maravis.com Exploring Information Security

Saturday, October 25, 2014

  • Oct 14, 2009

    Using a LiveCD/USB for safe online banking

    I came across an article on some website that mentioned using a Linux LiveCD/USB for online banking. The idea at first glance seems good. But there are a few things to keep in mind.

    The problem that the LiveCD/USB is trying to solve is that a lot of regular people who bank online use Windows on their computers. Attackers are able to steal credentials and compromise accounts using malware and botnets. Finding and cleaning malware from computers is easier said than done. Enter a Linux LiveCD/USB and Windows malware problems are bypassed.

    The biggest problem with this solution is that the majority of users will not want to use a LiveCD/USB for various reasons:

    1. A lot of people cannot or do not want to use something new. And even with the popularity of Ubuntu and some other Linux distros, Linux is still something new to most people.
    2. Every time you need to do online banking, the computer will need to be shut down and re-booted with the LiveCD/USB. If someone forgot to do something and wants to go back, the entire shutdown and re-boot sequence has to be repeated.
    3. Since nothing is saved when a LiveCD/USB is shut down, all the network connections have to be set up again. At least that is the case with the PCLinuxOS distro that I have used. Ubuntu or other distros may be able to self-configure connections.
    4. Web browsers that come with LiveCDs do not usually have the latest patches. So, every time you boot up with the LiveCD/USB, you will have to apply all the latest patches and updates. Otherwise, there is the risk of using an insecure web browser.

    Some of these problems can be taken care of with some modifications to the idea:

    1. Use a Virtual Machine (VM) that loads the Linux distro. VirtualBox and VMware Player allow you to load a Linux instance directly from a LiveCD/USB. This will not require you to shut down your computer. Once the Linux instance is loaded, you can just use the web browser within the VM to do your online banking. Keep in mind that the VM still runs on top of the Windows host, so malware on the host, such as a keylogger, can still see what you type into the VM.
    2. You can also get around the problem of re-booting Linux by just saving the VM’s state. This way, you can apply patches and updates to the web browser once and keep adding to them, without having to apply the same patches and updates again and again. But the risk with this is that instead of leaving internet tracks in Windows, you will be leaving them in Linux.

    Please note that this or any other method will not prevent compromises resulting from carelessness and stupidity. If you click on links in every email, download email attachments or click on links to unfamiliar websites, you need to be prepared for the worst.


    by Siva Ram, CISA, PCI-QSA, PA-QSA
    ©www.maravis.com. The use of this content on other websites without permission breaches copyright.