Latest trend - Linux Boot CDs for Online Banking

[allen.deryke at hushmail.com (Allen Deryke)]

My technical responce is "grr".

I think that while technically feesible, the live cd is a completly  
absurd control, that would burden most customers.

I would be open to the use of the PSTN for out of band large  
transaction verification. Upon the event of a large transaction a  
predetermined phone number would be called with an automated system  
asking for a verfication PIN. I'de also let the user determine the  
"large transaction size"

You'de have to hedge against some PSTN phishing, maybe the phone  
system could have a code word for each user so the user knows that the  
call came from a ligitimate source.

"Hello John Doe, we Recently received a request for a large  
transaction from your checking account. We'll need you to validate  
this with your phone transaction pin code, your code word is wombat,  
please enter your pin code followed by the pound sign to confirm the  
transaction, or press the star key to cancel the transaction and flag  
it for investigation."

Let us not forget that Live CD's have the same vulnerbilitys as any  
other OS.    It's also important to remember the client side secuirty  
IS the responsibility of the client. I would be pretty pissed at a  
bank who made me use some random live CD over a system I personaly  
hardened.

-- Allen Deryke

On Oct 22, 2009, at 4:10 AM, Jim Halfpenny <jim.halfpenny at gmail.com>  
wrote:

> I reckon this would be a support nightmare. Old PCs, BIOS
> configuration and broken cup holders would hamper adoption and you'd
> end up fielding general support calls.
>
> I'm currently using a chip and pin device to authorise online banking
> transactions. Are there any current malware sophisticated enough to
> counter this? Seems to be a tried and trusted solution.
>
> Jim
>
> On 21/10/2009, PJ McGarvey <pj_mcgarvey at hotmail.com> wrote:
> > I didn't read the whole article, but I wonder if this would be best  
> > suited
> > for large transactions, say over $1000?   The bank could use some  
> > other
> > means to verify the user is using its live cd, before allowing the
> > transaction.  Or what if they integrated some sort of bootable  
> > distro on a
> > usb fob that has a certificate built-in for use with two-factor
> > authentication?  Even combine that with some out-of-band type of
> > authentication, like a PIN sent to your cell phone.
> >
> >
> >
> > Of course, if the banking session were still compromised, and the  
> > Bank
> > states there is no recourse if you use the live CD, then you're  
> > SOL...
> >
> >
> >
> > Bruce Schneier has written some stuff about "authenticating the  
> > transaction"
> >
> >
> >
> > -PJ
> >
> >
> > Date: Mon, 19 Oct 2009 08:49:07 +0100
> > From: jim.halfpenny at gmail.com
> > To: pauldotcom at mail.pauldotcom.com
> > Subject: Re: [Pauldotcom] Latest trend - Linux Boot CDs for Online  
> > Banking
> >
> >
> >
> >
> > 2009/10/18 Dale Stirling <dale at puredistortion.com>
> >
> > This is definatly a short term fix as I this becomes a major trend it
> > will just shift the attackers focus to the OS's on these live CD's.
> >
> > Then we are in the same position that we are now having users that
> > have a false sence of security from a quick fix that had a limited
> > life span.
> >
> > As said before I think a patched system and user education are the  
> > way to
> > go.
> >
> >
> >
> >
> >
> >
> > I can see where the banks are coming from with this, since it may be
> > possible to safely use  a computer infected with current banking  
> > trojans
> > when booting from a live CD. Penetration into the market will  
> > probably be
> > low so malware pushers may not target this platform. However, even  
> > if this
> > were an minimal environment which auto-updated on boot up I reckon  
> > this
> > would be too slow for Joe Blow. I have doubts whether people would  
> > reboot
> > into a different OS in order to gain some additional security.
> >
> > Jim
>
> -- 
> Sent from my mobile device
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com