My technical response is "grr".

I think that while technically feasible, the live CD is a completely absurd control that would burden most customers.

I would be open to the use of the PSTN for out-of-band large transaction verification. Upon the event of a large transaction, a predetermined phone number would be called with an automated system asking for a verification PIN. I'd also let the user determine the "large transaction size".

You'd have to hedge against some PSTN phishing; maybe the phone system could have a code word for each user so the user knows that the call came from a legitimate source.

"Hello John Doe, we recently received a request for a large transaction from your checking account. We'll need you to validate this with your phone transaction PIN code. Your code word is wombat; please enter your PIN code followed by the pound sign to confirm the transaction, or press the star key to cancel the transaction and flag it for investigation."

Let us not forget that live CDs have the same vulnerabilities as any other OS. It's also important to remember the client-side security IS the responsibility of the client. I would be pretty pissed at a bank who made me use some random live CD over a system I personally hardened.

-- Allen Deryke
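The phone-based verification flow sketched in the post above, modelled as an added Python example (this is not code from the thread or from any bank): a per-user threshold, a code word spoken to the user so they can tell a real call from a phishing call, a PIN checked against a salted hash, a limited number of attempts, and a star-key cancel that flags the transaction. The `Account` record, the `dial()` callback that stands in for the telephony system, and all names and values are constructed assumptions.

```python
"""Out-of-band (PSTN) large-transaction verification, modelled in Python.

Added example, not code from the mailing-list thread. The telephony side is
simulated by a dial(phone, script) callback that returns the keypad string the
user "pressed" (e.g. '1234#' to confirm, '*' to cancel). All account data
below is constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    phone: str            # predetermined number the bank calls (assumed)
    code_word: str        # spoken by the bank so the user can authenticate the call
    pin_hash: bytes       # salted PBKDF2 of the phone transaction PIN
    salt: bytes
    threshold: float      # user-chosen "large transaction size"
    flagged: list = field(default_factory=list)   # amounts flagged for investigation
    max_attempts: int = 3


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Never store the PIN itself; keep a slow salted hash of it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(name: str, phone: str, code_word: str, pin: str, threshold: float) -> Account:
    """Create an account record with a fresh random salt (constructed data)."""
    salt = secrets.token_bytes(16)
    return Account(name, phone, code_word, hash_pin(pin, salt), salt, threshold)


def call_script(acct: Account) -> str:
    """The automated message; the code word lets the user detect PSTN phishing."""
    return (f"Hello {acct.name}, we recently received a request for a large "
            f"transaction from your checking account. Your code word is "
            f"{acct.code_word}. Enter your PIN followed by # to confirm, or "
            f"press * to cancel and flag it for investigation.")


def verify_by_phone(acct: Account, amount: float, dial) -> str:
    """Return 'approved' or 'flagged'. Calls only for amounts at/above threshold."""
    if amount < acct.threshold:
        return "approved"                      # small transaction: no out-of-band step
    for _ in range(acct.max_attempts):
        keys = dial(acct.phone, call_script(acct))
        if keys == "*":                        # user cancels and flags
            acct.flagged.append(amount)
            return "flagged"
        if not keys.endswith("#"):             # malformed entry: re-prompt
            continue
        pin = keys[:-1]
        # constant-time comparison of the hashes, not of the PIN strings
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            return "approved"
    acct.flagged.append(amount)                # too many bad PINs: treat as a cancel
    return "flagged"


def make_dial(responses):
    """Simulated telephony: replays scripted keypad responses, records calls."""
    calls = []
    it = iter(responses)

    def dial(phone, script):
        calls.append(phone)
        return next(it)
    return dial, calls


if __name__ == "__main__":
    acct = enroll("John Doe", "+1-555-0100", "wombat", "1234", 1000.0)
    dial, calls = make_dial(["1234#"])
    print(verify_by_phone(acct, 5000, dial), calls)   # approved, one call placed
    dial, _ = make_dial(["*"])
    print(verify_by_phone(acct, 5000, dial), acct.flagged)
```

The user-chosen threshold keeps the phone step off the path of everyday payments; the code word addresses the PSTN-phishing concern raised in the post, since a caller who does not know it cannot convincingly impersonate the bank; and the attempt limit bounds PIN guessing over the phone.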

On Oct 22, 2009, at 4:10 AM, Jim Halfpenny <[email protected]>  
wrote:

> I reckon this would be a support nightmare. Old PCs, BIOS
> configuration and broken cup holders would hamper adoption and you'd
> end up fielding general support calls.
>
> I'm currently using a chip and pin device to authorise online banking
> transactions. Are there any current malware sophisticated enough to
> counter this? Seems to be a tried and trusted solution.
>
> Jim
>
> On 21/10/2009, PJ McGarvey <[email protected]> wrote:
>>
>> I didn't read the whole article, but I wonder if this would be best
>> suited for large transactions, say over $1000? The bank could use some
>> other means to verify the user is using its live CD, before allowing the
>> transaction. Or what if they integrated some sort of bootable distro on a
>> USB fob that has a certificate built-in for use with two-factor
>> authentication? Even combine that with some out-of-band type of
>> authentication, like a PIN sent to your cell phone.
>>
>> Of course, if the banking session were still compromised, and the Bank
>> states there is no recourse if you use the live CD, then you're SOL...
>>
>> Bruce Schneier has written some stuff about "authenticating the
>> transaction"
>>
>> -PJ
>>
>>
>> Date: Mon, 19 Oct 2009 08:49:07 +0100
>> From: [email protected]
>> To: [email protected]
>> Subject: Re: [Pauldotcom] Latest trend - Linux Boot CDs for Online Banking
>>
>>
>>
>>
>> 2009/10/18 Dale Stirling <[email protected]>
>>
>> This is definitely a short-term fix, as if this becomes a major trend it
>> will just shift the attackers' focus to the OSs on these live CDs.
>>
>> Then we are in the same position that we are now, having users that
>> have a false sense of security from a quick fix that had a limited
>> life span.
>>
>> As said before, I think a patched system and user education are the
>> way to go.
>>
>> I can see where the banks are coming from with this, since it may be
>> possible to safely use a computer infected with current banking trojans
>> when booting from a live CD. Penetration into the market will probably be
>> low, so malware pushers may not target this platform. However, even if this
>> were a minimal environment which auto-updated on boot up, I reckon this
>> would be too slow for Joe Blow. I have doubts whether people would reboot
>> into a different OS in order to gain some additional security.
>>
>> Jim
>>
>
> -- 
> Sent from my mobile device
>

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
