Tuesday, July 20, 2010

A different take on online banking

Long-time readers will recall that I've pronounced a fatwa against banking from your home computer, because of all the malware targeting financial password capture. Basically, if the malware can get your password, the Bad Guy can clean out your bank account. This is Bad Juju, and since most of the malware targets Windows computers (because most people have Windows computers), I've been quite vocal in saying just don't do it.

Except I did point out - approvingly - how some banks are giving their customers Linux CDs to use when they want to bank online. These are usually "Live CDs", meaning you can boot from them: they have an entire self-contained operating system that will get you Internet with Firefox, straight to your bank, nuthin' but 'Net.

It's cool, and since you're (temporarily) not running Windows, you don't have the malware worry. It got pretty close to getting the coveted Borepatch Seal of Security Approval™.

Well, long-time commenter and now blogger Ian Argent posts about how this only sounds like a good idea. In reality, he says, it's a Very Bad Idea Indeed:

This is an elegant technical solution to the problem represented by an OS that runs from rewriteable media. ...

However, it's a terrible idea outside of the merely technical. Let's start with why online banking exists.

He then goes on to look at just what it is that's driving online banking, both from the point of view of the bank and the point of view of the bank's customers. He makes some really good points:

I have on my desk a multitasking POWERHOUSE undreamed of, say, 20 years ago. Skipping the rest of the hyperbole, it is vanishingly unlikely that I have to close down my other applications to open up an online banking application. Nor would I want to - I balance my checkbook not by pen and paper, but by database. By doing this I don't have to worry about arithmetic errors, puzzling out handwriting, etc. And to avoid data entry issues, I don't hand-type information into the database, I retrieve it via the internet. Likewise, I schedule outgoing payments in my financial management program. There's a positive benefit to doing so, I don't have to give a third-party permission to debit my account, and the timing of doing so is ENTIRELY under my control, across multiple financial institutions and payees.

Now Ian is different from me here - I don't do any of this, because I'm paranoid (I was, in fact, trained to be paranoid by the Finest Minds in the Free World). But he's right - if you dig this sort of thing, it's simply impossible to do it using the LiveCD approach. Oh, foo.

But Ian's not done. Suppose, he says, that you could tweak the LiveCD technology to let you do all this. How about then? Do you have a working, secure system? In a word, no:

But, let's say you've convinced me; your bootable OS CD also has a financial management program that can write to the local storage device, so I can take advantage of the power of my computer while still keeping an unbreachable wall of security around the OS. Let's say you've convinced the bank that the CD will reduce the costs associated with online bank fraud; the OS booted from the CD is immune to trojans and other malware.

It is still not secure.

And he goes on to explain why. If you like the idea of online banking, Ian's post is a must-read.

As for me, I find myself able to resist the siren song of my bank's web site. Everyone has to do a risk/reward calculation, and for me I find the risk high and the reward low. Actually, for me I don't find the risk high, because I can do everything that Ian describes from Linux, with a much lower risk (and I know how to make my Linux OS even extra super crazy secure, and do). I just don't find the reward compelling.

But I'm an old stick-in-the-mud*. Your mileage may vary, void where prohibited, do not remove tag under penalty of law. Make up your own mind. But read Ian's post first.

* But you knew that already.

6 comments:

Carteach said...

My banking institution offers the same interest as most banks to entice me into leaving my money with them..... in other words, none at all.

My cash resides someplace other than a bank account that can be accessed on-line.

Having reduced my 'risk' from on-line banking to a level lower than the reward (in my opinion) I now bank on-line.

SiGraybeard said...

To be honest, I've always been put off by the idea of using *nix because not enough people use it to warrant attacks. That seems true today, but if large numbers of dollars start moving in that world, it will attract black hats.

If it's true they outspend the good guys by a factor of thousands, how can it be any other way? It's the old "rob banks because that's where the money is" argument. So you pay some guy to hack that system, and you have access to a group of people who think they are safe.

Anonymous said...

Speaking of sticks, you can put a bootable - and non-volatile-writable - linux partition on a USB stick.

Just sayin'.

Jim

Borepatch said...

Carteach0, you win the Internetz. You've grokked that it isn't the tech, it's the risk analysis and management.

Graybeard, too true. Mac is becoming a target for precisely this reason. A somewhat harder target to be sure, but not a lot. Windows security is a lot better than 5 years ago.

Jim, my problem is that I go through several USB sticks looking for the most up to date distro. ;-)

Anonymous said...

I have a simple solution: Lose them frequently. :P

Jim

Ian Argent said...

If someone hacked my machine and cleared out my bank account today, I would still be ahead of the game as far as late fees, overdraft, interest, cost of checks, postage, etc that I've saved over the years by banking electronically, particularly in paying bills electronically. And if they do, I'll know about it sooner than if I wait for my mortgage check to bounce or my statement to get to me in the mail. And I don't have to worry about someone ELSE setting up an online account at my bank.

Admittedly, my primary bank account is a petty cash account, I don't keep a lot in it. My savings are in a 401 or my house. I'm *not* as financially savvy as I ought to be.

In the end though, in the future, all banks will be Taco Bell^W^W online - for the primary reason the banks don't do Live CDs. Atoms vs bits.

Incidentally, as of Check2000, if not earlier, I'd say everyone banks online, some people just use a pen and paper interface, and some people use web sites other than their banks (online shopping).