Windows unsafe for online banking

Take a look for yourself here.

What a load of crap.  That’s like saying people die wearing seat belts, so the seat belt must be at fault and you shouldn’t wear one.  The reason there is so much malware for Windows is that Windows is the biggest “prize” for hackers: MS owns the desktop OS market, which makes it the biggest target.  If you were going to rob a bank, wouldn’t you pick the branch with the most money in the vault?  It doesn’t make much sense to write a virus for Linux desktops when Linux holds such a small share of that market that the payoff would be negligible.

The FFIEC guidelines for multi-factor authentication are a pain, but the concept behind MFA is a must.  There are three kinds of factor for identifying someone online: something they know (a password or challenge questions), something they are (biometrics), and something they have (a registered computer, a phone or e-mail inbox that receives a one-time code, or a hardware token).  If an FI really, truly applies two of those factors, it will make it nearly impossible to directly hack a person’s account with a stolen password alone.  The article speaks of the proverbial “man in the middle” attack, in which a hacker somehow gains access to the user’s password, either through a keylogger or a fictitious webpage made to look like the real thing.  Strictly speaking those are credential theft rather than a true man in the middle, but both are easy to stop:

  1. Don’t download anything from anyone you don’t know.
  2. Don’t install anything from anyone you don’t know.
  3. Don’t follow a link (from an e-mail or anywhere else) to an FI website; type the address in or use a bookmark you created yourself.
  4. Look at the URL of the page you are on and make sure the hostname (the part after https:// and before the next /) is mycu.com or ends in .mycu.com.  mycu.com.somethingelse.net or somethingelse.net/mycu.com is not your credit union.
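Item 4 is harder than it sounds, because the address bar shows the whole URL and a phishing page pads it with the real name in the wrong place.  The following Python check is an added illustration, not code from the original post or from any FI: it takes mycu.com (the placeholder name the post uses) as an assumed real domain and decides whether a given address actually belongs to it.  The sample addresses are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption for the example: the credit union's real registered domain.
FI_DOMAIN = "mycu.com"


def host_belongs_to(url: str, fi_domain: str = FI_DOMAIN) -> bool:
    """Return True only if url is an https URL whose host is fi_domain or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False                      # online banking without TLS is never right
    host = parts.hostname                 # drops user:pass@, the port and upper case
    if not host:
        return False
    try:
        # Convert any Unicode label to its xn-- form so a look-alike letter
        # (e.g. Cyrillic 'у' in place of Latin 'y') cannot match the real name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    host = host.rstrip(".")               # "mycu.com." is the same host as "mycu.com"
    return host == fi_domain or host.endswith("." + fi_domain)


# Constructed sample addresses of the kind a phishing mail might carry,
# with the verdict a careful reader would reach by eye.
SAMPLES = {
    "https://mycu.com/login": True,
    "https://online.mycu.com/": True,
    "https://MYCU.COM:443/": True,
    "http://mycu.com/login": False,                   # no TLS
    "https://mycu.com.secure-login.example/": False,  # real name is only a prefix
    "https://mycu.com@attacker.example/": False,      # userinfo trick; real host follows the @
    "https://attacker.example/mycu.com/login": False, # real name is in the path
    "https://m\u0443cu.com/": False,                  # Cyrillic 'у' homograph
}


def check_samples() -> dict:
    """Run every sample through host_belongs_to; returns {url: verdict}."""
    return {url: host_belongs_to(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'OK  ' if verdict else 'FAKE'} {url}")
```

The check deliberately works on the parsed hostname rather than on the raw string, which is why the userinfo and path tricks fail: both contain the literal text mycu.com, but neither has it as the host.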

Now some will argue that most people aren’t smart enough to figure that out on their own.  True, it is possible to build a phishing site so good that even an employee couldn’t tell the difference, but it is highly unlikely.  This is where the FI has to step in.  Companies like Trusteer have built what amounts to a glorified browser add-on, but it works: it is designed to keep keylogging software from capturing what is typed into the pages the protected browser serves up.  They’ve done the right thing and assumed the user’s machine is already infected.  Additionally, FIs could help with items 3 and 4 by offering further security measures such as one-time-password tokens (RSA SecurID and the like): a code captured by a keylogger expires within a minute or so, so it is worth little to the thief.  A phishing site that relays the code to the real site in real time can still get in, which is why items 3 and 4 still matter.  Make it optional for users who want it, and mandatory for a member who has had fraud on their account.

However FIs and online banking companies handle their security, two things need to happen: users have to take some responsibility for their actions (don’t log into phishing sites or download shady applications), and FIs have to offer security measures that make unauthorized access to someone’s account extremely difficult.

3 thoughts on “Windows unsafe for online banking”

  1. The article referenced talks about the ability of these thieves to trick the FI into thinking it is a customer’s usual computer/IP address. If that is one of the three lines of defense (something they are [computer identification]), and a keylogger can pick up either the second or the third piece (something they know or something they have), then apparently it isn’t all that ‘nearly impossible’, because people are out there doing it.
    I would have to argue that the responsibility for security lies in the hands of the FI, not the consumer. The point of an FI is to keep people’s money safe; that is why we pay them. Otherwise, I’d put my money in a shoebox under my bed. It would be cheaper, anyway (and apparently safer than online banking). I know it’s tough, but FIs need to stay one step ahead of the online security game, no matter the cost. It’s their job.

  2. Matt, thanks for the comment. Most current multi-factor authentication mechanisms take into account both IP and MAC address spoofing and thus do not rely solely on those identifications as a factor. Generally, some type of encrypted cookie is placed on the hard drive instructing the FI to “remember” their computer. Any security designed for online banking, e-trading, or anything else similar should make the assumption that the consumer’s computer has already been compromised, by a key logger for example, and take that into account when designing the system. Since MFA is still in “generation 1”, we’re still learning many things. Most MFA Q&As have questions that can be answered on Facebook or by looking through public records. Personally, I believe that for MFA to be truly secure, you have to have some other out-of-band technique for authenticating the person logging on. I like the Verisign VIP program with either the key fob or their iPhone and/or Blackberry app. And yes, it is absolutely the job of the FI to take care of the security for their members, but members can also do things to dramatically decrease their likelihood of being compromised.

  3. As someone just passing through, I wanted to say that Windows attacks aren’t just a function of Windows being popular. Linux is fundamentally more secure. Being open source means there are more eyes looking for problems, and when a problem is discovered, the fact that antagonists can also see the code provides an incentive to fix the problem immediately.

    Of course that doesn’t mean it’s practical to tell clients, “Don’t use Windows!” If they’re not careful enough to avoid viruses/phishing, then they’re not going to be inconvenienced by using a live CD. Assume your users will mess up.
