Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Technology

Knoppix Used in Internet Banking Solution 263

renai42 writes "Australian company Cybersource says it's currently talking to two domestic banks about providing Knoppix-based bootable CDs to consumers to ensure Internet banking security. The company says at least one bank will probably use the CDs in at least one sector of its operations. Cybersource envisages that banks will re-brand its product and provide the CDs alongside other marketing material."
This discussion has been archived. No new comments can be posted.

Knoppix Used in Internet Banking Solution

Comments Filter:
  • To surf with knoppix you have to be using a cable/DSL ethernet modem or router, or have a supported dial-up modem and the ability to configure it.

    I suppose this is geared to internet cafe use? In which case you have to hope the network's set up in a way that doesnt require password authentication...

    Nevertheless, a great idea and I hope it works

    • Ahh... how nice. Getting paid to customize knoppix cds. There's a bunch of folks that have their act together. :)
    • i think it's geared towards users of that Other os, who want to use something safer, but not go through the trouble of installing another operating system. Or it's for those that use linux and want to use a read-only medium for something like this.

      In that light, to surf with *any* OS you need to have supported hardware :)

      btw i don't think many internet cafe's will let you pop in your own operating system
    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
    • I have posted about this before...but I think bootable CDs w/ a Read Only HD while you are online is going to be what everyone will have to be doing to bypass the virus problems we are facing now.

      Having used Ubuntu Live and mostly loving it, I agree with this post about problems with the modem, though. Even though it is possible to get the right drivers and get a winmodem going, bootable CDs are not really going to take off until all modems are picked up and configured correctly on the first try. When that
  • Umm.. why? (Score:3, Insightful)

    by onion2k ( 203094 ) on Thursday March 24, 2005 @05:54AM (#12034076) Homepage
    Sounds like an interesting challenge certainly, but let me guess the bank's thinking behind this move..

    If you use their traditional online banking service from a PC not booted using their CD, and subsequently get defrauded somehow, this will enable them to say "Ahhh.. but you weren't using our special software!", and ignore your complaint.

    How.. nice.
    • Re:Umm.. why? (Score:2, Insightful)

      by Anonymous Coward
      Wrong. They will reject any claims in either case.
    • Re:Umm.. why? (Score:2, Insightful)

      by metricmusic ( 766303 )
      On the other hand they are forcing you to use Linux. Makes a nice change to today where so many bank websites do not work on anything but IE.
    • Re:Umm.. why? (Score:3, Insightful)

      by Rick.C ( 626083 )
      If you use their traditional online banking service from a PC not booted using their CD, and subsequently get defrauded somehow, this will enable them to say "Ahhh.. but you weren't using our special software!", and ignore your complaint.

      Perhaps, but here's another idea:
      Having customers use internet banking is less costly for banks, but potential internet banking customers are hesitant to rely on online transactions because they fear (or know) that their PC is "owned". They think that someone might be lo

    • Re:Umm.. why? (Score:3, Insightful)

      by RoLi ( 141856 )
      I would agree if there was no alternative to using Knoppix.

      However, Knoppix would come in handy for not-so-savy but still paranoid types.

      It's guaranteed that:

      • Bank use doesn't affect their installation. For example if they have a super-paranoid firewall in place, they don't have to pull it down.
      • Possibly installed spyware can't grab passwords, PINs, TANs, etc.
      • Phishing is impossible
      • And it's even easier than normal banking. No worries about security settings, no worries about cookies, no worries about
  • by nfs3hp ( 855825 ) on Thursday March 24, 2005 @05:55AM (#12034079)
    until the network administrators find a serious vulnerability and have to burn/press about 35602638023862 new cds to patch it.
    • by Anonymous Coward
      The main threat to remote banking is installed spyware/keyloggers NOT privilage escalation vulnerabilities that hackers _might_ be able to take advantage of if the user wasn't,
      a) likely behind a firewall
      b) running off of read only media
      c) doing the equivalent of a fresh install with every use.

