Windows not fit for online banking, says Washington Post blog
It would be easy for Linux and Mac users to point to this blog post by Brian Krebs at the Washington Post's Security Fix and feel smug. The post flat out states that the simplest, most cost-effective way to avoid online fraud is: "Don't use Microsoft Windows when accessing your bank account online."
If you're a Windows user, ouch.
But hold on a second. The thing is, Krebs isn't endorsing the Mac or Linux platform in his condemnation of Windows. Rather, he's pointing out that Windows is the most-targeted platform, but that certainly doesn't mean that Macs or Linux machines are invulnerable.
Krebs points out that the safest way to avoid malware and make sure your banking session is secure is to boot your machine from a Live CD that is a pristine, uninfected environment. Live CDs are typically Linux variants, but the OS doesn't really matter -- what matters here is that you are booting an operating system that malware can't infect because its state is not persistent.
This is solid advice, and it leads me to wonder how long it will be before the major OS makers offer a locked-down virtual machine, or better yet a locked-down banking partition: a fast-booting, lightweight OS containing only a secure browser with which to do your most sensitive online tasks.
Kind of sounds like a job for Chrome OS, doesn't it?

Reader Comments (Page 1 of 2)
PC-VIP said 2:14PM on 10-14-2009
This is BRILLIANT Analysis
Computers aren't insecure, CORRUPTED computers are insecure.
We've been training our clients to deal with decisions like this forever. Nice to see a smart answer like this crop up in a big way!
Jeff Yablon
President & CEO
http://answerguy.com
Rob said 3:26PM on 10-14-2009
This is ridiculous; Windows is the best client OS for online banking. One can use Trusteer security software to prevent OS APIs from accessing the browser during transactions, as well as provide for encrypted keystrokes that are decrypted at the bank/website. ING Direct gives it away for free.
Rob said 3:28PM on 10-14-2009
The Trusteer thing also prevents man-in-the-middle attacks, because in the insanely unlikely event that the SSL connection is compromised, the attacker will just have encrypted gibberish.
http://www.trusteer.com/technology
Todd said 2:19PM on 10-14-2009
Back up a little bit and address the core issue:
Never allow an app to access the OS kernel. Isolate one app from the other. Don't give any app 100% CPU resources.
Is Windows 7 still violating all the above no-brainers?
kon said 2:41PM on 10-14-2009
Not as far as I can tell (then again, I have a quad core). There's a strict UAC in place - but people choose to turn that off, because it's "annoying". Stupid people should not be allowed to turn that off. Smart people don't get viruses.
sitruc said 2:46PM on 10-14-2009
Washington Post computer and technology coverage is a joke.
mcornickm said 2:48PM on 10-14-2009
So what they are saying is use an OS that most people don't use and you're OK. Great.
Lee Mathews said 2:49PM on 10-14-2009
Sure, his suggestion makes sense - to us. But what about the average user (including executive types who read the Post)?
Open question to the readers: do you think the average Joe will care enough to find, download, and burn a LiveCD AND figure out how to use it?
My vote: nope.
If you agree, what's a more workable solution - assuming most of the people won't jump through non-Windows hoops?
Jonathan Harford said 2:53PM on 10-14-2009
Just what I need -- one more laborious step keeping me from paying my bills on time. If I'm really concerned, I'll use Firefox in an Ubuntu virtual machine -- I'm sure that'll be locked-down enough, right?
blueruckus said 3:09PM on 10-14-2009
In related news, the best way to avoid dying in a plane crash is to not be in a plane.
williamjaywhalen81 said 3:10PM on 10-14-2009
I'll use my AS/400.
aircave said 3:38PM on 10-14-2009
option b... regular malware scans, anti-malware (2+), firewall, HIPS, updated software, sandboxed browsers, xp-antispy (or equiv.), opera (no js/java) or firefox (noscript + AbP + WOT + SSLBlacklist)
Jordan said 3:18PM on 10-14-2009
This is just some douche who has something against Windows and is trying to get recognition for putting it down.
Don't use Windows for online banking? Well then I guess not many people in the world are going to use online banking
Danny said 3:25PM on 10-14-2009
It's not all about the OS when it comes to "secure" online banking. Windows would be more secure than Linux if the user has never been an admin on the box and the machine is updated regularly. Most malware is written for Windows because most people use Windows. If we all switched to Macs, I'm sure you'd hear more about the Mac vulnerabilities and the exploits written for those vulnerabilities.
If I told you that people on the Gulf Coast should build all glass houses, because fewer glass houses were destroyed by Hurricane Katrina than brick houses, you would laugh in my face. That's exactly what Brian Krebs is doing in this article. Just because you live in the glass house of unix doesn't mean you're secure. By default, Ubuntu has no firewall running, Firefox has its own set of vulnerabilities and so does everything else you use.
If you want safe banking, do it yourself. Pencil and Paper and a safe with biometric controls and an impenetrable outer casing.
whatever said 3:46PM on 10-14-2009
Running a "pristine live CD" in a virtual environment makes no sense. The virtual PC is only as secure as its host. Therefore, if you have a compromised primary machine, putting a virtual PC on top of it does exactly nothing.
Raaj said 4:02PM on 10-14-2009
This is a knee-jerk reactionary article, from an author that 'plays with five computers and dozens of other chirping blinking devices.'
Sure, booting from a LiveCD will prevent the OS from being infected.. but what about phishing and social engineering attacks? What about SSL compromises? What if the host OS has already been compromised when the user visited teh pr0n sites, or downloaded some shady software from sleazy web sites? Using LiveCD in that case will not completely protect the user.
In the end, the article should have been titled "stupid users are not fit for online banking, or Web surfing altogether." Even if the stupid user hides behind LiveCDs, or *nix based OS for long if s/he continues to use stupid decisions while online.
216 said 4:11PM on 10-14-2009
No OS is safe from Phishing attacks
really, the ONLY thing that can save you from a phishing attack is awareness
NyaR said 4:26PM on 10-14-2009
USERS not fit for online banking
FTFY
set said 4:29PM on 10-14-2009
Has there been actual theft from online banking exploits? You can't withdraw cash online. The potential for crime is rather overstated, IMO.
set said 4:33PM on 10-14-2009
I didn't know people could initiate wire transfers online. All my online banking is good for is checking balances and billpay.