ADVISE: SMEs Must Do Online Banking from Dedicated Computers

US FBI and the American Bankers Association recommend using dedicated computers for online banking
By Lucian Constantin, Web News Editor, 4 January 2010
http://news.softpedia.com/news/Small-Businesses-Should-Conduct-Online-Banking-from-Dedicated-Computers-131086.shtml

Following a flurry of incidents in which hundreds of thousands of dollars were siphoned from the bank accounts of small businesses and public institutions, the Federal Bureau of Investigation (FBI) and the American Bankers Association (ABA) advise using dedicated computers for online banking operations. This unusual security model should severely limit the exposure of the PCs in question to malware threats.

The level of Automated Clearing House (ACH) transfer fraud rose significantly last year, prompting serious concerns from the authorities. These fraudulent schemes are complex and usually leave little evidence behind to help investigators or the victims looking to recover their losses.

Such attacks usually start with a trojan infecting a computer used for online banking at an institution. Thousands of different versions of these trojans are released every month in order to bypass the detection mechanisms of antivirus software. Once on the computer, the malware watches for browsing sessions to known online banking websites and captures information such as authentication credentials or account balances.

Subsequently, the attackers direct the trojan to initiate batches of fraudulent transfers to bank accounts belonging to various U.S. residents who have been tricked into working for them. The latter are known as "money mules" and are usually recruited by fake foreign companies under the promise of a profitable work-from-home job. Their task is to receive money allegedly coming from customers of the company and wire it out of the country, keeping a commission for themselves.
Unfortunately for companies, they are not protected by the same laws as general consumers. While banks will reimburse the losses caused by fraud when personal accounts are involved, they are not required to do so for business accounts. They can recall transfers as long as the money has not been withdrawn and wired, but if the latter happens, it is almost certainly lost.

USA Today reports that the feds' recommendation to use a dedicated PC for online banking tasks is based on reducing possible infection vectors: browsing to unrelated websites or checking email from it should be banned. Companies are also advised to request out-of-band payment confirmations from their bank.

We'll go even further and suggest that the dedicated computer use Linux, FreeBSD, or even Mac OS X, if that suits you better. We're not trying to start a controversy over which operating system is better or more secure. In fact, this has nothing to do with the security of the operating system itself, but with the fact that 99.9% of these trojans were built for Windows and will fail to run on anything else.

The easiest approach is downloading a Linux live CD, booting from it, performing the online banking tasks, then removing it and restarting back into Windows. Need to open an Excel spreadsheet, browse, check email or access network storage? The Ubuntu Linux live CD will allow you to run Firefox, OpenOffice and perform most basic tasks without installing anything on the local disk.
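The transfer pattern the article describes (a batch of ACH payments to many never-before-seen individual accounts) is exactly what a bank-side or customer-side screen should hold for out-of-band confirmation before release. The following is an added illustration, not code from the article or the list post; the payee ids, amounts, baseline and thresholds are constructed assumptions:

```python
"""Heuristic screen for the mule-batch ACH pattern described above.
All data and thresholds here are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee_account: str  # opaque payee id (constructed; a real system uses routing+account)
    amount: float       # USD


# Constructed history: this business normally pays a handful of known vendors.
KNOWN_PAYEES = {"vendor-A", "vendor-B", "payroll-svc"}
TYPICAL_BATCH_TOTAL = 12_000.0  # assumed historic average batch total


def screen_batch(batch, known=KNOWN_PAYEES, typical_total=TYPICAL_BATCH_TOTAL,
                 new_payee_ratio=0.5, total_multiple=3.0, max_new_payees=3):
    """Return (hold, reasons). hold=True means: do not release the batch
    without out-of-band confirmation from the customer (e.g. a phone call)."""
    reasons = []
    if not batch:
        return False, reasons
    payees = {t.payee_account for t in batch}
    new_payees = payees - set(known)
    total = sum(t.amount for t in batch)
    ratio = len(new_payees) / len(payees)
    if len(new_payees) > max_new_payees:
        reasons.append(f"{len(new_payees)} payees never paid before")
    if ratio >= new_payee_ratio:
        reasons.append(f"{ratio:.0%} of payees in this batch are new")
    if total > total_multiple * typical_total:
        reasons.append(f"batch total {total:,.2f} exceeds {total_multiple:g}x typical")
    # Mules are typically paid near-identical amounts; bucket new-payee amounts by $500.
    buckets = Counter(int(t.amount // 500) for t in batch if t.payee_account in new_payees)
    if buckets and buckets.most_common(1)[0][1] >= 3:
        reasons.append("repeated similar amounts to new payees")
    return bool(reasons), reasons


# Constructed sample batches: routine vendor run vs. the mule pattern.
NORMAL_BATCH = [Transfer("vendor-A", 4000.0), Transfer("payroll-svc", 7500.0)]
SUSPECT_BATCH = [Transfer(f"mule-{i:02d}", 9400.0 + i * 50) for i in range(8)]

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_BATCH), ("suspect", SUSPECT_BATCH)):
        hold, why = screen_batch(batch)
        print(name, "HOLD" if hold else "release", why)
```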
Regards,
Suman

E-mails from Sella Synergy India Private Ltd are sent in good faith but they are neither binding on the Sella Synergy India Private Ltd nor to be understood as creating any obligation on its part except where provided for an agreement. This e-mail is confidential. If you have received it by mistake, please inform the sender by reply e-mail and delete it from your system. Please also note that the unauthorized disclosure or use of the message or any attachments could be an offence. Thank you for your cooperation.
_______________________________________________
Owasp-delhi mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-delhi
