dad's old (6 years) laptop. Maybe it can run Ubuntu?

Hmmmm....

Anonymous said...

Smasher - I'd be more surprised if it couldn't.

Jim

New Jovian Thunderbolt said...

ATM? Are you insane?! With the card reader the bad guys are putting/gluing OVER the normal slot and a mini camera to watch what PIN number you punch in, after an hour or so they retrieve their gear and have captured the card data and credentials to make up a dozen spoof cards. A few grand, cash, for a couple hours work.

NotClauswitz said...

Carson is in SoCal so...it's probably NOT a nice place, not as nice as Norcal anyhow. ;-)
My bank's ATM uses PS/2 (on a Pentium III) as OS. I watched it boot-up a week ago or so, making beeping sounds worthy of Lost in Space, with the doors clanking open and shut like C3PO's slack jaw.
