Time to ditch Windows for online banking and shopping [UPDATED]


Sylvander
10-15-2009, 10:22 AM
Time to ditch Windows for online banking and shopping [UPDATED] (http://blogs.zdnet.com/hardware/?p=5813&tag=nl.e550)

1. The kinds of reasons he gives here are why I went searching for a safer way, and found [and began using] Puppy Linux. :)
I did it before ever I'd seen such articles.

PrntRhd
10-15-2009, 11:36 PM
Really now, phishing has very little to do with the OS and a lot to do with how you use your PC on the Web.

Paul Komski
10-16-2009, 12:17 AM
PrntRhd is correct of course and the most relevant, but rather misleading, entry is:-
"you also protect yourself from phishing attacks by not using the Live CD for anything other than banking and shopping (no email, no Facebook/MySpace …). You boot into the Live CD, do what you want to do, and close the OS when you're done"
If you go on line at all you will see urls and if you can see them you can click on them and be misdirected. This can happen from Linux and from Windows and from a Mac.

Since eMail and IM are amongst the commoner applications where phishing attacks take place then avoiding using/installing eMail etc on one PC running any OS (used only for surfing at specific websites) has something to commend it, but bear in mind that phishing is done in other ways as well.

So if you use email at all (on any PC) and get a bogus request to confirm your banking details (or whatever) and react to the request then it matters not a jot which operating system is running at the time.

classicsoftware
10-16-2009, 03:06 AM
I hate to agree with Sylvander, but I must partially. In the US, personal bank accounts are protected. Business accounts are not. If you operate a business, you should do your banking on a Live Linux CD. Please read this article (http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html?wprss=securityfix) and the entire series in the Washington Post. Brian Krebs is the most plugged-in reporter in the lay press. These trojans are scary. Any business that banks on line with a Windows PC is NUTS.

mjc
10-16-2009, 03:16 AM
"PrntRhd is correct of course and the most relevant, but rather misleading, entry is:-

"If you go on line at all you will see urls and if you can see them you can click on them and be misdirected. This can happen from Linux and from Windows and from a Mac.

"Since eMail and IM are amongst the commoner applications where phishing attacks take place then avoiding using/installing eMail etc on one PC running any OS (used only for surfing at specific websites) has something to commend it, but bear in mind that phishing is done in other ways as well.

"So if you use email at all (on any PC) and get a bogus request to confirm your banking details (or whatever) and react to the request then it matters not a jot which operating system is running at the time."

I think the point is to develop the habit of only using the LiveCD for that one particular purpose...and then ignore any banking/c-card stuff anywhere else.

I would probably choose a 'minimalist' distro, customize the setup (browser specifically) then set up the LiveCD...

Sylvander
10-16-2009, 06:19 AM
1. "If you go on line at all you will see urls and if you can see them you can click on them and be misdirected. This can happen from Linux and from Windows and from a Mac"
(a) Not sure of the significance of what you are saying here.
When going to important websites, I always use the URLs stored in my Acerose Password Vault (http://www.dexadine.com/acerose.html) that I know to be good.

(b) Or do you mean during general web browsing?
What would you be misdirected to that would pose a threat to the security of banking and online purchases carried out using the Linux "live" optical disk?
The whole idea proposed is that the live disk only be used for banking and purchasing, not for general browsing.
General browsing would be done elsewhere.

2. "So if you use email at all (on any PC) and get a bogus request to confirm your banking details (or whatever) and react to the request then it matters not a jot which operating system is running at the time"
(a) I get that.
That's why I ALWAYS use either Mailwasher in Windows, or else the FREE SaveMyModem [smm] in Puppy Linux.
I look at the headers, delete those not wanted/needed, then fetch the remaining emails in either Windows or Puppy depending on their content.

(b) smm fetches the email headers, flags almost all of the spam as [SPAM]...
I ignore pretty much all emails that purport to be from my bank or credit card companies.
If one looked like it might be genuine [I know which genuine ones to expect], I'd NEVER click on any link within it.
Instead I'd use the URL [and username & password etc] inside the password vault to visit the website and check out whether the email content was true.
The password vault contents are encrypted.

(c) You may have noticed the flaw in using Acerose Password Vault.
It's a Windows program, and must be run under WINE if doing this using a Puppy Linux.
And WINE has all the vulnerabilities of Windows [so I've heard].
Don't know if I can be bothered to use instead a USB Flash Drive and TrueCrypt [as suggested in the article].

3. "I would probably choose a 'minimalist' distro, customize the setup (browser specifically) then set up the LiveCD"
I need to learn how to remaster a Puppy session to an optical disk so it includes all the configurations and additional packages.
Or is that too risky?
Not a practical necessity to avoid doing this?
Or would it be better just to encrypt the pupsave file?
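
Added example, not part of the original thread or of any tool named in it: the check Sylvander describes in point 2 above, comparing the links in a purported bank email against the known-good URL kept in the password vault. The vault entry, the bank hostname and the sample email are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the known-good URLs kept in a password vault.
KNOWN_GOOD = {"My Bank": "https://online.mybank.example/login"}

# Constructed sample message body (not taken from any real email).
SAMPLE_EMAIL = """<p>Dear customer, please confirm your details:</p>
<a href="https://online.mybank.example.login-check.test/login">https://online.mybank.example/login</a>
<a href="https://online.mybank.example@198.51.100.7/login">Confirm now</a>
<a href="https://online.mybank.example/statements">View statement</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scheme_and_host(url):
    """Return (scheme, lowercase host); ('', '') if the URL cannot be parsed."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        return parts.scheme.lower(), (parts.hostname or "").lower()
    except ValueError:
        return "", ""


def audit_links(html_body, known_good=KNOWN_GOOD):
    """Flag every link whose target is not exactly a vault host over https."""
    trusted = {scheme_and_host(u)[1] for u in known_good.values()}
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        scheme, host = scheme_and_host(href)
        reasons = []
        if scheme != "https":
            reasons.append("not https")
        if host not in trusted:  # exact match: lookalike subdomains fail
            reasons.append("host not in vault")
        # Only treat the visible text as a host claim when it looks like a URL.
        if text.lower().startswith(("http://", "https://", "www.")):
            if scheme_and_host(text)[1] != host:
                reasons.append("visible text shows a different host")
        findings.append({"href": href, "host": host, "reasons": reasons})
    return findings
```

The first two sample links put the bank's name in front of a different host (as a subdomain prefix and as the userinfo part before "@"), and both are flagged. A link that passes is still opened from the vault entry rather than from the email, as the post describes.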

mjc
10-16-2009, 08:20 AM
The one time I remastered a DSL disk it was easier to do from within a Linux environment (tried from within Windows first)...but the major advantage of remastering is that your customized version is now portable. That's easier than having to carry around a portable storage device and the disk.

Paul Komski
10-17-2009, 03:04 AM
I agree that using such a Live CD is a fantastic way to minimize risks and highly recommended for such activities. The pedantic point was simply that it doesn't specifically avoid phishing as mentioned in the article. Nor does it avoid all hacking possibilities.

A small risk is not the same as no risk and correct habits as well as vigilance are always needed both on and off-line. Identity theft is just as much or more likely to be gleaned from theft or careless disposal of sensitive information, PAC numbers and so forth.

PS
Indeed - would dual-booting to a properly configured modern version of windows in which one never uses email and only ever visits one website be significantly more dangerous than using a Live CD?

classicsoftware
10-17-2009, 08:51 AM
"I agree that using such a Live CD is a fantastic way to minimize risks and highly recommended for such activities. The pedantic point was simply that it doesn't specifically avoid phishing as mentioned in the article. Nor does it avoid all hacking possibilities.

"A small risk is not the same as no risk and correct habits as well as vigilance are always needed both on and off-line. Identity theft is just as much or more likely to be gleaned from theft or careless disposal of sensitive information, PAC numbers and so forth.

"PS
Indeed - would dual-booting to a properly configured modern version of windows in which one never uses email and only ever visits one website be significantly more dangerous than using a Live CD?"

You are 100% correct. The problem presently is the two trojans that are stealing the on-line banking credentials are so sophisticated they are able to defeat any bank security system in place. This is more of a problem for a person who is doing business banking on line as there is ZERO government protection. If they clean you out, the money is gone....

PrntRhd
10-17-2009, 12:55 PM
Business users should control their risk by obtaining paid insurance against criminal loss via this route. If the insurer gives lower rates by using Linux or Unix or other methods of securing the PC that is good for the insurer and the business.
The point of sale terminal at businesses where they buy things may also be as dangerous to their cash accounts and is not something they can control themselves by using Linux.

jlreich
10-17-2009, 10:41 PM
"The point of sale terminal at businesses where they buy things may also be as dangerous to their cash accounts and is not something they can control themselves by using Linux."
I wouldn't worry too much about that. I work on POS systems every day. Those systems are locked down pretty well and debit/credit card readers are encrypted and very sensitive to hardware attacks.

The only thing you really need to worry about is the human factor when making transactions. Employees are the problems in this area. ;)

As far as phishing goes you just need to know that your bank or any other such organization is not going to ask for your credentials through an email or similar means. And even if I know 100% that an email is from my bank I never, never, ever click on a link in an email from my financial institution. ;) ;) ;) ;) ;)

Malware is another story. Not using Windows is an excellent idea, but unfortunately it isn't going to happen for most people. Let's face it, people aren't going to pop in a Live CD just to do their banking. :( I agree that for businesses they do need to take additional steps to ensure their safety. And for standard users that are willing that's great. But probably the best advice I can give beyond AV and all that is to check your accounts daily. That way if something suspicious comes up it can be addressed quickly and the damage can be minimized.

Something that most people don't think about is their financial accounts other than banking. Most don't realize that retirement and brokerage accounts are in no way protected like a bank account is. If the money is taken it is gone forever. There is no $50 liability, it's just gone. No laws to save you. ;) So it is very possible that grandma who has a million bucks in her retirement account gets a trojan that steals her password (or by some other means), they transfer all her money to an offshore account, and she loses all of her retirement. :eek: It has and does happen. So don't forget to keep tabs on those accounts as well. Depending on how much cash you have in those accounts it could be even more important than your checking and savings account. ;)

Paul Komski
10-18-2009, 03:54 AM
A minor point to state is that the law outside the US is not always the same. Another general point is that it is a good general principle, for those that have savings etc, to break them up and not have them all in one or two baskets. Yes one can maybe get better deals and interest rates for large sums but that, I feel, should be tempered by hedging one's bets in other ways. This became more and more obvious over the past year or so where those that had kept all their savings in one failed institution lost, literally, everything. The same principle should apply even more so maybe to electronically accessible funds just because they are accessible in that way.

PrntRhd
10-18-2009, 04:00 AM
The credit card/debit card clearing house incidents such as Heartland Systems and POS site incidents such as Office Max and Dave & Busters do not inspire confidence in the security of the systems.
Of course retirement accounts are higher value targets and many times insiders are also tempted to steal the money.
If attempts to divert millions directly from governments have been discovered almost anything is possible and will be tried to find weaknesses in the West's financial controls.

jlreich
10-18-2009, 11:44 AM
"The credit card/debit card clearing house incidents such as Heartland Systems and POS site incidents such as Office Max and Dave & Busters do not inspire confidence in the security of the systems."
That is true. There are those that their systems are lacking in security and have other problems, but for the largest part these transactions are quite safe. For the one I think that had wireless systems that were not encrypted should be jailed in my opinion. Or just simply put to death because they are so stupid we don't want their gene pool floating around anymore. :p

I am no expert on the matter, but from my experience you are more likely to get popped by a skimming device on an ATM than a debit reader getting hacked. But again, the biggest danger in my opinion is employees, both at the store and to be honest to a lesser extent those like me that service the equipment. I say lesser for service persons because most have to go through federal background and credit checks as part of the hiring process. The cashier at your local box-mart making minimum wage does not go through such checks.

classicsoftware
10-20-2009, 12:28 AM
Heartland is nothing compared to this. First of all no business can insure for that kind of cash loss. These are massive frauds.

Bullitt County, Kentucky $415,000.00 (http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html)
Western Beaver School District $700,000.00 (http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html)
Slack Auto Parts $75,000.00 + JM Test Systems $100,000.00 (http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html)
Unique Industrial Product Co $1,200,000.00 (http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272_2.html?sid=ST2009082500907)

This, I am sure, is just the tip of the iceberg. This is no longer an inconsequential problem. This is an organized gang of eastern European cyber crooks who are stealing millions of dollars from US and I am sure European businesses.

Sylvander
10-20-2009, 07:45 PM
Security - running as root (http://murga-linux.com/puppy/viewtopic.php?t=48006).
"Puppy always runs as root and therefore could still be vulnerable to hidden downloaded executables that could read and subsequently re-transmit any sensitive data such as passwords that are resident in RAM during the on-line session.

In order to close down this possibility, it would be better to at least have the option of logging in to Puppy as a non-root user - even while running from live CD, so that rogue applications have no ability to install without appropriate authentication.

Would be a great step-up for Puppy to have this available from now on - maybe starting with the planned 4.4CE version."

This is something of a minority viewpoint at the Puppy Linux forums methinks.

Paul Komski
10-21-2009, 12:46 AM
"This is something of a minority viewpoint at the Puppy Linux forums methinks."
I have never understood a reluctance to run Linux as a normal user and not as root as is normal in most distros. In this case all one would need would be one specific CD for on-line banking. Not only would this stymie rogue executables but along with a user password it would also help prevent any other unauthorised access (via networking or by a physical person) to the PC.

Sylvander
10-21-2009, 03:25 AM
I've seen Barry Kauler [the creator of Puppy who is still working hard and coming up with new stuff all the time] argue in favor of running as root.

He said that not running as root is no great protection [and losing it not worth the dubious gain], and quoted a way in which a hacker could easily wreak havoc [deleting all files I think] even though not running as root.

I guess that's why he provided other protections/methods instead.

The argument for and against has apparently been going on for years, and when it starts up again here and there, people say "oh no, not again".

Notice that so far there has been almost no response to the thread by tronkel.

Paul Komski
10-21-2009, 03:29 AM
What's the big deal in having to use a password to gain access to one's otherwise secure online banking access? Use root etc for your experimenting area, downloading area, etc etc by all means.

Sylvander
10-22-2009, 04:57 PM
Project Read Only Puppy (http://murga-linux.com/puppy/viewtopic.php?t=42825).
Alternatives to using a [read-only] "live" optical disk.

classicsoftware
10-27-2009, 12:51 PM
Update: Brian Krebs of the Washington Post reports that the FBI admits cyber-criminals have stolen over 40 million dollars from US small & mid-size businesses.

Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, said criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and medium-sized businesses, and have successfully made off with about $40 million of that money.
FBI: Cyber Crooks Stole $40M From U.S. Small, Mid-Sized Firms-washingtonpost.com > Technology > Security Fix By Brian Krebs | October 26, 2009; 1:00 PM ET (http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html?wprss=securityfix)

Variable
10-30-2009, 02:40 PM
It is entirely possible to have a Windows machine with no malware or viruses on it. I am not sure of the bigger argument that any given user would/should use a Puppy boot CD, given that they are unsophisticated to the point of putting in their banking credentials based on a phishing email, which would completely bypass the security inherent in using a non-writable boot disk for surfing.

I think the argument has merit if you are unsure of the status of your machine and want to preclude any possible issues by using a non-writable bootable OS for specific transactions. The realities of getting people to do this is questionable. The secondary argument would be that even doing the above would only preclude exploits that are OS based WHILE you are using Puppy...

You could continue to say that even using Puppy full time would not stop email exploits such as phishing scams nor stop a user from sending unencrypted packets over a network medium, etc.

classicsoftware
11-06-2009, 12:10 AM
The FBI (http://www.fbi.gov/cyberinvest/escams.htm) chimes in......
From the FBI's Internet Crime Complaint Center (IC3) (http://www.ic3.gov/media/2009/091103-1.aspx)

jlreich
11-06-2009, 08:40 AM
My credit union has reported that they are getting an unusually high number of fraudulent charges over the last few months. This really doesn't surprise me though. When we are in tough economic times criminals always increase their efforts as well as people getting desperate become more vulnerable to social engineering.

I have been convinced, businesses need to have a terminal that is used for this purpose only and not Windows-based.

PrntRhd
11-06-2009, 11:08 AM
One of Classicsoftware's FBI links does say this is based on "spear phishing" emails and targeting of specific financial institutions.

Variable
11-06-2009, 11:14 AM
"I have been convinced, businesses need to have a terminal that is used for this purpose only and not Windows-based."

JL, that will only help if the exploit is through malware installed on a machine. If someone receives an email and then clicks on a link and enters their banking information... using a dedicated terminal provides no protection.

What would work is if you could set up an IPsec or shared key VPN connection to the bank for a terminal and specify that no other connection to the bank's online account would be granted by the bank except using this method. This way, even if someone had your username and password they could not connect to the bank online, period. Anyone familiar with VPN connections should be familiar with any number of add-on features that add multiple levels of security besides a username and password.

classicsoftware
11-06-2009, 09:56 PM
These guys are really sophisticated. This whole thing is so encrypted, the AV companies have not been able to reverse engineer it. Second, they are going after mid-level banks that don't have the most sophisticated security. Finally, they are going after small businesses that can't recoup the money from the banks. This is a massive fraud. At this point any small business needs to use a LIVE CD or a Linux or Mac OS PC to do business banking....

PrntRhd
11-07-2009, 01:14 AM
They are using automated clearing house attacks to clean out accounts:
http://www.securityfocus.com/brief/1032