Fallen down

Bootable CDs for banking, and why they won't work

I've been seeing from a lot of security types that banking from your home PC using Windows is inherently insecure, and that a solution to this is to use an OS on a bootable CD (the Live CD is usually touted). This is an elegant technical solution to the problem represented by an OS that runs from rewriteable media. For the purposes of the discussion, the specific OS doesn't matter; depending on a specific OS to protect you because it's a small fraction of the installed userbase is depending on a variant of security by obscurity. Ideally, you shouldn't bank online at all, say the extremists.

However, it's a terrible idea outside of the merely technical. Let's start with why online banking exists. Online banking exists because a bank's business model and inventory are both based on bits, not atoms. Banks actively work to reduce the number of atoms that they have to concern themselves with, because they only make money on bits, and atoms are a cost. As customers of a bank, we want them to do this, because the banks' costs are passed on to the customer. Thus, the rise of ATMs (which, while atomic in nature, consist of cheaper atoms than do tellers). Thus the rise of online banking (a server farm is made of cheaper atoms than a bank branch, in addition to having negligible cost for additional operating hours versus a traditional branch). Thus the death of checks enclosed in your statement (since they are converted to bits at the earliest opportunity and the atoms disassociated, rather than being schlepped across country). &c, &c. Online banking is here to stay.

So, on to why bootable OS CDs won't work. First I'll do the consumer side, then the bank side. And then I'll go over why they don't solve the problem anyway.

The consumer side: I have on my desk a multitasking POWERHOUSE undreamed of, say, 20 years ago. Skipping the rest of the hyperbole, it is vanishingly unlikely that I have to close down my other applications to open up an online banking application. Nor would I want to - I balance my checkbook not by pen and paper, but by database. By doing this I don't have to worry about arithmetic errors, puzzling out handwriting, etc. And to avoid data entry issues, I don't hand-type information into the database; I retrieve it via the internet. Likewise, I schedule outgoing payments in my financial management program. There's a positive benefit to doing so: I don't have to give a third party permission to debit my account, and the timing of doing so is ENTIRELY under my control, across multiple financial institutions and payees. The communications between this application and my banks are encrypted, but essentially (S)HTML. It essentially includes the functionality of a web browser. And you want me to give up the incredible power of automation and communication for security? Fat fricking chance. This gets worse if I'm a business owner, incidentally. As a private person I could manage my finances via paper if I wished, though it would be much harder, and significantly more expensive. It would be essentially impossible to do so as a small business owner, certainly not if I wish to stay on the right side of the tax man and the bar association.

The bank side: A CD is made of atoms, and they are atoms that do not replace other, more expensive atoms. They aren't even passive atoms; the CDs have to be made available to customers, and thus schlepped about the country, inventories have to be managed and refreshed from time to time, technical issues need to be supported (and tech support comes attached to some very pricy atoms indeed, even if they are located on the other side of the world). The bank wants nothing to do with them. All they do is reduce costs; and costs are passed on to the customer. Period - by definition a for-profit company passes all of its costs and a markup on to the customers.

But, let's say you've convinced me; your bootable OS CD also has a financial management program that can write to the local storage device, so I can take advantage of the power of my computer while still keeping an unbreachable wall of security around the OS. Let's say you've convinced the bank that the CD will reduce the costs associated with online bank fraud; the OS booted from the CD is immune to trojans and other malware.

It is still not secure. Let's start with distribution: at some point these CDs must be mastered. That mastering plant is an extremely vulnerable single point of failure. Get your malware in at the source, and you've slipped past every defense; plus it's very expensive to repair the damage. You have to reship EVERY infected CD, doubling your costs. You have to ship the CD. Do I need to go into the kind of man-in-the-middle attacks possible if you ship them directly to the end user via the mail system? It's trivial for Eve to insulate herself from mail fraud by using mules, and not much more trivial to use unwitting mules. I wouldn't count on the high cost of atoms to deter the black hats - ATM skimmers work despite being made of atoms, not bits. But if you ship them to the bank, they have to be kept in a secure location, or the supply of CDs can be tainted by inserting malicious ones into the supply. Which defeats the purpose of having online banking in the first place, which is reducing the amount of walk-in traffic to branches. And since it must, by definition, be available to the public, you can't secure the data on it from an attacker.

It doesn't stop phishing: even if no bank actually offers downloadable ISO images, the phishers will...

Each bank is vulnerable to the least secure of them. Either the bank requires that only their own secured CD be used to access their online banking, or they cannot enforce use of a CD-booted OS. And they can't actually enforce use of their own CD, the most they can do is enforce use of their own CD or malware CDs targeted at them, since the malware CDs will be able to perfectly mimic the targeted bank's CD. For that matter, who in their right mind is going to reboot their machine each time they want to change banks in the middle of a session?