      There are very few vulnerabilities which could conceivably compromise a well customised bootable Linux CD. It's about as secure as you can get.
    • Never stopped AOL.

      How many CD's do you think they've burnt over the last 10 years (or so)?

      UBS Switzerland give you a little calculator with a removable card that hashes a challenge code. You type in the response for a one time password. Seems to work quite well as neither my card not the calculator have my account number on it. It does have a card number, which doesn't have a visual link to my account (which would stop casual theft).

      National Australia Bank used to have accounts tied to a specific SSL key
    • by Ed Avis ( 5917 ) <ed@membled.com> on Thursday March 24, 2005 @06:09AM (#12034127) Homepage
      Actually I think mailing out new CDs is far more likely to work than persuading users to keep their own systems (especially Windows boxes) up to date.

      (You could in principle install a Linux system on each user's own hard disk and push out updates to it, but giving them a new CD has far less to go wrong.)

      I rather miss the days when performing an operating system upgrade was as simple as opening the computer and putting in some new ROM chips; putting in a new CD and rebooting is getting back towards that level of friendliness.
      • The problem will come if mailing out new CD's becomes a habit for the bank.

        It would be quite easy for someone to slip in a cracked and hacked version, for which the customers (out of habit and routine) will happily treat as the new version, then pass on their banking details to whoever is listening.
        • How about this - with the inclusion of UnionFS (gawdDAMN is that cool), have it so that, on boot-up, apt-get update & upgrade from a trusted source (possibly one the bank has provided). Display a message saying "Please wait, we're just getting any security updates needed to keep your account safe" with a progress bar during the process.


          That should solve that problem, I would imagine (unless the trusted apt repository gets compromised).

    • Not likely

      This Knoppix is designed to connect to the bank and ONLY to the bank.

      So this pretty much rules out all browser-vulnerabilities, simply because the browser cannot load anything from other websites.

      Also I guess the firewall will block all ports, so there would be no way of an attacker to get in.

      I can't think of any security vulnerabilityEVER that would allow an attacker to compromize this system, can you?

      • A man in the middle attack can get it and doesn't even involve compromising the CD. Any router between the customer and the bank could be compromised and reroute all packets to a different destination. The most vulnerable will be the customer's router in thier home.

        Even that poses non-trivial problems. Without setting up dedicated links, I don't see a better solution.
        • A man in the middle attack can get it and doesn't even involve compromising the CD. Any router between the customer and the bank could be compromised and reroute all packets to a different destination. The most vulnerable will be the customer's router in thier home.

          Well, in that case the CD doesn't have to patched and redistributed as the problem doesn't lie within the CD but in the network.

          QED.

  • Um, what? (Score:5, Insightful)

    by Anonymous Coward on Thursday March 24, 2005 @05:58AM (#12034083)
    I can hardly keep track of an ATM card, now you're expecting me to carry around a big honking CD all the time?

    Pass
    • Re:Um, what? (Score:2, Insightful)

      by Gumph ( 706694 )
      The parent is modded insightful???? WTF, OMG etc etc
      surely funny is the more appropriate response, anyone who can't keep track of a bankcard is either a stark staring genius who shouldn't really be allowed outside without supervision or a complete dunderhead (how long has it been since you heard that word?) who again, should not be allowed outside without supervision!
    • They can use a mini-cd, the ones shaped like a business card, if thats not enough room for knoppix, then use a mini-dvd in businesscard shaped size.

  • by FudRucker ( 866063 ) on Thursday March 24, 2005 @06:00AM (#12034096)
    when the bank customer takes this CD home and boots it on their OEM with the WInModem they wont ba able to get online (atleast it will be secure that way)...
  • by guyverix ( 810762 ) on Thursday March 24, 2005 @06:01AM (#12034099)
    There wont be key-loggers, virus infested OS's Active X, IE, blah, blah, blah. At least this is a step in the right direction.
  • news? (Score:5, Insightful)

    by mnbjhguyt ( 449178 ) on Thursday March 24, 2005 @06:02AM (#12034101)
    ...says... it's talking... one bank will probably use... envisages...

    and from TFA: Banks eye bootable Linux CDs

    wake me up when something happens, ok?
  • by putko ( 753330 ) on Thursday March 24, 2005 @06:03AM (#12034106) Homepage Journal
    A step in the right direction.

