2 replies to this topic

[AplusWebMaster]

FYI...

Banking online - Erosion of trust...
- http://sunbeltblog.b...ne-banking.html
October 13, 2009 - "Two very influential people have made public comments recently that could lead to widespread distrust of the Windows operating system for online banking. Last week, FBI Director Robert Mueller related in a speech in San Francisco that he had received a phishing email that tried to steal his banking credentials and nearly fell for it. As a consequence, he is not doing his banking on line... This week, Washington Post columnist Brian Krebs, who writes the “Security Fix” column and is among the most influential writers in the computer security space, wrote* that businesses should simply stop doing their banking online from machines with the Windows operating system. He wrote:
“The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online”... “…regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer,” he wrote. “While there are multiple layers of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix, or Ubuntu”...
* http://voices.washin...rnet_banki.html
Krebs has done a series of columns recently about small and medium-size businesses, non-profit organizations and schools losing tens of thousands of dollars to cyber thieves using banking Trojans to provide access to their bank accounts and transfer funds to money mules. The implications of this loss of trust have been mentioned by other significant observers in the computer security world. David Kennedy, Manager of Risk Analysis at Verizon Business, wrote in his weekly intelligence summary** for his company’s customers: “Reports the FBI director’s spouse refuses to allow on-line banking is a serious indictment of on-line trust and we will be tracking related reports of trust erosion, especially by high-profile individuals, groups and companies.”
** http://securityblog....ary-2009-10-09/
"...we agree with ScanSafe’s assessment*** they were probably the result of malcode infections and not phishing. The scale of this infection/breach is more significant to enterprise security than the web e-mail accounts that were compromised..."
*** http://blog.scansafe...data-theft.html

[Doug]

Thank you AplusWebMaster,

Will you please expand on this concern, as a courtesy to our Members who may wonder what exactly is being recommended.

For instance, for these purposes I dual-boot XP and OpenSuSE 11.1.
I conduct my online banking while booted in the SuSE operating system.

I simply use Firefox as my browser in SuSE.
I do not allow username or passwords to be remembered.
I do not allow "Do you want us to remember this computer, so you can avoid answering your challenge question next time you sign in?"
I'm also careful to "Sign Out" before browsing to the next website in my online work.
In fact, I always close the tab I had been using, and begin my new browsing with a fresh blank tab.

In your own opinion, and from the resources that you cite, is that sufficient precaution.

Thanks for any extra attention you may provide in this topic.

Doug

[AplusWebMaster]

From the Krebs article:

- http://voices.washin...rnet_banki.html
October 8, 2009 - "... As a consumer, having your online banking account credentials stolen -- either via phishing or through password-stealing malicious software -- can be a harrowing experience, but it is usually not a costly one. The federal Electronic Funds Transfer Act ("Regulation E"), limits consumer liability for unauthorized transactions to $50, provided notice is given within 10 business days, or to $500 provided notice is given within 60 business days. Even so, retail banks often will work to make whole those customers who are victims of cyber fraud.
On the other hand, business that bank online enjoy hardly any such protection. The precise obligations of a commercial bank and their business customers are spelled out in the agreement that those companies sign, but generally business customers agree to notify their bank of any suspicious or unauthorized transactions on the same day that the transaction in question occurs. Even then, there is no guarantee that the bank will be able to block or reverse any fraudulent transfers..."

... so, keeping in mind that NOTHING on the web is 100% safe (as has been mentioned many times by others for years), I'm not certain "... what exactly is being recommended". This is just another -risk- that has to be dealt with. So, IMHO, I see it as an individual's judgment call deciding how to proceed, measuring "Risk -vs- reward". I posted it to get the information out in the open. I wish there were a better answer, but I don't see one, yet.

.