Windows, Online Banking, and Phishing

Yesterday I posted a blog about the Director of the FBI claiming to no longer use online banking at all because he almost fell for a phishing attack. A response to the blog suggested not using Windows for online banking and linked to

Brian Krebs http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html

and Michael Horowitz http://blogs.computerworld.com/14806/crimeware_gets_worse_how_to_avoid_being_robbed_by_your_pc

Both of these articles discuss attacks using keystroke loggers and suggest using a bootable Linux CD when doing online banking.

Today an article came across my inbox in which Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit in NSW, Australia offers two pieces of advice for online banking: http://www.itnews.com.au/News/157767,nsw-police-dont-use-windows-for-internet-banking.aspx. The first rule is to never click on hyperlinks to your bank’s web site and the second rule is to never use Windows. The detective suggests using an iPhone or a bootable Linux distribution.

The first rule is an essential piece of advice.

RULE #1: NEVER click on a hyperlink to your Bank’s Website.
If you receive an email that you are positive, beyond any doubt, came from your bank, still do not click on any hyperlinks in it. The rule is: NEVER click on hyperlinks to your bank’s web site.

If banks want to improve consumer security they should never send links in email at all. They can easily have a “Current Newsletter” section on their web site and put all the links they want there.

As for using an iPhone… definitely not if you have “jailbroken” yours.

Note that the advice to use a bootable Linux CD specifically does not say “Just use Linux.” Linux is perfectly capable of running a keystroke logger; what makes a bootable CD sensible is that a read-only medium gives a logger nowhere to persist.

Now, the big “Gotcha”. If you boot from a Linux CD and then use the hyperlink in that phishing email you just received, you will still be a victim of a phishing attack. Booting from a Linux CD does nothing at all to protect you from phishing; following RULE #1 is what protects you from the phishing attack.

The logical extension is not to click on hyperlinks in emails from PayPal, MySpace, FaceBook, LinkedIn, and other websites that may ask you to log in.
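As an added illustration of why RULE #1 exists (this is example code, not part of the original post), the following Python scanner pulls every anchor out of an HTML email and flags two things: links whose visible text shows one site while the href goes somewhere else, and any link that points at a domain you bank or log in with at all. The email body and the protected-domain list are constructed for the example; the "last two labels" domain heuristic is a simplification that stands in for a real public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://bank.example.login-verify.example/secure">https://www.bank.example/login</a>
<p>Or read our newsletter: <a href="https://www.bank.example/news">newsletter</a></p>
<p>Unrelated story: <a href="https://news.example/story">story</a></p>
"""

def registrable_part(host: str) -> str:
    """Crude last-two-labels heuristic (assumption: no public-suffix list offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_links(html: str, protected_domains):
    """One finding per anchor: 'mismatch', 'login-link' or 'ok'.

    'mismatch'   - the visible text is a URL whose site differs from the real target.
    'login-link' - the real target is a site you log in to (RULE #1: don't click it).
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_part(urlparse(href).hostname or "")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_part(shown) != target:
            findings.append((href, "mismatch"))
        elif target in protected_domains:
            findings.append((href, "login-link"))
        else:
            findings.append((href, "ok"))
    return findings
```

Run against the sample, the first link is a mismatch (the text says bank.example, the target is login-verify.example), the second is a genuine bank link that RULE #1 says to type by hand instead, and the third is left alone.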

Don’t be fooled into a false sense of security. Booting from a Linux CD protects you from software-based keystroke loggers, but not from phishing or a hardware keystroke logger. If you have a hardware keystroke logger on your computer you have much bigger problems.

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • http://blogs.computerworld.com/horowitz Michael Horowitz

    Agreed. The advice to just boot to Linux, in and of itself, is not sufficient. Being safe also means only using Linux for online banking, that is, don’t use it for email. In addition, the safest thing is not to have two tabs open concurrently in your web browser. And for maximum safety, don’t use it to browse to any other websites at all.

  • Randy Abrams

    I’m not sure about the registry entries and I suspect it depends on the malware. This is a great question to pose on the Wilders Forum though. You’ll reach some of the devs there. For a corporate customer with thousands of infected machines, the reaction will depend upon what the threat is, how it works, and other factors.

Copyright © 2014 ESET, All Rights Reserved.