    But it seems odd to me that if someone wants a one-trick secure browser solution, he'd use anything other than OpenBSD.

    If you sit down and do the analysis (without regard to "religion" or fashion), and say, "I only need a secure browser," you'll likely pick a BSD and it will likely be either NetBSD (hw support) or OpenBSD (security).

    I did a similar analysis, and came to this conclusion, after attempting to dispassionately evaluate the options.

  • by LiquidCoooled ( 634315 ) on Thursday March 24, 2005 @06:03AM (#12034107) Homepage Journal
    Boot from a tiny partition of Linux on a CC sized cd. Give it duel use and let all customers have it available.

    The other security features on the credit card could be put onto the CD to ensure authenticity.
    • hoho.
      I cant imagine the duel use of a credit card cd. Maybe as throwing star if you sharpen the edges?

      But: you know that there is only 30 or 40 mb of usable space on a credit card cd. You want a bootable linux, plus a gui, plus all the drivers to get you connectivity... not easily done.

      Plus credit card cds arent liked very much by slot in cdroms, if they are actually USED like a credit card (put in the purse), they wont work when you need them.
      • It is very easily done. You don't need a WM, so just start X as a FB and a browser. Just bundle the necessary networking stuff and you can cut most of the stuff out of the kernel because you don't need nor want say HDD support.
    • Boot from a tiny partition of Linux on a CC sized cd.

      Damn Small Linux [damnsmalllinux.org] does this and does it quite well. I like the small cd idea. Do you really need a full distro like Knoppix for online banking?

  • by brendano ( 457446 ) on Thursday March 24, 2005 @06:12AM (#12034136) Homepage
    This sounds like a great idea, provided that the Knoppix can be user-friendly enough to figure out how to boot up.

    There's really no surefire way to ensure that a user's harddrive-installed OS is secure for banking. Considering the staggering variety of adware/spyware/viruses on machines today, it must be quite easy for a malicious malware creator to make a program that hijacks name resolution (change DNS servers, or the HOSTS file) for perfect phishing, or they could install a keystroke logger, or whatever else. If they got their bank-website-hijacking malware on machines in whatever way all today's adware stuff gets on, they could easily phish thousands of bank transactions every day.

    The prevalence of malware seems to indicate that people can't control or trust the programs on their own hard drives. If that's the case, they can't trust any of their online interactions. Since Knoppix kills your harddrive and all its flexibility, it's much more secure.

    What would be funny is if more and more institutions started demanding the use of bootable OS's. Our PC's would be reduced to a BIOS, monitor, and keyboard ... reminds you of the Apple II days, where you had to boot half of the operating system off a floppy every time you turned on the computer.
  • Great Idea but... (Score:3, Interesting)

    by shashark ( 836922 ) on Thursday March 24, 2005 @06:13AM (#12034145)
    Cds can be as small as your credit card, besides being much more secure.

    But wait, how will one patch the CDs in case any security holes are found ? Rewritable CDs wont help either...
    • Cds can be as small as your credit card, besides being much more secure.

      Great. So first we have locked out all "not-the-latest-Pentium" computer users - and now we are locking out all slot-loading drive users? My bank uses a nice security device which is also credit card size. It's a, well, card with unique security codes. I can use any Web browser of my choice on any platform to access all the features. I prefer it this way, thank you.
  • by cheezemonkhai ( 638797 ) on Thursday March 24, 2005 @06:15AM (#12034157) Homepage
    Public Service announcement:

    All ATM's will now dispense Kash the new qt improved version of cash.
  • by 2ksilver ( 867820 ) on Thursday March 24, 2005 @06:21AM (#12034171)
    If implemented properly, this would be a great thing. Assuming they can get around the wide range of hardware people use, without requiring much technological knowledge from the user, this is a much more secure way than windows. Keep in mind that the same people who are infected with 1000x spyware programs and don't seem to care are the same kind of people who have little idea how a computer works. This would have to be as user-friendly as possible to not scare off users or prevent people from using it. I bet this fails, but someone else takes the idea and makes a better version of it and it will take off. Does the average user know how to boot from a CD?
  • Dutch Banks (Score:5, Informative)

    by Anonymous Coward on Thursday March 24, 2005 @06:28AM (#12034197)
    Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:

    (Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....

