When I recently wrote about online banking, I mentioned how dangerous Man in the Browser attacks can be. This theme was recently picked up by the BBC in an article by Spencer Kelly, Hackers outwit online banking identity security systems. It's great to see coverage of this topic seep out to the general public.
Both the article, and a separate audio interview with Mr. Kelly, go into detail on Man in the Browser attacks, specifically to point out how the two factor authentication hardware that some British banks are using offers no defense from this type of attack. Kelly writes
Criminal hackers have found a way round the latest generation of online banking security devices given out by banks ... Devices like PINSentry from Barclays and SecureKey from HSBC ... ask users to insert a card or a code to create a unique key at each login, valid for around 30 seconds, that cannot be used again ... While these chip and pin devices make the hackers' job more difficult, the hackers themselves have raised their game.
Apparently, anti-malware software doesn't offer a great defense either. The BBC commissioned the writing of new malicious Man in the Browser software and tested a number of unnamed anti-malware products against it. The results were generally good news for the bad guys.
Sadly, just like the New York Times editorial that prompted my previous blog on online banking, the BBC story has its head buried in the sand in that it fails to mention the elephant in the room: Windows, host to almost all the malicious software in the world. Switching to Linux or a Mac makes you safer. Not perfectly safe, but significantly safer.
The focus on Windows, without even mentioning the operating system by name, is all the more curious considering the popularity of tablets and smartphones. The computing world now has three operating systems on full-sized personal computers, at least two on tablets and three or four popular systems on smartphones. Yet both the New York Times and the BBC act as if Windows were the only choice.
That said, let me offer a suggestion for Windows users that insist on online banking: go portable.
Portable Windows applications are completely self-contained and don't need to be installed. Although typically thought of as running from a USB flash drive, they run just as well from the C drive.
A portable web browser is harder for malware to infect because it's harder to find. The software resides in a different folder on every computer, and there should be no trace of it in the registry. Be clear about what this buys you: it is obscurity, not isolation. Malware that runs in your user account can still enumerate running processes and inject itself into whatever browser it finds, so a portable browser raises the bar against malware that looks for a browser in the usual places; it does not guarantee anything.
To be even safer, use the portable browser exclusively for online financial transactions.
There are two downsides. A portable version of a browser cannot run concurrently with a normally installed copy of the same browser. And the portable browser needs to be kept up to date on patches, just like any normally installed browser; nothing updates it for you.
The portableapps.com website offers portable versions of Firefox, Chrome, Opera and other browsers.
I frequently use the portable versions of Firefox and Chrome. There is no portable version of Internet Explorer, but we shouldn't care as I've already mentioned twelve Defensive Computing reasons to avoid Internet Explorer.
For online banking, I suggest Firefox because it is more resistant to proxy hijacking than Chrome. Chrome on Windows inherits the system proxy settings (the same Internet Options that Internet Explorer uses), so malware that changes those settings redirects Chrome's traffic too. Firefox keeps its own proxy settings in its profile and can be told to ignore the Windows settings entirely.
In Firefox 10, do Tools -> Options -> Advanced -> Network tab -> Settings button and select "No proxy"*. The default is "Use system proxy settings", which is exactly what you don't want here. With "No proxy" set, even if malicious software reconfigures Windows to use a proxy server, Firefox will bypass the proxy. Because the setting lives in the portable browser's own profile folder, it travels with the portable copy.
In a corporate environment, the use of a proxy server may be mandatory. Outside of corporations, however, a proxy that you did not set up yourself is a red flag and is quite possibly malicious.
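The two checks described above, as an added example that is not part of the original post: report what Windows itself currently believes the proxy is (the per-user Internet Settings registry key that Internet Explorer and Chrome read), and pin the portable Firefox profile to "No proxy" by writing a user.js file, which Firefox re-applies every time it starts. The Firefox Portable install path and the `Data\profile` profile folder are assumptions for illustration; the registry key and the `network.proxy.type` preference are Firefox's and Windows' own.

```powershell
# Added example, not code from the original post.
# Assumption: Firefox Portable (from portableapps.com) is unpacked at
# $FirefoxPortable and keeps its profile in Data\profile under that folder.
param(
    [string]$FirefoxPortable = "D:\PortableApps\FirefoxPortable"
)

# 1. What does Windows think the proxy is? Internet Explorer and Chrome inherit
#    these values, so a proxy hijack by malware shows up here.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey

[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable      # 1 = manual proxy in use
    ProxyServer   = $inet.ProxyServer      # host:port of that proxy
    AutoConfigURL = $inet.AutoConfigURL    # PAC script URL, if any
} | Format-List

if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning "Windows is set to send traffic through a proxy or PAC script ($($inet.ProxyServer)$($inet.AutoConfigURL)). On a home PC, find out who put it there before banking."
} else {
    Write-Host "Windows has no proxy configured."
}

# 2. Make the portable Firefox ignore proxies regardless of the Windows setting.
#    network.proxy.type: 0 = no proxy, 1 = manual, 2 = PAC, 4 = auto-detect,
#    5 = use system settings (the default). user.js is read at every start and
#    overwrites the matching value in prefs.js, so the Options dialog cannot
#    quietly drift back to "Use system proxy settings".
$profileDir = Join-Path $FirefoxPortable 'Data\profile'
if (-not (Test-Path $profileDir)) {
    throw "Firefox Portable profile folder not found: $profileDir"
}
$userJs = Join-Path $profileDir 'user.js'

@'
// Written by the proxy-pinning script: never use a proxy, and ignore
// whatever proxy Windows (Internet Options) is configured with.
user_pref("network.proxy.type", 0);
'@ | Set-Content -Path $userJs -Encoding ASCII

Write-Host "Wrote $userJs; restart Firefox Portable for it to take effect."
```

Run it with Firefox Portable closed, since the profile is read at startup. Note that user.js is only as safe as the file system it sits on: malware running as your user can delete or edit it, which is one more reason the portable browser is a bar-raiser rather than a guarantee.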
Still, the best advice for Windows users is not to do online banking at all.
*If Firefox 10 is not configured to show the menu bar, the path is different. In a copy of Firefox that shows the orange button with the word Firefox in it in the top left corner, click that button and the path to this option starts with Options -> Options rather than Tools -> Options.