There are minor issues as well - what if bank A doesn't offer the financial software customer B wants to use? The CD must be updated from time to time as additional features (including security) are added, not to mention drivers for hardware, etc.

Bootable CDs are a terrible solution that is being pushed (in large part) by the anti-Microsoft crowd for the purposes of gaining a beachhead for non-Microsoft OSes. I'm not going to trivialize the problem; I suspect it's overblown. To the individual, compromise of the bank account is horrific, but I wonder how much per bank customer, or (more appropriately) per banked dollar, is lost annually. I suspect that systemically available fraud insurance would be a better approach (though you run into some moral hazard issues there).

Should severability clauses be constitutional?

There is a common dodge in federal legislation where a clause is inserted that holds that, should any part of the legislation be found unconstitutional, the rest of the legislation is still in force. I think this is a bit of a violation of the federal oath to "uphold the constitution", in that it presumes that a law may be found unconstitutional, and thus that the legislature may pass an unconstitutional law...

Epic security fail

I see that they've found the guy who shut down Newark Liberty Airport for hours while they searched for him (he'd long since left, of course), and are charging him with Defiant Trespass (which can carry a fine of $500 and 30 days in jail). And Senator Lautenberg (D - Undead) wants him more harshly punished, for the crime of shutting the airport down. But he didn't do that - that's the fault of the people who designed and implemented the system. That's the fail - that a guy can cross the rope unnoticed, be noticed by a passer-by, and all the security bosses can do is use their nuclear option. This guy should have been quietly intercepted, checked out, and told to "move along". Instead, we get the bureaucratic equivalent of hand-waving freakoutery.
The crime here isn't that a man ducked under a guide rope to smooch with his sweetie in a secure area, nor even that a security guard was away from his post to monitor this. It's that the missing security guard (called away for another purpose apparently, not absent from his post without reason) was a point failure and there was NO backup (security monitors weren't working, and there was no defense in depth).
It looks like the scapegoats are going to be Jiang and the guard Hernandez; given that Jiang is a foreign national and he has a US Senator pissed at him, he's in for a world of hurt. Hernandez is being backed by his union - while I'm not the world's biggest fan of unions, this is a case where I'm glad there is one, for his sake.
Security Theatre will claim 2 more victims (possibly destroying one person's life - there are ALL KINDS of ways Senator Lautenberg can influence the system to screw up Jiang's ability to live and work in the US by picking up the phone to Immigration); and I doubt the systemic failures will be addressed.
Hope Jiang knows enough to get a lawyer and can afford a good one...

Short update - I aten't ded

Though I was a terrible threat to some innocent pieces of paper; and may end up the week with another boomstick.

Today's total was not quite 200 rounds of 9mm and uncounted rounds of .22 expended, 3 entries for November's e-postal submitted (among other #20 paper perforated), one new shooter introduced to the hobby, and 4 sets of recoil-therapy-induced smiles.
Fun & Freedom

I had today off; and I haven't gotten to the range in a while. It's still not a good idea to go down to the range in Lakewood (Shore Shot) due to the summer traffic; so I went out to the Bullet Hole in Belleville.

I left 350 rounds or so in their backstop and brought a big old grin back home with me. While my marksmanship could use some work, I hit near to my point of aim each time. I gotta scan in and submit my e-postal target now.

And I need to get a self-loading airsoft. Despite saying to myself "I don't need to cock this each time", I loaded up, racked the slide, pulled the trigger, and racked the slide again. Whoops. After that I settled down. I blame the spring-fired airsoft I picked up. It's a fun toy, nice to be able to plink in the basement safely and legally; but bad muscle memory to develop.

Shockingly enough, I was in a smallish store - wall to wall guns everywhere; and people shooting their own guns(!); and no-one was hurt. Not one gun went off by itself, and no-one was influenced by the inanimate objects to commit a crime. (Well, I can't say that entirely - in NJ there are so many different ways to screw up and inadvertently commit a victimless crime of circumstance with a firearm... The default assumption is, after all, that possession of a firearm is a felony, and only if you fall into one of the exceptions is it graciously allowed. Some freedom.)
Bruce Schneier and co. engage in PSH

Bruce Schneier is a reasonably level-headed individual when it comes to most security-related issues. But, apparently, gunz r scawwy. Even in the hands of Boston’s PD (notorious for overreacting) they’re just another semiautomatic rifle. Whether the beat cops need a rifle is a question worth asking, but Schneier just panics that they’re getting “automatic weapons”.