    You type in your PIN code and hit 'OK'. On the website of the bank you have to type 2 things. Your account number and the key generated after you hit 'OK' on the device. This key is different every X seconds (I don't know the interval).

    This matches with the interval the bank has running. This combination of pass ID, PIN code, account number and the interval is key to have access. You need all of them to get in.

    The websites session times out after about 2 minutes when there is no action anymore.

    If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.

    If the amount to fransfer is higher than X, you have to process 2 numbers on the device and submit the generated numbers on the website.

    This is all done on HTTPS and works with most browsers.

    I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....

    The device is small, portable and lightweight. Internet cafe's, at the office, at HotSpots, anywhere you can use 'safe' banking this way. As long as the banks website is online and within reach (no stupid proxies or whatever).

    Just my view on banking online....
    • Luxembourgish banks (Score:5, Informative)

      by BlueUnderwear ( 73957 ) on Thursday March 24, 2005 @06:56AM (#12034284)
      Hi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:

      (Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....

      Here is Luxembourg, banks are too cheap for handing out these calculator thingies. Instead they use a scratch-off plastic card with 16 alphanumeric digits on it. When logging in to their service, the site choses 2 (or some 3) positions out of the 16 possible, and you have to enter the corresponding digits.

      This key is different every X seconds (I don't know the interval).

      Well, here in Luxembourg, the "good" banks do it the same: the key (in our case: choice of scratch card numbers) is valid a set amount of time. However, some of the (less technically savy banks [fundmarket.lu]) propose you a different choice of digits each time you hit reload... so a thief who has sniffed some numbers (but not all) can just keep on hitting reload until the bank asks for numbers that he has... not good!

      If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.

      Our banks do not have this additional security yet... (Apart from maybe Cortal-Consors. I know their German operation has such a system).

      This is all done on HTTPS...

      In Luxembourg too. No bank is foolish enough to use plain http. and works with most browsers.

      Unfortunately, this is not the case in Luxembourg [webbanking.lll.lu] (although some progress was made over the course of last year).

      The currently worst offenders [fund-market.lu] have a gateway page which features a Rube-Goldberg like chain of Java Applets, Java Script code, and VB code which only works on Internet Explorer (the Java Applet is MS proprietary java (using the proprietary com.ms.util.SystemVersionManager class...). The output of this is fed, via the VB script, and then the Javascript (!) into a second URL, which gives you access to the Web application itself. Interestingly enough, once that gate is passed, there is no further dependancy on MS-ware, and you can cheat yourself access to the contents [fund-market.lu] (graphs of their mutual funds) by entering that second URL manually.

      For their homebanking they have the same "proprietary applet" hack, and in addition a server-implemented browser check. Manually enter the JVM=1 bit into the URL, and fake an Internet Exploder User Agent [mozilla.org] and you are in! What the hell are they thinking?

      I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....

      Indeed, the number generated by the device makes it secure even against keystroke loggers that may be installed (but don't challenge your luck either...)

      • There is a difference between the dutch (dynamic) and Luxembourg (static) way of approaching authentication using either a machine or scratch card. The point is that with a dynamic method, you can let the challenge number sent by the bank depend on both time stamp and on a number based on the amounts you want to transfer/send. This is an advantage since it limits the risk that a client files a complaint about transactions claiming that he only entered 3 out of 4 transactions and that "a hacker" has inserted
    • I have accounts in four banks, for various different reasons. I need a key generator from each bank for this to work.

      Not very usable, particularly when the number of keys gets larger.

