Comments on: Windows unsafe for online banking http://cuinnovators.com/blog/windows-unsafe-for-online-banking/ At CU Innovators, we help credit unions, CUSO's, and service providers create meaningful products and services for their members and clients. Mon, 14 Mar 2011 17:53:41 +0000 hourly 1 By: Greg http://cuinnovators.com/blog/windows-unsafe-for-online-banking/comment-page-1/#comment-662 Greg Mon, 16 Nov 2009 16:23:07 +0000 http://blog.cuemployee.com/?p=408#comment-662 As someone just passing through, I wanted to say that Windows attacks aren't just a function of Windows being popular. Linux is fundamentally more secure. Being open source means there's more eyes looking for problems, and when a problem is discovered the fact that antagonists can also see the code provides an incentive to fix the problem immediately. Of course that doesn't mean it's practical to tell clients, "Don't use windows!" If they're not careful enough to avoid viruses/phishing then they're not going to be inconvenienced by using a live CD. Assume your users will mess up. As someone just passing through, I wanted to say that Windows attacks aren’t just a function of Windows being popular. Linux is fundamentally more secure. Being open source means there’s more eyes looking for problems, and when a problem is discovered the fact that antagonists can also see the code provides an incentive to fix the problem immediately.

Of course that doesn’t mean it’s practical to tell clients, “Don’t use windows!” If they’re not careful enough to avoid viruses/phishing then they’re not going to be inconvenienced by using a live CD. Assume your users will mess up.

]]> By: Robbie Wright http://cuinnovators.com/blog/windows-unsafe-for-online-banking/comment-page-1/#comment-661 Robbie Wright Thu, 12 Nov 2009 20:11:35 +0000 http://blog.cuemployee.com/?p=408#comment-661 Matt, thanks for the comment. Most current multi-factor authentication mechanisms taken into account both IP and MAC address spoofing and thus do not rely solely on those identifications as a factor. Generally, some type of encrypted cookie is placed on the hard drive instructing the FI to "remember" their computer. Any security designed for online banking, e-trading, or anything else similar should make the assumption that the consumer's computer has already been compromised, by a key logger for example, and take that into account when designing their system. Since MFA is still in "generation 1", we're still learning many things. Most MFA Q&A's have questions that can be answered on Facebook or by looking through public records. Personally, I believe for MFA to be truly secure, you have to have some other out-of-band technique for authenticate the person logging on. I like the Verisign VIP program with either the key fob, or their iPhone and/or Blackberry app. And yes, it is absolutely the job of the FI to take care of the security for their members, but members can also do things to dramatically decrease their likelihood of being compromised. Matt, thanks for the comment. Most current multi-factor authentication mechanisms taken into account both IP and MAC address spoofing and thus do not rely solely on those identifications as a factor. Generally, some type of encrypted cookie is placed on the hard drive instructing the FI to “remember” their computer. Any security designed for online banking, e-trading, or anything else similar should make the assumption that the consumer’s computer has already been compromised, by a key logger for example, and take that into account when designing their system. Since MFA is still in “generation 1″, we’re still learning many things. Most MFA Q&A’s have questions that can be answered on Facebook or by looking through public records. Personally, I believe for MFA to be truly secure, you have to have some other out-of-band technique for authenticate the person logging on. I like the Verisign VIP program with either the key fob, or their iPhone and/or Blackberry app. And yes, it is absolutely the job of the FI to take care of the security for their members, but members can also do things to dramatically decrease their likelihood of being compromised.

]]> By: matt http://cuinnovators.com/blog/windows-unsafe-for-online-banking/comment-page-1/#comment-660 matt Wed, 11 Nov 2009 21:00:09 +0000 http://blog.cuemployee.com/?p=408#comment-660 In the article referenced it talks about the ability of these thieves to trick the FI into thinking it is a customer's usual computer/IP address. If that is one of the three lines of defense(something they are [computer identification]), and a keylogger can pick up either/or the second or third piece (something they know or something they have), then apparently it isn't all that 'nearly impossible' because people are out there doing it. I would have to argue that the responsibility for security lies in the hands of the FI, not the consumer. The point of a FI is to keep peoples money safe, that is why we pay them. Otherwise, I'd put my money in a shoebox under my bed. It would be cheaper, anyway. (And apparently safer than online banking) I know its tough, but FI's need to stay one step ahead of the online security game, no matter the cost. Its their job. In the article referenced it talks about the ability of these thieves to trick the FI into thinking it is a customer’s usual computer/IP address. If that is one of the three lines of defense(something they are [computer identification]), and a keylogger can pick up either/or the second or third piece (something they know or something they have), then apparently it isn’t all that ‘nearly impossible’ because people are out there doing it.
I would have to argue that the responsibility for security lies in the hands of the FI, not the consumer. The point of a FI is to keep peoples money safe, that is why we pay them. Otherwise, I’d put my money in a shoebox under my bed. It would be cheaper, anyway. (And apparently safer than online banking) I know its tough, but FI’s need to stay one step ahead of the online security game, no matter the cost. Its their job.

]]>