Yesterday I posted a blog about the Director of the FBI claiming to no longer use online banking at all because he almost fell for a phishing attack. A response to the blog suggested not using Windows for online banking and linked to

Brian Krebs http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html

and Michael Horowitz http://blogs.computerworld.com/14806/crimeware_gets_worse_how_to_avoid_being_robbed_by_your_pc

Both of these articles discuss attacks using keystroke loggers and suggest using a bootable Linux CD when doing online banking.

Today an article came across my inbox in which Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit in NSW, Australia, offers two pieces of advice for online banking http://www.itnews.com.au/News/157767,nsw-police-dont-use-windows-for-internet-banking.aspx. The first rule is to never click on hyperlinks to your bank’s web site and the second rule is to never use Windows. The detective suggests using an iPhone or a bootable Linux distribution.

The first rule is an essential piece of advice.

RULE #1: NEVER click on a hyperlink to your Bank’s Website.
If you receive an email from your bank that you are positive, beyond any doubt, came from your bank, still do not click on any hyperlinks in it. The rule is NEVER click on hyperlinks to your bank’s web site.

If banks want to improve consumer security they will never send links at all in email. They can easily have a “Current Newsletter” section on their web site and put all the links they want to have there.

As for using an iPhone… definitely not if you have “jailbroken” yours.

Note that the advice to use a bootable Linux CD specifically does not say “Just use Linux.” Linux is perfectly capable of running a keystroke logger, so using a bootable CD makes a lot of sense.

Now, the big “Gotcha”. If you boot from a Linux CD and then use the hyperlink in that phishing email you just received you will still be a victim of a phishing attack. Booting from a Linux CD does nothing at all to protect you from phishing, following RULE #1 is what protects you from the phishing attack.

The logical extension is not to click on hyperlinks in emails from PayPal, MySpace, FaceBook, LinkedIn, and other websites that may ask you to log in.
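As an added illustration, not part of the original post, here is a small Python checker that pulls the links out of an email body and flags the mismatches a phishing email relies on: a link target whose domain is not on a list of sites the user actually logs in to, visible link text that names one domain while the href points to another, and a plain-http target. The email body, the trusted-domain list and every domain name in it are constructed for the example; a real checker would also consult the Public Suffix List rather than the crude "last two labels" domain logic used here. The point of the example is the rule, not the tool: a link that passes every check is still not one to click, because no check on the email can tell you what page is behind it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains this user logs in to (constructed for the example).
TRUSTED_DOMAINS = {"examplebank.com", "paypal.com"}

# Constructed sample email body: the first link shows the bank's address as its
# visible text but points at a lookalike host; the second points at the bank itself.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://examplebank.com.login-verify.example/secure">https://www.examplebank.com/login</a> to confirm your details.</p>
<p>Read our <a href="https://www.examplebank.com/newsletter">newsletter</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels. Assumption for the example;
    real code would use the Public Suffix List (co.uk and friends break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return a list of reasons the link looks suspicious; empty means no finding."""
    parsed = urlparse(href)
    target_domain = registered_domain(parsed.hostname or "")
    reasons = []
    if target_domain not in TRUSTED_DOMAINS:
        reasons.append("host not in trusted list")
    # Visible text that itself looks like a URL or domain but names a different site
    # than the one the href actually goes to.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registered_domain(shown.group(1)) != target_domain:
        reasons.append("visible text domain differs from link target")
    if parsed.scheme == "http":
        reasons.append("plain http")
    return reasons


def suspicious_links(html):
    """Parse an HTML email body and return (href, text, reasons) for flagged links."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Run against the constructed sample, only the first link is reported, for all three reasons; the newsletter link is clean. Note what the clean result does not prove: it says the link points at the bank's domain, not that the email came from the bank, so it is still one to type into the browser yourself rather than click.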

Don’t be fooled into a false sense of security. Booting from a Linux CD protects you from software-based keystroke loggers, but not from phishing or a hardware keystroke logger. If you have a hardware keystroke logger on your computer you have much bigger problems.

Randy Abrams
Director of Technical Education