      Work, banks, other stuff....
  • by DingerX ( 847589 ) on Thursday March 24, 2005 @06:33AM (#12034212) Journal
    Dear CitiKnoppix Customer,

    For security reasons, we need to verify your personal information and update your CitiKnoppix(tm) software. Please send us your mailing address and we will send you a new CitiKnoppix(tm) CD-Rom. As an added bonus for taking part in this experimental customer service program, we will credit your account with $1000.

    Sincerely,
    CitiPhishing.
  • by Anonymous Coward on Thursday March 24, 2005 @06:45AM (#12034248)
    ...to ensure Internet banking security

    if you can make comments like that.

    "Security is a process, not a product". Its a social problem as much as a technical one and I have doubt that whilst this could help, the scammers will get around it once it becomes commonplace.

    -dgr
  • Great. IF this catches on, not only will I get tons of AOL CD's, but I will get tons of banking CD's.

    50 free transactions if you bank with us! ...or one free coaster

    I liked the days of the floppy better; I could copy Commander Keen on to them.
  • by CastrTroy ( 595695 ) on Thursday March 24, 2005 @06:53AM (#12034275)
    Stop the complaining about how it won't work if you have a certain hardware configuration, or if you don't have a certain type of internet connection.

    I think the power here comes in that the bank can offer it as an option. If it boots in your computer, then great, use it. Maybe they could even throw something like GnuCash so that people can keep better track of their money. I say, don't make it mandatory, but offer it as an option to help at least some users feel more secure.
  • by MadCow42 ( 243108 ) on Thursday March 24, 2005 @06:59AM (#12034292) Homepage
    Online banking is successful / useful because it's convenient... that could be outweighed by security risks as malware gets worse.

    However consider how it'd work with a bootable CD:
    - shut down everything on my computer, save open documents, and all that crap
    - find a CD
    - boot to that CD (assuming it likes my hardware to start with)
    - wait for it to boot... (ho hum...)
    - do my banking
    - NOT be able to save any info to my local computer (for checkbook reconcilliation, or any other local use) - I guess I'll now have to find a paper and pen to copy the info I need down...
    - shut down again...
    - reboot again to get back to normal operation... (la-dee-da.... ho hummm...)
    - find the stuff I was working on before, and get back into the groove...

    Does THAT sound convenient any more? I don't know about you guys, but my computer doesn't boot very quickly. We're talking a total of 15 minutes minimum just to go check your balance.

    I can stop by the REAL bank on my way home from work easier than that. I don't see this as a good thing overall - even if it does provide the best security. There must be better alternatives (as mentioned in other threads).

    MadCow.
    • by natrius ( 642724 ) * <niran @ n i r a n . o rg> on Thursday March 24, 2005 @07:35AM (#12034427) Homepage
      Didn't someone mention a live CD that could autorun itself in QEMU when inserted in a Windows computer? That seems like it would be the perfect solution to me. No need to worry about hardware variability, and you'd be able to do all your banking in a virus-free virtual machine.
    • This is not for people who happily use onlinebanking.

      This is only for people who DO NOT currently use onlinebanking:

      • People who don't have computers available and want to do their banking at their hotel (when they are on vacation) or at a friend (if they don't have a computer)
      • People whose computer is infected with spyware and they shouldn't do their banking on these installations
      • People who are afraid of being infected with spyware or are generally sceptic about computer security and/or paranoid.
      • If on

    • And if your aren't at home, let's also add:

      -Walk into cybercafe
      -Try to reboot pc, discover it is locked down.
      -Get special dispensation from coffee slinger guy
      -Reboot.
      -Assume Knoppix likes hardware
      -Attempt to connect to network
      -Lacking network permissions, ask coffee slinger guy for those permissions. He doesn't know the settings, has to call the owner on his cell to get info..
      -Assume owner picks up and understands request.
      -Assume owner doesn't tell you to forget it, and actually remembers settings/provide
    • For most people: you can replace this:

