Re: [off-list] Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases

[Valdis.Kletnieks () vt edu]

On Thu, 28 Jun 2007 07:44:32 CDT, Dennis Henderson said:

> So tell me what steps do you take to make sure your online banking
> experience is a safe one? If you don't do online banking, then please don't
> comment further in this thread.

Actually, I do quite a bit of it - recognizing that it's not 100% safe, but
that there's tradeoffs.  My software and hardware config is such that there's
reasonably low risk involved - I'm quite frankly usually more worried about
what that Applebee's employee is doing with my card while I'm paying for lunch.

>                                 Is it so beneath you to provide positive
> advice or commentary on *any* topic?

OK. Here you go, I'll add a few just for you...

> Dont download every free tool and software you can get your hands on.
> Read the EULA's when you do. These are basic bits of information that can
> help people stay out of trouble.
> Make Fergie happy, run TrendsAV.
> Patch to the hilt.
> Run a firewall.
> Learn how to tell if your actually on your bank's site. Its really not that
> hard given all the resources that browsers come with these days.
> Dont click on any and all links in emails especially if they're from your
> bank or financial institution.
> If your bank sends you emails with links, find another bank.

Don't visit *any* web site that includes material (banner ads, linked images,
and so on) from a third-party site, or that could possibly have been compromised
since your last visit.

Employ methods to prevent unpatched holes in your favorite browser from being
used to exploit your machine.

Unfortunately, neither of these is something that is easily doable by
Joe Sixpack.

> These are basic bits of information that can help people stay out of
> trouble.
> Sounds clueless? Well to clueless people these things are probably sage
> advice.
>
> Wont remove the risk, but it can reduce it dramatically.

Yes, it *helps*, but it certainly does *not* make the risk low enough that one
should judge that it *must* have been the user's fault somehow, for actually
using the machine for what the operating system vendor and the bank both
advertised as a reasonably safe activity - using the computer to surf the web
and do electronic business and financial transactions.

> 0days are still a minor vector compared to what's keeping the online banking
> fraud cartels alive.

Again, the fact that unpatched holes that people don't know about and can't
easily defend themselves against may be 5% of the total doesn't mean that
it's 0% and you can readily assign blame to the consumer.

Attachment: _bin
Description:

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.