Windows unsafe for online banking

Take a look for yourself here.

What a load of crap.  That’s like saying people die wearing seat belts, thus it must be the seat belt’s fault so you shouldn’t wear your seat belt.  The reason there are so many viruses and malware for Windows is because it is such a big “prize” for hackers.  MS owns the desktop OS market, thus making them the biggest target.  If you were going to rob a bank, wouldn’t you pick the branch that had the most money in it?  It doesn’t make much sense to write a virus for Linux because it owns such a small portion of the market that the payoff would be nothing.

The FFIEC guidelines for multi-factor authentication are a pain.  But the concept behind MFA is a must.  There are three ways to identify someone online: something they know (Q&A), something they are (bio-metrics or computer ID), and something they have (cell phone or email).  If an FI really, truly applies 2 of those factors, it will make it nearly impossible to directly hack a person’s account.  The article speaks of the proverbial “man in the middle” attack in which a hacker somehow manages to gain access to the user’s password, either through a keylogger or a fictitious webpage made to look like the real thing.  Both of these are easy to stop:

  1. Don’t download anything from anyone you don’t know.
  2. Don’t install anything from anyone you don’t know.
  3. Don’t follow a link to an FI website, type it in or bookmark it yourself.
  4. Look at the url of the webpage you are on and make sure it says

Now some will argue that most people aren’t smart enough to figure that out on their own.  True, it is possible to build such a great phishing site that even an employee couldn’t tell the difference, but it is highly unlikely.  This is where the FI has to step in.  Companies like Trusteer have built a glorified browser add-on, but it works.  It prevents any type of keylogging software from detecting what is being typed into the webpages that the browser is serving up.  They’ve done the right thing and they count on the users machine already being infected.  Additionally, FI’s could help with 3 and 4 by offering other security measures like RSA keys.  Make it optional for users if they want it or if a member has had fraud on their account, make it mandatory.

However FI’s and online banking companies handle their security, two things need to happen: The users have to take some responsibility for their actions (don’t log into phishing sites or download shady applications) and FI’s have to offer appropriate security measures to make unauthorized access to someone’s account extremely difficult.