Two articles crossed my virtual desk recently that confirmed an existing belief: using Windows for online financial transactions is a mistake.
In the first article, "Cyberheist Smokescreen: Email, Phone, SMS Floods," Brian Krebs describes his experience as a spam-flood victim. In less than a day, his Gmail inbox was flooded with "tens of thousands of emails". Why so many? Krebs says
Many businesses request some kind of confirmation from their bank whenever high-dollar transfers are initiated. These confirmations may be sent via text message or email, or the business may ask their bank to call them to verify requested transfers. The attack that hit my inbox was part of an offering that crooks can hire to flood each medium of communication, thereby preventing a targeted business from ever receiving or finding alerts from their bank.
If the flooding prevents the victim from seeing the important email or text message, or they never get the phone call from their financial instituition, they remain ignorant of what the bad guys are doing with their account.
These flooding services cost money, so it only pays to employ them when malicious software (malware) has already sent the bad guys everything they need to impersonate the victim.
And, we all know, that most malicious software runs on Windows. As I cited here recently, malware expert David Perry said there are at least 200,000 new Windows viruses released every day.
The other item was a press release from security company Trusteer, detailing another banking scheme.
In this case, the end user needs to enter a one-time password the first time they logon from a new computer. Once a machine is infected, the malware modifies the normal banking logon page, adding a request for the one-time password, even though the victim is using their normal, already-approved computer.
Then, armed with the victims normal userid/password and their one-time password, the malware prevents any data transmission to the bank and instead presents the victim with a scam web page saying the banking website is temporarily offline. While the victim is distracted, the bad guys logon from their computer, validating it with the one-time password.
Of course, since this story came from Trusteer, their software would have caught the fraud. The bigger issue, however, is Windows itself. In part because of its design, in part because of its popularity, Windows is the riskiest operating system for financial transactions.
OS X is safer than Windows, and Linux is safer than OS X. But, to my mind, the safest option is Chrome OS, running on either a Chromebook laptop or a Chromebox ultra small desktop. Chrome OS, from Google, is a version of Linux designed to run their Chrome browser and very little else.
The vast majority of Chromebook reviews have focused on the operating system limitations compared to full-featured laptops running legacy operating systems. No Word, Photoshop or TweetDeck for example. But, like every coin, there are two sides to these limitations.
Consider Java, for example. It's not supported on Chrome OS. While this can certainly be viewed as a limitation, from a Defensive Computing perspective, it's a good thing (as long as you don't use a site that requires Java).
Here at Computerworld, JR Raphael spent two weeks living with Chrome OS and although he liked it by and large, he warned that "For all its positives, Chrome OS isn't going to be the right setup for everyone." Certainly not.
But, in large part, Raphael evaluated Chromebooks as a primary computing device for a techie like himself. To me, that's asking the wrong question.
Like Google, Raphael also suggested Chrome OS devices are a good fit for schools and businesses. Perhaps they are, but not being an educator or a large corporation, I approach it from another perspective.
The limitations of Chromebooks are only a limitation to someone looking for a primary computing device, something I am not suggesting.
But even then, Chrome OS limitations are not limitations for the least technically astute users. As one reviewer suggested, Chromebooks offer the first viable version of Linux that your grandmother could use. An impressive feat.
What's left, when we eliminate schools, corporations, grandparents and those looking to use only one device, is online safety.
Chrome OS devices offer the safest platform for online financial transactions.
Perhaps the biggest safety factor that Chrome OS offers is that the end user can't screw things up. Software updates can't be ignored or postponed. Malicious software can't be installed. This is H-U-G-E. Really huge. And, it's above and beyond the advantages that Linux already brings to the table such as kissing antivirus software goodbye.
On top of that, Google has beefed up the Defensive Computing in Chrome OS with features such as sandboxing, verified boot and a recovery mode. In addition, all files stored locally are encrypted and accessible to only one user.
A second generation Samsung Chromebox sells for $330*. A second generation Samsung Chromebook, with Wi-Fi and Ethernet is $450. Adding 3G Internet access bumps the price up to $550.
Slower first generation Chrome OS devices can also be found online. For example, a first generation Samsung Chromebook can be had for $350.
Anyone doing financial transactions online should consider the cost of a Chrome OS device to be insurance. If the two stories at the top of this blog didn't impress, then see some of the horror stories Krebs has written in the Target: Small Businesses section of his website.
In my opinion, Chrome OS users are the safest online users.
Perhaps the closest Chrome OS competitor, when it comes to safety, is a special Linux distribution created and maintained by the U.S. Air Force called Lightweight Portable Security (LPS). But, LPS has its own set of trade-offs.
*All prices are rounded up.