Online Banking Security

Discussion in 'all things UNIX' started by JConLine, May 3, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It's irrelevant, because whether or not one does online transactions has nothing to do with it. To make it clear, and most likely there was some confusion, I didn't say what you mentioned is irrelevant, only that the fact I don't do online transactions is irrelevant. Or, is it relevant? o_O
     
  2. BrandiCandi

    BrandiCandi Guest

    No, you didn't mangle my words. There are a lot of "ifs."

    As far as personal bad experiences, you probably WON'T know at the moment it's happening. How could you? I couldn't.

    And no, the defenses are not sophisticated. Block scripts. Update the browser & plugins. Simple common sense when browsing & clicking. Delete history & cookies upon closing the browser.

    My fundamental point is that there are risks. Everyone is free to do their own risk assessment and decide that any given vulnerability is not worth the effort to defend against or isn't likely to happen. I have no problem whatsoever if everyone in this thread decides it's too much of a bother to block scripts (it's a common complaint, I get that).

    What I take issue with is anyone who decides that you don't need to worry about these vulnerabilities because they don't exist. They do. It's wrong to say they don't. Understand the reality, then make a decision based on that reality. Don't make a decision based on a lack of information.
    Some may be more biased than others. The OWASP link (top ten vulnerabilities) is as unbiased as they come. OWASP is an open source, not-for-profit project dedicated to cleaning up the crappy websites we've been talking about. Here's a link that's also as unbiased as possible from The Linux Documentation Project:

    http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html

    I'm going to stop now. I've either made my case or not. If I continue I'll just be repeating myself even more.
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,377
    So you did get affected at least once while doing online banking or shopping? If yes, would you mind describing the circumstances and what you think happened?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think she's saying that it would be difficult to know that you've been effected at the time. Not that she has herself in the past been effected without being able to tell.
     
  5. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    108
    Brandi expresses my thoughts. I don't think I'm smart enough to accurately assess the risks of online banking, and because of that, it's no trouble to add precautions. In 5 min I can add UFW with basic configuration, add NoScript to a browser, add enforce profiles to Apparmor, and add Norton DNS. And, as far as I know, there's not much of a downside to these security settings. They may be overkill but who cares.

    I have thoroughly enjoyed this discussion!

    Jim
     
    Last edited: May 8, 2012
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,377
    Yes, but I just wanted to know whether she was affected or not. AFAIK, not a single Wilders member on any OS has reported being affected.
     
  7. BrandiCandi

    BrandiCandi Guest

    I'll answer your question. I have no idea. Before I started caring about computers, my facebook account was hacked. Could have been some kind of browser exploit, I don't have the foggiest idea. But somehow, someone got my credentials and posted spam on my page. I changed my password and all was fine. One of my old email accounts was sending spam to my contacts- again that could have been the result of a malicious browser exploit or something else entirely. But somehow a malicious entity gained access to my email account and my contacts. I quit using that account but I suppose a password change would have fixed it.
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,

    As veteran member like tlu and mrk, it seems that we repeat the same song about the fight Security/Insecurity.Sorry to do the same...

    As said Bruce Schneier, "Security is a Process", and it is impossible to control 100% of this process
    There is several third parties involved in online banking/shopping:this is a client/server side scenario with OS/Browser-server/web site.
    The goal is to mitigate risks for every side of this process.
    The host/pc/client side:an hardened distro with SeLinux or grsecurity kernel patch for instance that helps in kernel rootkit prevention by preventing /dev/kmem, /dev/mem writing, use of virtual keyboard, vpn service and hardened browser settings and addons like no script etc...

    there is a lot of choice available as a live cd or installed distro, i can mention for instance Fortress Linux ( http://www.fortresslinux.org/ ), LPS ( http://spi.dod.mil/lipose.htm ), UPR ( https://www.privacy-cd.org/en/home-mainmenu-71/55-was-ist-ubuntu-privacy-remix )
    or Porteus ( https://porteus.org/ ).