      - shut down everything on my computer, save open documents, and all that crap

      - find a CD
      - boot to that CD (assuming it likes my hardware to start with)

      With:

      - walk over to the computer, turn it on (because, like most people, the user keeps the computer powered down and sitting in the corner when not being used) and shove the CD in the drive
  • by Sinbit ( 546592 )
    How can we be sure the distributed CD is not cracked in some way?
  • by EmagGeek ( 574360 ) on Thursday March 24, 2005 @07:28AM (#12034398) Journal
    At my company, they recently fired someone one the spot for possessing a Knoppix CD. My company views Knoppix as a hacker toolkit and nothing else. Anyone caught possessing or downloading Knoppix is fired immediately, complete with security escort to the door.

    Other places LOVE it... it's handy, useful, and easy to transport.

    I think one thing that would help this idea a lot would be if the CD booted into a VM. That way users would not have to do a hard restart.. just load the bootable CD into a VM and kill the VM when they're done...
    • Sweet merciful Zeus, what company do you work for that is so paranoid that it will fire employees for posessing a KNOPPIX disk?!? LiveCDs are by far the handiest trouble-shooting tools I've got for fixing borked XP installs. I'd hate to be in an IT dept that told me I wasn't allowed to use Knoppix simply because "hackers also use it".

      If you don't wanna say, you could always post it as Anonymous and say something like "Well, I dunno who the GP works for, but MY company [company name] is like that" :)

      Sli

      • If his company is a government contractor or works around other sensitive information, its not completely out of line.

        Boot into Knoppix, files on the hd set to read only by administrator can be read/copied with ease since Knoppix doesn't respect windows file permissions.

        If their workplace is like mine, the usb ports are disabled to prevent people from filling up a thumbdrive and walking out with licensed software or sensitive data. Knoppix enables these ports, allowing data to be copied from them.

        Machine
        • If a user has physical access to a regular PC, there is very little you can do to stop her from getting data off it.

          Steps like blocking LiveCDs and USB ports may help a bit, but a clueful user/dedicated blackhat-type would get that data through some other means anyway. (assuming it is valuable enough)

          I suppose the security measures in a place like that have to be of MUCH, MUCH higher caliber to be of any use. I don't think kicking out people who carry LiveCDs is the solution...

          For example, in the situati
        • by Sven The Space Monke ( 669560 ) on Thursday March 24, 2005 @11:16AM (#12036156)
          Oh, I agree completely - if a non-IT employee is using Knoppix (and isn't authorized), give 'em the boot. Keyword being "non-IT". Call me some sort of elitist if you must, but I feel that the average user shouldn't be allowed to change their screen-saver (changing mice and keyboards should be okay, since that's a comfort thing*). Seriously, a user that's allowed to install anything is a dangerous user. I wouldn't trust most users with anything more dangerous than nail clippers.
          I'm talking about IT people using Knoppix. If a sysadmin is trying to recover data that a user stupidly didn't back up, a LiveCD is the best way to do that. The OP made it sound like ANY employee that used Knoppix got the boot, IT staff included.
          Incidentally, if any company allows users to save sensitive data to their own hard drive, they're asking for problems. Sensitive files should be on a secure server, locked-down and access-restiricted. Disabling the USB ports treats the symptom, not the problem. And before anyone says boo about it, there ARE ways to prevent users from saving anything to their hard drive, even in XP.

          * - I once worked for a company that, for some reason, let employees have admin rights on their NT machines. This led to massive problems (the usual stuff). But heaven forbid I want to change my mouse! I've got very large hands, and I couldn't comfortably use the standard-issue mouse. I asked if I could bring in my own, since the Employee Health Dept couldn't provide a mouse that I liked (the only alternatives were either the same size or those stupid-ass joystick style ones). IT said I wasn't allowed to use a non-standard mouse because it might cause the computers to crash.

    • I think one thing that would help this idea a lot would be if the CD booted into a VM. That way users would not have to do a hard restart.. just load the bootable CD into a VM and kill the VM when they're done...

      You mean, like this [slashdot.org]?

