Online Banking Security

Discussion in 'all things UNIX' started by JConLine, May 3, 2012.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Agree 100%. I've been watching from the sidelines for years and enjoying the paranoia show... I have yet to ever see anything actually happen on any of my machines, linux or Win, and I doubt I ever will...
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The problem with the LiveCD approach is that it doesn't have all the latest security patches on it. Sure, even without them, your chances of being exploited are very slim, but you're better off with the updates.

    The best solution is just to install Ubuntu inside a virtual machine so you can keep it updated.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hungry man,

    I am interested in security, but my approach is different from most people's.
    And CVEs are meaningless. They do not translate into problems. They just tell you that some code is buggy. No different from any bugzilla report.

    Mrk
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    There are different levels of security requirements. Many of the measures discussed are of interest in certain situations and may not apply to the "average" user.

    From my personal experience, a few basic (commonsense) precautions are enough to conduct financial transactions online from my daily use OS (when it was Win XP for several years and now Ubuntu) and my daily use browser. I buy and sell shares and mutual funds online, transfer funds from one bank account to another or to my broker online, receive payments from my broker and mutual funds online, and pay various utility bills online.

    This is not to deny the possibility that, one day, something could go horribly wrong. But that applies to so many other things in life.

    One of the suggestions I'd like to make is that it may be "safer" to stick with one OS and one browser and understand both thoroughly.
     
  5. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    i guess the OLD-fashioned way was more healthy :D

    ie. use only a self-cheque when money is needed :D

    here we say no to credit cards, no to debit cards; in india there's no such thing as a greencard ;)

    in india with 1.2 billion we are like living ghosts LOOL

    moral of the story: less technology, less information on computer = great sleep :p
     
    Last edited: May 7, 2012
  6. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They're not meaningless... they're vulnerabilities - this is what they directly translate into, you take one and you make an exploit from it. There are practical exploits there all the time (even though often they are more theoretical.) You can probably find some metasploit proof of concepts too. Recently I've been reading many from Brad Spengler who has disclosed quite a few escalation bypasses etc. I think Brandi linked a few as well.

    I understand preaching not to stack on too much security in terms of ease of use/ attack surface/ it being useless. But if there are legitimate holes to cover and the end goal is to secure the system... it seems a bit contradictory.

    I mean, hey, I can run WinXP without any firewall. I might never get attacked! Is this secure at all?

    It seems like this methodology is to hope for the best and play the odds because you don't want to come off as paranoid.
     
  8. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    i agree somewhat that security is needed on the client side, but if your bank server, DNS server or ISP server which is logging on you...........etc is already compromised, then what

    now you give me go for VPN etc

    now let's say i go for paranoid mode, now i have VPN ....etc still i need to trust that VPN server; what if that server is an internet honey trap, what if a hacker has access to my ISP or i have an internet sharing cable network which with some nerdy tools can sniff all my data.....?

    even if i make my system as secure like so called zero-day vulnerable and let's say it can't be hacked with today's technology, even though i am still on the internet i am still relying on other sources, that's the main point

    if gmail is compromised and i have a gmail account then what does my paranoid security do in this case to protect my gmail, you tell me ??
     
    Last edited: May 7, 2012
  9. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    maybe reset your gmail password? :doubt:
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Vulnerabilities do not automatically translate into problems; they might. Again, I'm asking for a practical example so we can debate this without philosophy. One example that holds true.

    Finally, if your system is patched, then there are no holes, end of story. I never said run with a 10-year old unpatched os. Therefore, all talk about insecure systems is IRRELEVANT to browsing to your bank.

    And in my reality:

    The user opens his browser, say firefox.
    The user connects to his bank; he has it bookmarked.
    The user does what he needs while the connection is https.
    The user closes the browser.

    So what's there to protect from? Nothing.

    You may say: the browser/os might be compromised - how/when/why?
    You may say: clickjacking and cross-site scripting - how/when/why?
    What about driveby-downloads? Again, in my scenario, how?

    I want one of you to illustrate how it happens. Not just theory of how someone executes 4 assembly instructions, you access out-of-region memory and run code stored there and then this code does something. That's all nice. I want a real life scenario that applies to normal people and not just to excite fun with security enthusiasts in security forums.

    And let's not forget, the topic at hand is linux. We can deviate to windows if you want.

    Cheers,
    Mrk
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What are you defining as a practical example if not remote code execution vulnerabilities that crop up time and time again?

    Do I really need to Google "Linux remote code execution vulnerability" to prove that they exist? That they've been used?

    um

    no

    If your system is patched there are a million other holes that haven't been patched/ discovered/ reported. Do you not believe this? All vulnerabilities start out unpatched...

    Fixed that for you.

    Well Gosh, if you and I can't hack into Linux I guess no one can!

    I mean, ****, if Google's not turning up specific vulnerabilities for hacking linux boxes or bank websites I guess no one can do it and we should just all sit back and relax.

    This logic seems flawed. I can't hack it right now and you can't hack it right now, therefore no one can and/or it's not worth dealing with.

    The fact is that I probably could with a few google searches. "Firefox remote code execution. Local privilege escalation. LSM rootkit." I could likely string together enough vulnerabilities (and if I were really motivated I could likely get metasploit code etc) to show what should be obvious is possible.

    It's just entirely pointless because saying "Oh it's just theory" is ridiculous. The vulnerabilities exist, they will always exist, and I see 0 reason to spend the time Googling CVEs to explain this. Saying "Yeah, there are gaping and obvious holes, but no one's gonna notice me anyway" isn't really security.

    Like I said, it's about turning the situation from a hacker not noticing you to a hacker not having the skill to break your system.

    Anything said is pretty much OS independent. They're all vulnerable.
     
    Last edited: May 7, 2012
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    What rootkit? Kernel-based one? You do know that intercepting info in user space from within the kernel is extremely difficult. You need a userland component of some sort. And how did that rootkit get there in the first place? That's the whole thing. You base your story on a fictional piece of info.

    BTW, my hack skills are irrelevant. I can demonstrate all sorts of things. I don't want to, because it's irrelevant to home user setup.

    Mrk
     
  13. BrandiCandi

    BrandiCandi Guest

    I gave you a link full of 100 or so practical examples.
    I posted one example to illustrate how it happens. Not theory.
    That XSS script I posted is a real life scenario that applies to normal people.

    Again, I'm talking about malicious stuff entirely inside the browser.

    Please tell me why XSS is just a theory or philosophy, why it doesn't happen every day. Give me a source. Something. Because every word I have read on the subject indicates that it's real, it happens, it's easy to fix (on the web developer's side) and easy to avoid (on the user's side).

    If a website has a vulnerability that does not mean that it will automatically be exploited every time in every way possible. If (at a conservative estimate) 50% of all websites are vulnerable to XSS, what percentage actually gets exploited? Are you saying the answer is 0%?
    OK, you've got something there. Previously you indicated that nothing needed to be done for security when browsing to banks from any Linux computer. That's what I took issue with. But I can get behind this statement in quotes above. Yes, use a dedicated browser session to log onto your bank. When you're done, close the browser. It would be best to delete the history & cookies upon closure (or never remember it in the first place). That way there's nothing stored in the browser to get stolen when you surf to the next website.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't recall where it was, but I watched a video some time ago about XSS. In it, a security researcher demonstrated a vulnerability in a certain on-line service that allowed him to get access to another user's credentials. In the example, he owned both accounts, but that's beside the point, because if I still recall it, the other "user" only had to log in to his account and click one of the service's links. Something that would be natural to happen - click on any of the service's links.

    This means it wouldn't matter which OS it was, inability to install rootkits or whatever; all within the web browser.

    Do I bother with it? No. Is it a security threat to me? No. Why? I don't access my bank account over the Internet; I prefer the good old fashioned way. :D

    The questions are: Can it be a security threat to others? Am I in a position to say 'Yes' or 'No'?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    How is what you're describing not the basis of LSM (and uh... operating systems) ie: the kernel interacting with userspace/ LSM interrupting system calls and generally interacting with user programs.

    My fictional story is based on fictional information? Well... uh... yeah no kidding. Like I said, I could google a bunch of CVEs and chain them together but that doesn't mean any more or less than me saying "It's possible."

    http://www.linux-magazine.com/Online/News/Brad-Spengler-Exposes-Exploit-in-Linux-Kernel-2.6.31

    Here's a youtube channel showing a ton of exploits actually being used against linux:
    https://www.youtube.com/user/spendergrsec
    That one was pretty big/ famous.

    There are obviously rootkits. Are you asking these questions because you legitimately want to know which random rootkit I'm going to get from Google or do you not believe that linux rootkits exist?

    Like Brandi said and I referenced in my post, there's a ton of practical exploits etc in her earlier post.

    As I said in my first post, if your goal is to avoid attackers you can run pretty much any OS that isn't Windows. You can run (as I stated earlier) a linux version that's pre-NX/ASLR. It's an insecure POS but you'll be fine - you're playing luck. Or you can take measures to secure the system (patching, making use of apparmor, making use of secure programs - all easy; or even more extreme measures like switching up the kernel) and know that your security is no longer dictated by luck (ie: not secure) but in fact by the skill of the hacker (ie: actual security.)

    If you're looking for a setup that is secure for banking I would certainly hope that your interests are to dictate security through the hacker's skill rather than the hacker's interest.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Who exactly is this addressed to in the universe of people using the internet?
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Sorry but that is also another bad idea. :thumbd:

    You appear to have no intention of staying away from this matter or doing the "right" thing. Like a moth to the candle flame.:'(

    I fear I can't help you.

    Good luck.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hungry, there's a big difference between setting up a bank service and accessing one. No one here was talking about securing a system to become an online service. We were talking about opening your browser to access your bank site, no matter how secure. Let's not confuse things.

    Not Mrk setting up bank.
    But Mrk accessing a bank.

    Okay?

    Rootkits exist. Nothing special. You mentioned system calls. Sure you need to intercept them, you need to form useful data structs, you need to call a userland app to send collected data somewhere. See? Not so simple anymore. And it works the other way around, btw - apps accessing kernel, not the other way around. Kernel is there to schedule, not to be the wise butler. A great example - autofs and automounter.

    None of the stories are relevant to a home user doing what I mentioned.

    Cross-site scripting, where exactly. You access your bank site and then what? C'mon guys, walk me through a scenario step by step so I can tell you why it's irrelevant.

    Want to click a random link somewhere that leads to a "bank" site? That has nothing to do with what browser you have or os or what security.

    Mrk
     
  19. BrandiCandi

    BrandiCandi Guest

    Holy Crap! I think you're the first one in this thread to understand what I'm saying! Thank you for that.

    I bolded the important part. You won't even know it happened. This isn't limited to bank websites, that's a very important point. MrKvonic said you can bank from any computer anywhere. So let's say you visit another crappy website where a bad guy uses any of a number of vulnerabilities to steal your credentials from your browser. If your bank credentials were also in the browser then they've got your bank creds. Or if you use the same username & password all over the place, then if they get your facebook creds, they've got all your creds including the bank.

    Right. Exactly. However, it's important to know that a large percentage (I've heard figures between 40% and 70% - in the links I posted previously that no one read) of all websites have vulnerabilities. So it ends up affecting the end user.

    Because I'm a glutton for punishment, I'm going to throw two more links out there for everyone to not read:

    http://www.marketwatch.com/story/ne...ence-of-new-hybrid-vulnerabilities-2012-04-12

    http://www.baselinemag.com/c/a/Security/Web-Apps-Create-New-Security-Risks-367935/

    But no one will read 'em (come on... I dare you), so I'll spoon-feed you the important thing:
    That affects you - the guy sitting right there reading this post, right now. You can't choose to be affected. Well, you can if you unplug your computer right now & melt it down. But as long as you've got that bad boy plugged in, you can be affected.
     
  20. tlu

    tlu Guest

    @BrandiCandi: I read your links, really ;) Although they don't contain anything new. That XSS, Clickjacking etc. are wide-spread is well-known. And here I disagree with Mrk. It has been shown in the past that many bank sites were vulnerable against XSS. Most of these holes might have been closed in the meantime but I wouldn't put too much trust in that. I wouldn't do online banking without Noscript.

    But we were talking about other types of risk, like rootkits. Sure they exist. But how are they supposed to be executed on my system? o_O
     
  21. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    1. So let's say you visit another crappy website

    2. ... where a bad guy uses any of a number of vulnerabilities to steal your credentials from your browser.

    3. If your bank credentials were also in the browser then they've got your bank creds.

    4. Or if you use the same username & password all over the place,

    5. then if they get your facebook creds, they've got all your creds including the bank.

    ...

    I've mangled Brandi's post a bit but how many pieces need to fall into place?

    Honestly, even before becoming an expert in the field of security, have you, not someone who knows someone who knows someone, actually had a personal bad experience?

    Are we talking about needing highly sophisticated kernel recompiling or whatever or just plain common sense to avoid the scenario above?

    Unlike m00nblood who doesn't do transactions online, I do.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hi Brandi,

    Let's see.

    First, articles - biased and no more valid than one another. Therefore, any one article is meaningless, as anyone can write them with their own agenda. Moreover, you choose a piece of info and make it your whole truth.

    Moreover, both those reports are provided by security companies. Hm. Vested interest? Should they tell you you do not need their services? Like asking an insurance salesman if you need insurance. Right ....

    Now that we cleared bias/statistics, let's focus on the actual content.

    50-70% of sites are not vulnerable. Let me explain why. If 50-70% of sites are vulnerable, how come 50-70% of sites are not exploited? In the long run, that's what should be. But if you're saying, they MIGHT be vulnerable, then all humans are also vulnerable to bullets, but a small fraction is dying thereof daily. Hence, you do not walk about in a flak vest and helmet. Besides, you don't care about those other sites, you care about your bank.

    Moreover, the profit from online banking > theft due to online crime, otherwise online banking would not exist. A simple rule of survival. In the long run, there's more profit to be had than lost. Therefore, the losing side in this battle are not banks.

    To sum it up:

    Companies with direct interest (security companies) + security fearmongering + false statistics = bollocks.

    That's how I see it.

    The truth:
    Some sites are badly coded, can allow for exploits.
    Banks sites, not likely. Access them directly, game over, all is well.

    Mrk
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Isn't that irrelevant? :doubt: On the other hand, I do have relatives that perform online transactions. I have them running a dedicated Google Chrome profile, making use of the --host-rules command line switch, so that it can only connect to the bank's domains and IPs.

    The reason being that, like what user tlu mentioned, I don't have such high trust that banks have 100% flawless code.

    Heck, last year I made it public that my bank had its clients entering part of the security codes over HTTP, not HTTPS. After publicly exposing it everywhere I could, they saw themselves forced to make a change.

    Recently, I've discovered more banks in the same situation. Some of them also have mixed content - http + https.

    :D

    Is your blog of any interest, from an attack point of view? ;) I'd say it isn't. That doesn't mean it isn't possible to hijack it. It just means there's no point in doing it. The same applies to 50-70% of sites (I'm just quoting you in the %s.). There is no interest whatsoever in hijacking them, simply because they're visited only by a small number of users.

    I do agree with you in certain aspects, though. There's a lot of FUD spread all over the Internet - *cough* security vendors *cough*. But, that's not the same as saying all is peachy.
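The dedicated-profile setup m00nbl00d describes, as an added example that is not from the thread or from any poster: it builds the `--host-rules` value (every hostname mapped to the unroutable 0.0.0.0 except the bank's own domains) and starts Chrome in a separate `--user-data-dir`. The binary name `google-chrome` and the profile path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build the Chrome --host-rules string
# for a banking-only profile. Every hostname is mapped to 0.0.0.0 except
# the listed bank domains, so any other host fails at name resolution.
# Assumptions: the binary is called google-chrome and the profile directory
# below is a made-up path.

# Reject anything that is not a plain hostname, so a stray comma or space
# cannot smuggle an extra rule into the switch value.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rule string, e.g. "MAP * 0.0.0.0, EXCLUDE bank.example.com".
# Accepts one or more allowed domains; returns non-zero on an invalid one.
bank_host_rules() {
    rules="MAP * 0.0.0.0"
    for host in "$@"; do
        valid_host "$host" || { echo "invalid host: $host" >&2; return 1; }
        rules="$rules, EXCLUDE $host"
    done
    printf '%s' "$rules"
}

# Launch an isolated profile that can only resolve the listed domains.
# --user-data-dir keeps cookies and history apart from everyday browsing.
launch_bank_browser() {
    profile="$HOME/.config/chrome-bank-profile"   # constructed path
    rules=$(bank_host_rules "$@") || return 1
    google-chrome --user-data-dir="$profile" --host-rules="$rules" "https://$1"
}

# Usage: launch_bank_browser bank.example.com www.bank.example.com
```

Because the switch acts on name resolution, every hostname the bank's pages actually load (login and static-content subdomains included) has to be listed, or those resources simply fail to load.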
     
  24. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    I think it is better to create a separate user account with only essential permissions and use it solely for online banking (also clear the browser cache before doing any sensitive transaction online). The steps are not complicated in Ubuntu and can be done using the GUI. This is what I do in Windows too.
     
  25. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    You mentioned it first in this thread that is "discussing" online banking. So how does it become irrelevant only when I refer to what you wrote? o_O o_O
     