    Regarding the server side, the user has limited possibilities.
    the most iimportant things is to choose a serious client that satisfies to PCI DSS common criteria: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard or https://www.pcisecuritystandards.org/
    And to have a bank that uses several security measures and authentication factors to secure the transaction (the virtual keyboard for instance can be defeated on both sides).
    Some banks for instance send an ID Number via sms to validate the transaction.
    There is other method and material available like this usb antikeylogger http://www.eksitdata.com/_uk/index.asp

    No client defense if the server is rooted and client database is stolen via an SQL Injection...and your credit card data will be then sold on carders boards for ten dollars before being used on yes cards in SPAIN...
    And it is not necessary to list all possible attacks that have already been discussed here like all web application threats (XSS, CRSF...) and browsers variants (Man in the browser etc)
    statically mrk is right because Linux is statically sure.
    On the other hand, BrandiCandi is not wrong if we consider that absolute security does not exist and that most defenses can be bypassed.
    Endless cat and mouse game and endless discussions...

    rgds
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I agree with both sides here. Brandi and Hungryman are right in that there are *nix vulnerabilities. But Mrk is right in saying that the vast majority of those vulns will not affect your average desktop user. If you look at the CVE's for remote root exploits, they almost always involve some arcane service that would usually only reside on a server machine. If you run a server, then yes, you need to be vigilant. If you run a desktop, not so much. You really only need a firewall and updates.

    A desktop user should be worried about the browser. That's pretty much it. And there are tools you can use on *nix to make browser exploits much more difficult.
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    My bank site makes use of javascript so I had to allow the site with NoScript. I remember reading somewhere that even if allowing such sites, NoScript will still warn on detection of XSS injections
    Is this true, or am I kidding myself ?
     
  11. tlu

    tlu Guest

    No, you're not ;)

    You might also consider the following feature:

     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Ah, thank you tlu, I feel so much safer now ! :) (aber ich brauch 'ne neue Brille).
     
  13. tlu

    tlu Guest

    :D:D:D
     
  14. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Last edited: May 12, 2012
  15. tlu

    tlu Guest

  16. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    hahahaha i am bad at security never reach above 1 :D

    hey by the way you use openDNS or norton DNS just wondering :)
     
  17. tlu

    tlu Guest

    I guess I was just lucky ;)

    I'm using OpenDNS with DNSCrypt.
     
  18. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Last edited: May 13, 2012
  19. BrandiCandi

    BrandiCandi Guest

    Not sure what you mean by the bolded part. Can you elaborate?
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    sorry i mean statistically...in relation to the malware industry which targets for the most part the Windows platform.

    rgds
     
  21. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Just to follow another thread but in the right toppic
    https://www.wilderssecurity.com/showthread.php?t=330438

    The open source community provides ways to build his own LiveCD for critical tasks, especially online banking and shopping.
    There is a Heise maintained project based on Ubuntu for German users called Bankix: http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html

    If a LiveCD appears by default more secure than a Windows station, all systems are vulnerable to client/server attacks.
    This includes network based (mostly MITM) and Web application based attacks (XSS/CSRF , Man in the Browser etc).
    Therefore the most important factor is the choice of the Bank or merchant: Does the Bank support the security standards, which kind of authentification factors is used etc...
    There is currently enought technology (software and hardware) to make transaction much more secure, and to mitigate all kind of risks ( example http://www.vasco.com/verticals/banking/onlinebanking.aspx ).
    As pointed out by this (http://www.paymentssecurity.com/2012/05/the-merchant-dilemma.html#more ) article, the main dilemma remains in the server/Bank side as it is up to the client to connect fron a trusted and non-compromised machine, but on the other hand, it s up to the Bank/merchant to provide all the required security process to secure the transaction...
    "Money Money Money..." as could sing Abba, Pink Floyd or Dire Straits..

    Rgds
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,311
    Location:
    Canada
    I'd say that sums it up nicely in a nutshell. Deal with a reputable bank and prevent unnecessary scripts through the browser and you're good to go.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.