Ultimately, banks will have to provide clean boot disks on CD/DVD - that is the only way to make online banking secure.

And on the subject of security, all card-based transactions should require a photograph of the user if present - that would limit card-based fraud to online transactions. If delivery of goods is then limited to the card-holder's address, that should take care of some online fraud too - much of the remainder could be taken care of by requiring a photograph when collecting goods or services paid for online.

However, the banks aren't really bothered by fraud - they just pass the cost on to the customers. Therefore, such actions are unlikely to happen without legislation requiring them.

Kaled.

@readie, nothing is unbeatable if your computer is compromised. Biometrics would not help with this type of attack either.

@kaled, a bit pessimistic. I can currently get a fair degree of certainty of security and privacy by using Linux plus multiple browsers for different purposes.

Next up would come using Tomoyo (or Apparmor, or whatever the other alternatives are)

Next up would be using VMs.

Finally comes using separate boot CDs or even separate devices, as a last resort if all the above are insufficient. As I still feel no need to move past the first step, that seems a distant prospect.

I can currently get a fair degree of certainty of security and privacy by using Linux...

But you are in a smallish minority.

Most computer users are not experts. Many let kids play games on them, download stuff, etc. and all with admin privileges. They may have antivirus software and maybe firewall software but they will still click ok/yes in response to almost everything. That is the reality and the only way banks can fix this situation is to supply boot disks and make their use absolutely mandatory. This would render trojans, etc largely useless and would have a huge impact on security.

Kaled.

Using a computer without learning how to use separate logins for different users and without separating admin from day to day use it like driving a car without learning to use the brakes.

I thought all modern OSes (AFAIK including Win Vista) require you to re-enter the admin password when doing something that requires privileges.

The average user is not going to be keen on boot disks, and will be confused by them, and blame the supplier for anything that happens after using one (say the next boot fails). It would also be very inconvenient.

What media and hardware compatibility will your boot disks use? Will they work with an ARM netbook without a CD drive? Will the hardware detection be good enough to cope any device? What about PCs that have been set not to boot of external devices (average users cannot change BIOS settings)? What about people who do their banking from work?

Separate, pocketable deviecs might work, but are still too expensive.

I thought all modern OSes (AFAIK including Win Vista) require you to re-enter the admin password when doing something that requires privileges.

No - in Vista/Win7, all you need to do is click Yes/Ok provided you are logged on as an administrator.

Will they work with an ARM netbook without a CD drive?

Running without a CD drive should be possible via a bootable USB rom.
Running on different CPUs should be possible by recompiling.
Running on wide range of Intel/AMD architectured hardware should be straightforward - I haven't tried Knoppix, but it claims to work on a variety of hardware.

Would this be convenient? NO.
Would this be secure? YES.
Would this defeat hackers and make hacking a time-wasting exercise? Largely, YES.

What about people who do their banking from work?

If it's a small office then they'll be fine - they'll just have to reboot.
If it's a large office, possible with monitoring software and other spyware/security stuff installed, then they should not be doing their banking from work anyway!

average users cannot change BIOS settings

In many cases, they won't have to. Certainly, if banks were to announce their intentions, manufactures would quickly adapt. For existing hardware - that's what online/internet help, technical support phone-lines and written (paper) instructions are for. And those people that still can't figure it out probably have computers that have already been compromised!

Kaled.

Kaled, I've been a proponent of photographs on credit cards for a long time, it's very effective at reducing the chances of a thief using the card in a face to face transaction. I consider the practicalities of chip & PIN for cardholder-present transactions is a retrograde step from signatures. If I observe you entering your PIN and manage to steal the card, I can now use it in most shops with no other checks on it.

I do agree that controlling the OS and drivers that are loaded would improve security, but if I were a criminal, I'd look at the possibilities of compromising the the CD before being burnt - that has been done before. I'd also consider trying to compromise common routers.

I've been a proponent of photographs on credit cards for a long time

That's not what I meant - I meant that a photograph of the user should be taken whenever a card transaction takes place. That way, even without any sort of face recognition, clear evidence of the perpetrator would exist. With cash withdrawal machines it's a little trickier since a mask might be used, even with facial recognition software, but a fingerprint could also be taken.

if I were a criminal, I'd look at the possibilities of compromising the the CD before being burnt

Sure, criminals might try this, but it's going to be a lot more difficult than getting people to download infected software. For instance, if you bank with Barclays and get a disk in the post purporting to be from Lloyds (or a disk addressed to "the occupier") you'll know it's a scam immediately. There would also be a large outlay for a scam of this sort and real-world breadcrumbs for the police to follow.

If the banks got their act together, a single generic disk could serve all their needs.

I'd also consider trying to compromise common routers.

Completely pointless - that's what encryption is for - to prevent intermediary devices reading transaction details.

Kaled.

@Kaled, a single generic disk would not solve the problem of different architectures, media. You would have to distribute multiple versions.

A bug in this single generic disk could mean every bank would have its customers accounts compromised. It is less likely, but the results could be worse than the Windows monoculture.

I think the measures I suggest are more practical, although they would need to be wrapped in better GUIs to be accessible to the average user.

One more thing, Windows does need to ask for a password each time (sudo style), or discourage people from running as admin (some linux distros default to a red desktop and pop up warning messages if you login as admin)

Knoppix and othr live CDs have worked on almost all the hardware I have tried them on, but even a small proportion of customers being unable to use a service could be a huge problem.

That's not what I meant - I meant that a photograph of the user should be taken whenever a card transaction takes place. That way, even without any sort of face recognition, clear evidence of the perpetrator would exist.

funnily enough, i do this for all high value sales now (obviously in a face to face environment - not online) some customers have been amused by the request, but none have refused to have their photo taken.

A bug in this single generic disk could mean every bank would have its customers accounts compromised. It is less likely, but the results could be worse than the Windows monoculture.

What sort of bug? Assuming the disk was used only for banking (i.e. you were locked out of general browsing) then it would not even be possible to temporarily install something nasty into the current session.

It's also worth noting that this sort of security would kill off all phishing attacks aimed directly at banking (but not attacks against Paypal, etc).

So far as convenience is concerned, it should be possible to devise a hibernate-into-banking method (this would require bios support) so that it would not be necessary to perform a full reboot of the main operating system.

Kaled.

The "man in the browser" attack on banks is being used for quite a while now.
E.g. a ISC SANS post from 2007: [isc.sans.org...]

The trick is to do authentication and signing differently and to have the signing sign destination and amounts, keeping the user informed and not hiding it behind a "go through the motions" instructional explanation. But many banks, even those in areas where two factor authentication is done properly still make these errors.