      I tried it. On my XP2000+ it took 15 minutes to boot, but was fairly decent at running applications (by fairly decent, I mean approxomately equal to remotely VNCing into a box on a cable modem).

      That's actually an even better idea.. boot it under the VM, but don't actually la
  • Fatally flawed (Score:4, Insightful)

    by nmg196 ( 184961 ) * on Thursday March 24, 2005 @07:43AM (#12034457)
    I don't see how this improves security at all.

    If the whole OS is supplied on a CD, that means that when you boot from it, there will be NOTHING on the PC to validate that the CD doesn't contain a virus or trojan. While this won't be a problem for the bank's real CDs, it will be a matter of days before people start being spammed AOL style with fake CDs though their doors which look exactly like the ones their bank sent out and some with a covering later saying that it's an upgrade or something.

    Because you're BOOTING from the CD rather than using it to install something, you'll be bypassing your antivirus software and software firewall and there's no way that anything can warn you that the CD you're using is a trojan. It can litterally slip in right though your letterbox and into your CD-ROM drive without any checks whereas downloaded or web based applications have to go through your firewall and be scanned by your virus scanner in order to get onto your machine.

    The CD could be set up to transfer your money into some else's account and because it was done by your machine on your IP with your user/pass it will be very difficult to pursuade your bank that you didn't do it.

    This is an absolutely crap idea and most of the posts above seem to miss this point entirely. These CDs better have some pretty cunning holograms on them or something and the users need to know EXACTLY what they're going to look like before they get them.
    • Well, around here you need to go to the bank to make the (internet banking) contract. Even if it's not like that elsewhere, going to a bank once just to get the CD is not that bad. Would that be secure enough for you?

      Let's try to be constructive here. This could really be a good idea, there's no need to say "it's fatally flawed" if the first iteration is not 100% secure...

    • Re:Fatally flawed (Score:3, Insightful)

      by CastrTroy ( 595695 )
      Phishing only works because sending out an email costs $0.00001 and can be done rather anonymously. It costs quite a lot, $0.50 CDN, Or $0.37 US (i think) to send a letter. Add on the cost of actually producing the CD, and the problems in mailing out 1,000,000 pieces of mail anonymously. You can't just put 1,000,000 CDs in a street corner mail box. This kind of attack will be much harder than regular phishing. Unless you can figure out who the people are who are stupid enough to use a fake cd, and just
      • Re:Fatally flawed (Score:3, Interesting)

        by nmg196 ( 184961 ) *
        If you hear that your bank will be sending out CDs and then you receive one, I think pretty much anyone might be fooled into trying it - even most techys. After all it's not like it's a common way to distribute a trojan, so you won't be expecting one. I mean, would you scan a Knoppix CD that you got from the front cover of a Linux magazine? Probably not. But who's to say that someone hasn't replaced the cover CD for one of their own? After all - the magazine's just been sitting there in a public place for a
      • If someone put a bunch of fairly professional looking CDs (labelled and in printed cardboard sleeves) marked "Free high security bootable CDs for customers of Bank of Fubar" in display boxes at retail locations, a number of dopey customers of that bank (excluding you and me, of course!) would probably pick them up and try them out. If they seemed to work the first few times, those people would keep using them until disaster struck.

        It would be a lot more expensive than e-mail phishing, but it would work wi

  • Great Idea (Score:4, Interesting)

    by Anonymous Coward on Thursday March 24, 2005 @07:47AM (#12034471)
    I have been using Knoppix for all our banking since AVG found a Keystroke logger on my Wife's PC. KNOPPIX ROCKS. I also use it at Hotels where they have Business Center PC's.
    Knoppix is not just a good start, it is a GREAT start to solving the problems of infected Client PC's. Every boot is a clean install, and user settings CAN be saved to the HD if you really want.
  • So, let me get this straight, in order to use the bank's site "securely", I have to reboot my computer? And while I'm doing that, I can't access any of my Windows apps, like Quicken or Excel?

    Oh, yeah, that'll catch on.

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...