Jay McLaughlin has me worried. I do my online banking from the same home computer the rest of the family uses for Web surfing and online games. I have the McAfee security suite loaded and do regular scans so accessing online banking should be protected. Right?
Not really, says McLaughlin, a Certified Information Systems Security Professional and CIO of CNL Bank. Accessing online banking from your everyday PC is just asking for trouble, he says.
In fact, the CIO of the Orlando, Florida-based regional bank would like to see all of his customers - both consumers and businesses - access online banking either from a dedicated machine or from a self-booting CD-ROM running Ubuntu Linux and Firefox.
The Ubuntu option
Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is considering making available free Ubuntu Linux bootable "live CD" discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL Bank's Web site. "Everything you need to do will be sandboxed within that CD," he says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking.
A bootable CD works because it's isolated from the host PC environment. Malware on the host can't touch it - and any malware picked up when running from the CD-ROM goes away once the CD is ejected. "When you eject the CD you have removed everything off the machine," McLaughlin says.
"If you are using online banking you should be using a hardened system that is not used for anything else but online banking," McLaughlin says. While the FDIC, American Banking Association and Federal Financial Institutions Examination Council have come out with similar recommendations for commercial customers, McLaughlin says consumers need to follow them as well.
Raimund Genes, chief technology officer at security software vendor Trend Micro, calls the security measures used for online banking in the U.S. "a joke." Any key logger can grab the user name, password and answers to challenge questions that banks commonly use to authenticate users today, he says.
Going out of band
Genes says using your regular home PC is acceptable for online banking so long as the bank supports two-factor authentication. For example, some banks in Europe use a transaction authentication number, an authentication code that's sent to the user "out of band," such as via SMS to a cell phone. The user then enters the code into the Web browser to complete a transaction online. The code changes every time the user makes a new request. Another alternative is a smart token, such as an RSA token. Barring that, he says, "I would not do online banking at all. Or if I had to I would use a sandboxed browser. I would boot up a mini Linux system from a USB stick."
CNL Bank currently offers out of band authentication when setting up an initial password on a new online account or for password reset requests. The authentication code can be transmitted via SMS, using an automated attendant that calls a phone number that the customer has set up in advance, or through e-mail (although McLaughlin says the e-mail option may be discontinued because a compromised machine may have compromised e-mail as well).
McLaughlin is also considering offering this mechanism as an authentication option each time the user logs in, and CNL may offer an even more granular option that requires out of band authentication for individual transactions - for example, for commercial customers with high risk transactions such as wire transfers.
Flash or CD-ROM?
When accessing online banking, consumers may want to consider using a secure, bootable flash drive running an environment such as U3 or MojoPak, says John Pescatore, analyst with Gartner Inc. But banks like the idea of the Ubuntu distribution because the software is free and the media is much cheaper than a memory stick. The problem with both is that the user now has to carry something to access online banking. "They hate that. That's why this approach has never broken into the mainstream," Pescatore says.
Consumers could also access online banking from a separate, bootable partition on their PC, but that's probably more work than most consumers would put up with. Another alternative, hosting a separate virtual machine (VM), is better than nothing. But McLaughlin cautions that the VM is still not totally isolated from the PC. Malware that targets the hypervisor layer underlying the VM may find its way around those defenses.
Everyone is unanimous on one point, however: Nobody seems to think doing online banking from the machine you use every day for Web surfing and e-mail is a good idea.
McLaughlin thinks the bootable Ubuntu CD option may be the best alternative right now. Regardless of who you bank with, he suggests ordering a copy of the free Ubuntu Desktop Edition selt-booting CD (If you don't want to wait you can download the image and burn it on a CD yourself) and try it for your online banking.
McLaughlin and Genes put a sufficient scare into me that I've decided to give it a go. Yes, it's a hassle to reboot for online banking - until you think of what could happen if someone stole your credentials. On the plus side, I'll be exposed to Linux on a regular basis.
Who knows? I might decide that I like running Linux for more than just online banking.