Slashdot: News for Nerds

Can Ubuntu Save Online Banking?

timothy posted more than 4 years ago | from the make-that-virus-throw-an-error dept.

Linux Business 462

CWmike writes with a pointer to this ComputerWorld mention of an interesting application of Live CDs, courtesy of Florida-based regional bank CNL: "Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is seriously considering making available free Ubuntu bootable 'live CD' discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL's Web site. 'Everything you need to do will be sandboxed within that CD,' [CNL CIO Jay McLaughlin] says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking." (But what if someone slips in a stack of doctored disks?)

462 comments

Reply (5, Funny)

Pharmboy (216950) | more than 4 years ago | (#31619830)

(But what if someone slips in a stack of doctored disks?)

What do you mean, like a disk that would boot Microsoft Windows instead?

Re:Reply (4, Interesting)

Cryacin (657549) | more than 4 years ago | (#31619872)

I actually think this is a good idea. Gives the user something physical to insert, that way they understand it. It also reduces the number of variables in the transaction process.

Hence, if you're too lazy, don't have the knowledge or it isn't economically viable to get someone in that can secure and configure your computer system, this seems like a sane alternative that makes it a bit harder for a black hat to come in and pillage your account.

Re:Reply (5, Insightful)

GIL_Dude (850471) | more than 4 years ago | (#31619970)

I guess for those people who shut down their computers more than once a day it would be fine. For those of us who reboot about once a month and use sleep / resume the rest of the time it is a terrible idea to be rebooting all the time to do banking (maybe twice a day sometimes, but at least a couple of times a week). Why would anyone want to put up with that? Even for folks willing to accept it, the bank would inevitably get a smattering of "the wireless doesn't work on my netbook" or something (even though Ubuntu live CDs are pretty good about support, they can't manage to support every device). I would be more accepting of a VM or something though than a live CD for my own use.

Re:Reply (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31620050)

I believe you, obviously a technical person, are free to set up a VM.

However, Joe Average won't care to set up or purchase a VM for his current operating system, but will settle for rebooting and losing maybe 30s of productivity for it.

Re:Reply (0)

Gerzel (240421) | more than 4 years ago | (#31620292)

Your average total boot time is more than 30s, more like a minute in my experience with slightly faster shutdown times. Still it isn't much for security.

Re:Reply (2, Informative)

Anonymous Coward | more than 4 years ago | (#31620390)

Then boot the live cd in a VM... Jeez...

Re:Reply (3, Informative)

obarthelemy (160321) | more than 4 years ago | (#31620496)

I'm wondering: If I'm running Windows, and set up the bank's Linux in a VM, am I still vulnerable to Windows's trojans and keyloggers? I would guess Yes, because keystrokes go Windows -> VM manager -> Linux VM? Or not?

Re:Reply (1)

hedwards (940851) | more than 4 years ago | (#31620590)

You do realize that most if not all Virtual Machines allow you to run physical discs, right? Or that it's trivial to convert said discs into images that any VM package will accept.

It's ultimately probably a better idea to have to boot into it rather than using something else as it makes it more of a deliberate process. A bit of a pain, but more deliberate in nature. Anybody that can't figure out how to work around the reboot limitation shouldn't be doing so anyways.

Re:Reply (5, Insightful)

Khyber (864651) | more than 4 years ago | (#31620108)

"Gives the user something physical to insert"

Except the netbook owners, who have no optical drive.

Re:Reply (3, Informative)

MaskedSlacker (911878) | more than 4 years ago | (#31620420)

USB drive then?

Re:Reply (2, Funny)

Anonymous Coward | more than 4 years ago | (#31620440)

You replied to that post without a smutty joke.
Congratulations!

Re:Reply (1)

FrankieBaby1986 (1035596) | more than 4 years ago | (#31620574)

If your only computer is a netbook...

You're doin' it wrong!

Re:Reply (0)

Anonymous Coward | more than 4 years ago | (#31620316)

uhm, heh,heh, he said "something physical to insert"

Why use Ubuntu? (1)

dov_0 (1438253) | more than 4 years ago | (#31620318)

The rebooting is a bit of a pain, but probably worth it for those running XP. For Vista or Windows 7 users with adequate security, I think it is possibly less necessary.

Included instructions on how to print statements/receipts to PDF files (say, on a USB stick) would be handy.

Also, why stick with Ubuntu? I find on an increasing amount of machines that the newer versions of Ubuntu do not 'just work' - especially since 9.04 and it takes forever to boot up a liveCD on any older system. I've found that 9.10 in particular tends to fail on anything slower than a dvd-rom, plus who needs all the bloat of a Gnome desktop? Better perhaps to configure Puppy Linux with Firefox to boot up in full screen mode with sites limited to the online banking site. Boots up in hardly any time at all and can boot off a thumb drive. Far better solution in my thinking.

Why uses a PC to do banking? (-1)

Anonymous Coward | more than 4 years ago | (#31619916)

Everyone I know here in NYC does banking on their phone with Chase, Bank of America, HSBC, et al.

Additionally, this seems like a solution in search of a problem that has already been solved (by upgrading to Internet Explorer 8 or installing another modern browser).

P.S.: Internet Explorer 8 is the best browser because it supports cross domain XmlHttpRequest()/AJAX, Microsoft's XDR.
--
Listening to: Madonna - Celebration (MADONNA RULEZ! remix)

Re:Why uses a PC to do banking? (1)

Thantik (1207112) | more than 4 years ago | (#31620002)

That doesn't stop local software-based keyloggers from just logging the keys someone punches on their keyboard introduced by some virus/trojan/malware and then later just logging into the account.

Re:Why uses a PC to do banking? (1)

Kryptonian Jor-El (970056) | more than 4 years ago | (#31620180)

It also doesn't allow security updates to the Live CD, so if banks start giving these out on a large scale, then "security by obscurity" goes out the window.

Re:Why uses a PC to do banking? (1)

icebraining (1313345) | more than 4 years ago | (#31620280)

But if the Live-CD is *only* used to access the "safe" bank site and it's only on ten minutes every couple of days it would be much harder to attack.

Personally, I won't need this: my bank uses SMS confirmation codes.

Re:Why uses a PC to do banking? (1)

Gerzel (240421) | more than 4 years ago | (#31620306)

DVDs are cheap enough that just putting up a message "Please pick up a new DVD." would work.

Re:Why uses a PC to do banking? (4, Informative)

MaskedSlacker (911878) | more than 4 years ago | (#31620446)

The point of the LiveCD is that it is rather difficult for hackers to compromise (owing to the physical, unalterable nature of the disk image). It has nothing to do with obscurity--the point is that each time they boot a verified, trusted disk image and then go straight to the bank's website--without a keylogger in the motherboard there aren't really any useful attack vectors.

Re:Why uses a PC to do banking? (1)

master5o1 (1068594) | more than 4 years ago | (#31620084)

How is cross-domain XmlHttpRequest() a good thing, although, how is it a bad thing?

Re:Reply (5, Funny)

flyneye (84093) | more than 4 years ago | (#31620188)

(But what if someone slips in a stack of doctored disks?)

Well don't leave 'em layin' around on the floor and no one will slip on them.

Re:Reply - Please mod parent up (0, Troll)

miknix (1047580) | more than 4 years ago | (#31620200)

(But what if someone slips in a stack of doctored disks?)

What do you mean, like a disk that would boot Microsoft Windows instead?

Why Troll? It was a pretty funny observation IMHO.

Re:Reply (3, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#31620520)

What do you mean, like a disk that would boot Microsoft Windows instead?

I think they meant AOL disks.

Re:Reply (0)

Anonymous Coward | more than 4 years ago | (#31620568)

(But what if someone slips in a stack of doctored disks?)

What do you mean, like a disk that would boot Microsoft Windows instead?

Did you misread the word "doctored" as "f*cked" ?

BIOS (2, Interesting)

sourcerror (1718066) | more than 4 years ago | (#31619834)

What about infecting the BIOS?

Re:BIOS (3, Insightful)

jawtheshark (198669) | more than 4 years ago | (#31619922)

I always keep hearing that claim. I've never found one and actually never heard of one reported in the wild.

As for the article: Online Banking has worked perfectly fine the last years.... At least for me :-) It needs no saving...

Re:BIOS (0, Troll)

quantumplacet (1195335) | more than 4 years ago | (#31620268)

Online Banking has worked perfectly fine the last years.... At least for me :-) It needs no saving...

current cancer prevention methods have worked perfectly fine... At least for me. I don't know why we waste all this money on research...

Re:BIOS (5, Interesting)

Anonymous Coward | more than 4 years ago | (#31619984)

They could ship you a free NetBook w/ CD.

Don't mod me funny, I'm serious. Like maybe a $100 little book running Linux, automatically set to keep itself up to date to eliminate hundreds of millions of dollars in cybercrime. The banks would own it, maybe even lease it to you for a $2 banking fee for having an online account with them. When you don't need it anymore or switch banks, you give it back to them and they would wipe the BIOS and system and reuse it.

In fact, they could probably even make the netbook cheaper by not including a hard drive. Just boot from USB or CD, maybe even a small USB traveldrive installed internally inside the case itself. The USB ports could be removed or completely disabled, no CDROM drive included, no HDD, etc. It becomes more or less a dumb terminal whose only purpose is to connect to the bank on boot. And, in addition, sandboxed to not allow any other applications to run besides the required startup items.

Just checked and it looks like Gateway sells a $49 netbook, found it on CNET's list of netbooks when I sorted by lowest price. And, that's *consumer* price, if the banks bought in bulk they'd even be cheaper than that. If the banks told them they didn't want USB ports (except the internal one), no harddrives, etc. then it would even be cheaper. I bet they could get them for $25 or so apiece in bulk for say 1000 units. That's not much cost to essentially eliminate the wholesale highway robbery of people's accounts that's been going on. The savings would be pretty enormous. Offset that with a small lease fee like I suggested above and it's a win/win for everyone involved. Not to mention it would help Gateway out of its slump.

Gateway LT2016u (Verizon Wireless) Specs: Intel Atom N270 / 1.6 GHz, 1 GB, 160 GB, Microsoft Windows XP Home Edition, 10.1 in TFT active matrix, 3 lbs

Re:BIOS (4, Informative)

hipp5 (1635263) | more than 4 years ago | (#31620100)

One of the major Canadian banks (RBC) was actually giving away netbooks (eeePC 700 I believe) a little while back (to those who switched to them). With that in mind this suggestion doesn't seem that crazy. In reality, you wouldn't even need a full netbook. A small screen, minimal keyboard, network card, and very small SD card would do. Some people might even be willing to pay $100 for them if it meant they could feel safe in their online banking.

Re:BIOS (1)

MaskedSlacker (911878) | more than 4 years ago | (#31620468)

People already do this with their cellphones, though the security of those is somewhat easier to compromise.

Re:BIOS (1)

h4rr4r (612664) | more than 4 years ago | (#31620112)

Link to that $49 netbook?
Last I checked those kinds of prices on Atom machines were subsidized and tied to a contract with a 3G provider.

Re:BIOS (4, Insightful)

jawtheshark (198669) | more than 4 years ago | (#31620190)

Gateway sells a $49 netbook

...

Gateway LT2016u (Verizon Wireless)

I think so too, the grandparent has some issues with reading comprehension ;-)

Re:BIOS (1)

Gerzel (240421) | more than 4 years ago | (#31620326)

Exactly, except here in this example the books are subsidized and tied to a contract with a bank.

Re:BIOS (1)

Khyber (864651) | more than 4 years ago | (#31620138)

"They could ship you a free NetBook w/ CD."

How many netbooks actually come with an optical drive?

Re:BIOS (1)

click2005 (921437) | more than 4 years ago | (#31620478)

How about a USB pen drive writing port on the cash machine?
You stick your pen drive into a USB port, type your pin and it
updates your install complete with an optional personal key?

Re:BIOS (0)

Anonymous Coward | more than 4 years ago | (#31620204)

The LT2016u is $149 after $100 mail in rebate and only with a 2 year Verizon subscription. That's actually expensive.

For a price point around $100 without cross financing, you'd have to look at ARM netbooks with 800x480 screens. That would be sufficient for online banking, of course.

Re:BIOS (1)

Sporkinum (655143) | more than 4 years ago | (#31620218)

That would be a subsidized price. You'd have to tack on a $60 a month data plan for at least 2 years in addition. A netbook with those specs is generally around $300.

Re:BIOS - CC sized card with on-board OS (1)

thms (1339227) | more than 4 years ago | (#31620228)

What I have had in mind for a long time is something even more mobile - a credit card sized micro computer with a number pad and a simple LCD display. Sort of like a calculator.

The OS on that has the public key of the bank and it has its own private key for the owner (and the bank the corresponding public key). Thus it could use any medium to communicate with the bank, no matter how insecure. Maybe via a USB-dongle which you attach to the PC you are using. For online banking, you just go onto the bank site, no login there, and when asked for credentials you enter these on the card. Transactions get shown on the display of this unit, "You are about to transmit $349 to someShop.com, enter PIN" etc. As long as customers know to only trust their cards you could use the most malware infested PC in an internet café and nothing would come of it. And even if some phisher convinces the hapless user that their card is broken and they have to enter the PIN on some phishing website, they still don't have the public key and thus can't do anything with it.

You could also use that in your grocery store, and prepare offline packages (with your public key) "pay $56 for this meal to the owner", enter your PIN and the waiter sticks the card somewhere it can communicate with your bank.

Did I just solve online banking security? :)
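The card-with-its-own-display scheme in the comment above, sketched as an added example that is not part of the original post: the signature covers exactly what the card displayed, so a PC that rewrites the transfer is caught either by the bank or by the user reading the card. HMAC-SHA256 with a shared per-card key stands in for the public-key signature the comment describes (Python's standard library has no asymmetric signing); `Card`, `Bank`, `pay_via_untrusted_pc` and `attacker.example` are constructed names.

```python
import hashlib
import hmac
import secrets


def canonical(payee, cents, nonce):
    # Length-prefix every field so field boundaries cannot be shifted.
    parts = [payee.encode(), str(cents).encode(), nonce.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def tag_for(key, payee, cents, nonce):
    # Stand-in for the card's signature (assumption: shared key, not a key pair).
    return hmac.new(key, canonical(payee, cents, nonce), hashlib.sha256).hexdigest()


class Card:
    """Trusted device with its own display and keypad; the key never leaves it."""

    def __init__(self, key, pin):
        self._key, self._pin = key, pin
        self._shown = None
        self.display = ""

    def show(self, payee, cents, nonce):
        self._shown = (payee, cents, nonce)
        self.display = (f"You are about to transmit ${cents / 100:.2f} "
                        f"to {payee}, enter PIN")

    def sign(self, pin):
        # Signs exactly what was displayed, and only after the correct PIN.
        if self._shown is None or not hmac.compare_digest(pin, self._pin):
            return None
        shown, self._shown = self._shown, None
        return tag_for(self._key, *shown)


class Bank:
    def __init__(self, key):
        self._key = key
        self._pending = {}  # nonce -> (payee, cents) as the bank received them

    def start(self, payee, cents):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (payee, cents)
        return nonce

    def finish(self, nonce, tag):
        order = self._pending.pop(nonce, None)  # one attempt per nonce: no replay
        if order is None or tag is None:
            return False
        return hmac.compare_digest(tag_for(self._key, *order, nonce), tag)


def pay_via_untrusted_pc(bank, card, payee, cents, pin, tamper=None):
    """The PC only relays messages; `tamper` models malware rewriting them."""
    evil = ("attacker.example", 900000)  # constructed sample values
    to_bank = evil if tamper else (payee, cents)
    to_card = evil if tamper == "bank_and_card" else (payee, cents)

    nonce = bank.start(*to_bank)
    card.show(*to_card, nonce)
    # The user trusts only the card's display and enters the PIN only
    # when it shows the transfer they actually intended.
    if (to_card[0], to_card[1]) != (payee, cents):
        return "user refused"
    tag = card.sign(pin)
    if tag is None:
        return "wrong PIN"
    return "accepted" if bank.finish(nonce, tag) else "bank rejected"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    bank, card = Bank(key), Card(key, "4821")
    for mode in (None, "bank_only", "bank_and_card"):
        result = pay_via_untrusted_pc(bank, card, "someShop.com", 34900, "4821", mode)
        print(mode, "->", result)
```

The property that matters is that the bank recomputes the tag over the order it received, not over what the PC claims the card saw, so any mismatch between the two views fails verification.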

Re:BIOS - CC sized card with on-board OS (1)

maxume (22995) | more than 4 years ago | (#31620262)

Did the banks adopt your idea?

Re:BIOS (1)

icebraining (1313345) | more than 4 years ago | (#31620314)

Oh god, why? Talk about over-engineering and waste of money and resources.

Just send an SMS for any operation over X dollars and send the netbooks to some poor kids.

Re:BIOS (1)

anarche (1525323) | more than 4 years ago | (#31620406)

OnLine banking user: "Wha? Hey, come back with my netbook you freak!"

OnLine banking user2: "No officer, there doesn't seem to be anything missing, but my door has been broken down, and my netbook moved..."

Seriously, good way to make people easy targets.

Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31619838)

Uhhhm VMware player anyone?

Re:Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31620028)

keylogger anyone?

Convenience? (5, Insightful)

rschuetzler (1735324) | more than 4 years ago | (#31619848)

Isn't the point of online banking that it is convenient? And easy? For me, booting from a Live CD may be a piece of cake, but for a lot of people, it's far from that.

Even if it is a great idea, 98% of the population won't latch on to something like this, and the 2% who might are probably already running Linux.

Re:Convenience? (1)

FrozenGeek (1219968) | more than 4 years ago | (#31619878)

If they do the live CD right, it should not be terribly inconvenient. Nonetheless, I think you're correct that most people won't do this - they simply won't understand the need for it. Personally, I've been doing on-line banking using a live CD for a couple of years. But then again, I'm somewhat paranoid (but only because everyone is against me 8^).

Re:Convenience? (1)

sl149q (1537343) | more than 4 years ago | (#31620104)

Presumably it would also be easy to boot into VMware or similar. Although possibly not as secure as booting on the real hardware (unless the real hardware is compromised via BIOS etc. etc. etc.)

Re:Convenience? (1)

Martin Blank (154261) | more than 4 years ago | (#31620202)

It will be inconvenient, both for the user and for the bank. Many people do not have their systems set to boot off of the optical drive by default, so the bank would be expected by the user to provide technical support for that change. In addition, users are not going to happily accept the idea that they have to stop their music, save their work in various applications, and close down their browsing sessions to reboot (a process which for many people is not a short experience) just to check their bank balance.

Re:Convenience? (0)

Anonymous Coward | more than 4 years ago | (#31620226)

Not terribly inconvenient? I track my finances on my computer. My credit union does online statements. Rebooting to access my statements means I lose access to the ability to reconcile my records.

Re:Convenience? (1)

pushing-robot (1037830) | more than 4 years ago | (#31620296)

Loading Ubuntu could be easy, but have you ever tried teaching someone over the phone how to use their BIOS?

Methinks the set of people who are clueless about security doesn't overlap much with the set who know how to boot their machine to an alternate device and log in to their wireless network in Linux.

Re:Convenience? (1)

sourcerror (1718066) | more than 4 years ago | (#31619880)

It's more convenient than standing in lines. People who have burnt themselves are likely to try it. All you need is fast booting.

Re:Convenience? (2, Insightful)

HeavyD14 (898751) | more than 4 years ago | (#31619934)

I don't think it's a question of difficulty. It would be a total pain in the rear if I had to reboot every time I wanted to get on my bank's website. Or do I keep a dedicated bank terminal ready to go at any instant?

How to really advocate FOSS ... (2, Interesting)

perpenso (1613749) | more than 4 years ago | (#31620078)

I don't think it's a question of difficulty. It would be a total pain in the rear if I had to reboot every time I wanted to get on my bank's website. Or do I keep a dedicated bank terminal ready to go at any instant?

Actually, yes, you could have a "dedicated bank terminal". Take the old PC that is getting replaced, boot from the Linux cd-rom, use it for banking, and let the family screw up the new computer with trojans and malware while you enjoy relative peace of mind. I know a few families that have gone this route. They could care less about FOSS and its philosophies or politics, they just like the practicality of the solution. This is how FOSS can make inroads to the public, through practicality, not through ideological conversion.

Re:Convenience? (0)

Jazz-Masta (240659) | more than 4 years ago | (#31619968)

This seems like an overly complex way of ensuring security. And it's not like Ubuntu is 100% secure - if there is a market for malware, it will be done. If, all of a sudden, all banking is done on Ubuntu and FF, I'm pretty sure they will find a way to attack that setup too.

It is inconvenient to have to drop everything you are doing, restart your computer and insert a disc and wait 5 minutes or so to load Ubuntu into memory just to check your online banking.

A simpler alternative would be to call a 1-800 number for your bank, have it authenticate against your verbal password and telephone #, and then issue a temporary password to you that will work for X minutes in Windows. It would probably only take 30 seconds to do it that way. Sounds complicated, right? But any more complicated to the user than running a LiveCD?

Even easier would be to partner with VMWare and Ubuntu to issue a customized virtual machine that you could USE on Windows. Have it locked down so it can only visit one site, etc.

Re:Convenience? (1)

MichaelSmith (789609) | more than 4 years ago | (#31620046)

But if all banking is done on a live CD which is only used for that purpose then attacking it will be quite difficult.

Re:Convenience? (1)

h4rr4r (612664) | more than 4 years ago | (#31620062)

If the vmware host is infected the guest is not safe. A virtual machine is useless for security from the host.

Re:Convenience? (1)

h4rr4r (612664) | more than 4 years ago | (#31620124)

Temporary password is pointless, if the PC is infected it could use the bank website after you login for it.

Re:Convenience? (1)

chronosan (1109639) | more than 4 years ago | (#31620144)

The whole point of a Live CD is that the software isn't really soft. A VM could be hacked, since the code is in changeable memory and is executed in an environment that can't be guaranteed to be secure.

Re:Convenience? (5, Insightful)

tpstigers (1075021) | more than 4 years ago | (#31620122)

Actually, 98% of the population will only shy away from something like this if they're told what the process actually is. If they are told rather that it's their "Personal Online Banking Disc", and are then given instructions to walk them through the process, most people will happily buy into it. Most people wouldn't hesitate to install an app for this purpose, so the Live CD just needs to be marketed properly.

Re:Convenience? (0)

Anonymous Coward | more than 4 years ago | (#31620148)

Just some practical problems:

  * What keyboard layout do I have? Man, I just want to send my mate $10!
  * What the was that automatically generated secure WPA2-PSK code?!
  * It hasn't remembered my username, it knew my username before! Gack, the rent is already overdue!

And I guess people would rather complain to their bank about these issues than help resolve them, participating in the friendly Ubuntu community. Of course they shouldn't have to and most probably won't, but we probably won't see any bank fixing bugs on Launchpad either.

Re:Convenience? (1)

rm999 (775449) | more than 4 years ago | (#31620250)

Not to mention that many people don't have CD players in their computers anymore.

Re:Convenience? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31620386)

Well, yah know what? Convenience isn't a right. There is no constitutional amendment, clause, or condition guaranteeing you convenience. Convenience is earned. You earn convenience by being diligent. Are you interested enough in your own self-preservation to bother browsing the web in a secure way? Then you get convenience. Are you the other 80% who insist on throwing yourself off a cliff and expecting others to plunge to their possible death just to save you? Then you don't get convenience. You get a rubber suit and a leash.

That was my first thought, but. (1)

dreamchaser (49529) | more than 4 years ago | (#31620400)

That was my first thought, but I'm also old enough to remember having to drive to the bank and wait in line. It's far more convenient to reboot with a CD in your PC than it is to go to even an ATM machine. With the proper marketing this could go a long way towards reducing online fraud.

fp -- custom os distro for banking?? (1)

8282now (583198) | more than 4 years ago | (#31619854)

This isn't a bad idea....

I do something like this for some of my clients that are concerned with security. ... that is unless I can convert them to Linux on a permanent basis :)

Interesting, but what about users? (3, Interesting)

ricebowl (999467) | more than 4 years ago | (#31619866)

The majority of users I have contact with resent having to enter passwords/user-verification at all. With banks they do, often at least, appreciate the value of the process. But they still take every opportunity to minimise the process, so what're these users to do when they can't have Firefox (et al) save their username/passwords?

Personally, I'm thinking they'll go back to using Windows, which can't be reasonably prevented by the institution, without cutting off a large user-base. Still, a nice -and, to me, novel- idea.

How about a USB key? (1)

Alwin Henseler (640539) | more than 4 years ago | (#31620162)

The majority of users I have contact with resent having to enter passwords/user-verification at all.

Yeah, personally I'd prefer to use a custom-built USB key for this purpose. A USB key provided by the bank, that doubles as a crypto device to prove you are who you say you are (because you have that particular device). Perhaps in combination with something simple like a PIN number that people use anyway. Built-in software maintained by the bank over secure connection, read-only when running, perhaps a small user-area that's only writeable after authentication.

Problems come when people want to use it for more than just banking. What if you want to do online shopping with it? Find your deal, reboot, make payment, then reboot again to continue shopping? That wouldn't work. So the bank-provided USB key would have to support basic web browsing. Add some more use scenarios, and you need a lot of things that users have on their computer anyway - and many of the same maintenance headaches (for the bank, in updating that USB key).

So if you can limit the functionality enough to minimize maintenance headaches & still be practical at the same time, it just may work. If included functionality would keep ballooning: dead end.

The disk is a token? and etc. vs et al. (4, Informative)

gumbi west (610122) | more than 4 years ago | (#31620606)

You could use token authentication and just allow the disk to keep a cookie that logs them in with minimal interaction (either nothing or a short password like their pin).

Also, just thought you might like to know... Et al. is short for et alii and translates literally as, "with others." etc. is short for et cetera and translates roughly as, "with other objects". There is a people/things distinction. So if the other stuff is people, "et al." and if the other stuff is things, "etc.".

Important question (1)

RichardJenkins (1362463) | more than 4 years ago | (#31619940)

(But what if someone slips in a stack of doctored disks?)

The important question is will the entire endeavour decrease the amount lost through fraudulent OLB transactions, and if the cost (producing the disc, customer dissatisfaction of having to use them etc.) is worth it for the expected decrease in fraudulent OLB transactions. In order to understand this you'll have to analyse a whole bunch of 'what if' questions, and the one above should certainly be one of them.

(OK, sure in reality the bank might expect to see a benefit from appearing to go out of their way to protect customers from fraud, even if the solution has no net value)

Here good Sir, (0)

Anonymous Coward | more than 4 years ago | (#31619966)

Bank Anywhere!

Take this CD and bank safely from any computer with an optical drive and internet connection. Oh and don't worry about them there viruses, they're kind of a windows thing.

And if you like this, you can use it whenever you wish.

Oh and don't forget, The year of Linux is before us.

But I saved it to . . . (1)

gohsthb (1692342) | more than 4 years ago | (#31620004)

The desktop and when I restarted my computer the file was gone. Where did it go?

What about security patches? (1)

GreyLurk (35139) | more than 4 years ago | (#31620040)

So it sounds like some of the point of this is that it's on a static iso9660 filesystem, and so viruses/malware cannot be downloaded to it, but what about security upgrades? With the news about webkit hacks today, and the Firefox security bugs recently, I'm not sure I'd trust my online banking to an unpatched OS from months ago.

I suppose a quarterly release by mail might alleviate some of the concern, but how much damage could a botnet owner do to a few million identical unpatched systems in 3 months?

Re:What about security patches? (1)

h4rr4r (612664) | more than 4 years ago | (#31620086)

Actually you can install apps in and update an ubuntu live session, they just all disappear on reboot when using a cd.

Re:What about security patches? (2, Insightful)

GreyLurk (35139) | more than 4 years ago | (#31620230)

Sure, but who's likely to sit down and download 100mb worth of patches each time they want to check their BofA account balance?

Re:What about security patches? (1)

WD (96061) | more than 4 years ago | (#31620130)

If the only site you are visiting is the bank, I'd say the chances of getting compromised by a drive-by attack are greatly reduced.

Re:What about security patches? (1)

ricebowl (999467) | more than 4 years ago | (#31620150)

Very few people will visit 'only the bank,' especially if they're just quickly checking email (or whatever), and don't want to have to reboot and log in first to do so.

Re:What about security patches? (1)

icebraining (1313345) | more than 4 years ago | (#31620404)

They could issue the CDs with a small proxy (e.g. polipo) configured to just allow access to the bank.

Utah does this... (4, Interesting)

gandhi_2 (1108023) | more than 4 years ago | (#31620054)

Lots of Utah state government employees who work from home (for example, people who do data entry for Dept. of Workforce Services). It's worked pretty well, bypasses a lot of problems.

Re:Utah does this... (1)

GreyLurk (35139) | more than 4 years ago | (#31620266)

Seems a lot easier to do with employees than with customers. It's easy enough to just lock your employees out of your VPN if they have an insecure version, and force them to go get a new one, and you can mail them a new CD with their paycheck if security patches are necessary.

Why Ubuntu? (1)

Budenny (888916) | more than 4 years ago | (#31620102)

Surely if it's a one shot thing, a customer version of webconverger or maybe slitaz?

Re:Why Ubuntu? (1)

Kitkoan (1719118) | more than 4 years ago | (#31620284)

Why Ubuntu? My guess is because it's the (at the moment) most popular version of Linux (which might help the adoption of using it since many have heard the name) and tends to have great (albeit not perfect) hardware driver recognition. People want to use products by names they know and even if they've never used Ubuntu there is a semi-chance they've heard of it. And calling it just plain Linux which most have heard might bring to mind the old stereotype 'Linux = Ungodly complex geek thingy'.

Wrong problem (1)

Un pobre guey (593801) | more than 4 years ago | (#31620126)

The problem isn't online banking per se, it is the ease with which even savvy users can be duped into fraudulent online transactions. The solution must be much more general. Also, if every place we need to do a secure online transaction requires the booting up of a LiveCD or similar, gods help us. To say the least, that is not a scalable or generalizable solution.

mailing them out is no good (0)

Anonymous Coward | more than 4 years ago | (#31620168)

Bad guys will start mailing out hacked Ubuntu CDs.

Or swap the pile of CDs down at the bank, that's even easier.

This defeats the purpose of an OS (1)

mugurel (1424497) | more than 4 years ago | (#31620178)

What if, after the banks discover this as a way to increase security, software companies start to use this approach to provide a dedicated environment to make their software run even better? We'll spend half our lives waiting for live-cd's to boot.

Theory vs. Reality (4, Insightful)

DaMattster (977781) | more than 4 years ago | (#31620186)

In theory it is a fantastic idea to promote security and virtually prevent problems. In reality, here is what you face: 1. User inertia to do this because it removes some of the convenience of online banking. Maybe Joe and Jane Smith who would be using this would be less savvy than your average computer user and still find a way to bungle things up despite this being totally sandboxed. 2. The fact that this is openly downloadable - Criminal networks can now simply obtain CNL's distro and systematically look for a weakness. A weakness with Linux is generally orders of magnitude harder to find than Windows. It might work if you have a system where you must be a customer of the bank and the distro you download comes with a unique certificate tied to your identity. But the reality of online banking is that it is an inherent security risk. But even then, it is not quite perfect.

Re:Theory vs. Reality (0)

Anonymous Coward | more than 4 years ago | (#31620248)

3. CD drives are on their way out... Then what?

VMWare alternative (1)

oldhack (1037484) | more than 4 years ago | (#31620196)

Similarly, you could build a customized VMWare image and package it with free VMWare player offering.

But you'd need a Windows license if you want a Windows image.

This has been done before... (0)

Anonymous Coward | more than 4 years ago | (#31620246)

Online banking? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31620282)

Since when does online banking need saving?

Great idea! (1)

CoolGopher (142933) | more than 4 years ago | (#31620288)

If I was into phishing I'd build such a CD (pre-set to my spoofed bank site of course) right away and mass-mail it out to everyone with instructions on how to use it. Pick a big bank and you should get enough hits to make it worthwhile the CD printing cost!

Or, how about let's not do this? Technical "solution", social problem. Good luck...

Technical problem (1)

rsilvergun (571051) | more than 4 years ago | (#31620572)

There's a ton of unpatched vulnerabilities in IE. There's even some in Firefox (and if you start adding plug ins, which you have to do to use the web, there's lots). I've gotten viruses from embedded PDFs in youtube comments.

Behavior change (1)

thesaurus (1220706) | more than 4 years ago | (#31620304)

If this works (and it is at least creative) it will have little to do with the security of linux or of a live CD. It will be in getting customers to change their online banking behavior, being willing to take an extra, obtrusive step, reducing convenience in the name of security. Which is quite the opposite direction that banking has been going for a while (ATMs, online banking, mobile banking). Which then begs the question, what about mobile banking?

Re:Behavior change (2, Informative)

anarche (1525323) | more than 4 years ago | (#31620462)

Yep, security could be enforced if we made people walk into a bank with two forms of photo-id before they could do anything....

Boot live cd!! OK! (0)

Anonymous Coward | more than 4 years ago | (#31620334)

I don't know about you guys but I actually work in "THE WILD"...what I want to know is who is going to show all of these people how to boot to a CD... ;>\ WOW!!!

Brillant! (1)

Minwee (522556) | more than 4 years ago | (#31620452)

That's a great idea.

Especially since the technology for building your own pre-owned version of Ubuntu, writing it to a CD-ROM and then printing a bank logo on it is very complicated and expensive and thus completely out of reach of all but the most well funded banks and governments, so we won't ever see anyone tampering with this process.

Simply brillant.

Authenticator (1)

BinaryX01 (1609025) | more than 4 years ago | (#31620460)

This might be a cheaper method by far, but wouldn't it make more sense to send your customers an authenticator (fast one time key to enter along with your user name and password). It would be far less technical than the live CD and filter out the majority of key loggers. I don't know how well the live CD idea would stop phishing attacks, most users will simply click on the link in the email to "confirm" their account information rather than booting into the secure operating system only to find out that there is no area of the site asking them to confirm all the information that was in the email.

Meanwhile....back at the ranch (1)

westlake (615356) | more than 4 years ago | (#31620492)

Microsoft has cut a deal with China Construction Bank, [wikipedia.org] the second largest bank in the world [by market capitalization.]

Microsoft China on March 23 inked a MoU with China Construction Bank, the nation's biggest real estate and mortgage lender, on strategic cooperation.

Under the MoU, both sides will build a new generation online banking IE browser on the base of Windows Internet Explorer. In addition, they will jointly solve problems regarding to certificate management, browser safety monitor system allocation, multi-language version and etc. The new generation USB Key will own non-clink consumer installment function.

CCB expects to top China's online banking market and the cooperation with Microsoft will help improve its online banking service further, said Fan Yifei, vice president of the bank. Microsoft will continue boosting China's online banking market, pointed out Simon L. K. Leung, chairman and president of the company for the Greater China region.

Actually, it is not the first time for the Chinese bank to cooperate with Microsoft. In order to promote online banking software, Microsoft cooperated with a list of commercial banks in China before the launch of Windows 7 and CCB is one of the latter.

Microsoft, CCB to Build Special IE Browser [tradingmarkets.com]

CCB has 16,000 domestic branches, and has expanded overseas to Singapore, Frankfurt, Johannesburg, Tokyo and Seoul. In June 2009, CCB opened its New York Branch and a wholly-owned subsidiary in London.
 

Security updates / patches (1)

poor_boi (548340) | more than 4 years ago | (#31620522)

What about OS and application security updates? It's kind of hard to patch a read-only CDROM :P

Unpatched Firefox for online banking? No thanks! (1)

supremebob (574732) | more than 4 years ago | (#31620566)

Unless they plan on sending you a new Live CD every time a new Firefox or Linux kernel security bug is patched, many users would be vulnerable to attacks within a few months of this CD being released. A smart phisher will eventually construct an effective "man in the middle" style attack using whatever security holes are discovered, and the bank would probably take at least a week to develop, test, and ship new CDs that have the issue patched.
