A Quick And Easy Way To Minimize Online Banking Risks

Even if your business runs Windows, it can still use Linux to avoid problems related to one of its most important -- and potentially most dangerous -- online activities: banking.

Matthew McKenzie, Contributor

October 13, 2009

4 Min Read
InformationWeek logo in a gray background | InformationWeek

Even if your business runs Windows, it can still use Linux to avoid problems related to one of its most important -- and potentially most dangerous -- online activities: banking.Online banking fraud isn't just a problem -- it's a full-blown plague. Many businesses understand the dangers of phishing scams; educated users know never to click on an email link that might transfer them to a phony login page, and they always double-check the URL when they visit an online banking site.

But the most insidious security threats to online banking still work under the hood on a compromised desktop PC. Malware, including Trojans and keystroke loggers, can intercept a user's login credentials and allow thieves to clean out an account. One notorious Trojan can even alter a victim's online bank statement to conceal the crime, buying additional time for the thieves to escape detection.

When security software fails to catch this malware, it can run unhindered almost indefinitely. And in a worst-case scenario, a company that discovers someone has pilfered its bank account will have few options for recovering the lost funds.

As long as consumers report suspected fraud promptly, federal banking regulations generally require banks to reimburse them for any losses. Those regulations, however, do not extend to business accounts; unless your bank explicitly extends such protection to business customers, then a business that falls prey to online fraud will have to absorb the loss -- if it can.

Solid antimalware protection can reduce this risk. Since the overwhelming majority of Trojans and keystroke loggers, however, attack only Windows PCs, the best way to minimize your company's exposure to online banking fraud is to minimize its use of Windows operating systems to access online accounts.

That's where a Linux Live CD can deliver enormous benefits. Companies that want or need to run Windows PCs for most daily tasks can still boot into a Live CD environment when an employee needs to log into an online bank account.

Washington Post computer security columnist Brian Krebs explains the process in an outstanding overview published this week. Live CDs, he explains, are generally free, Linux-based operating systems that one can download and burn to a CD-Rom or DVD. The beauty of Live CDs is that they can be used to turn a Windows based PC into a provisional Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity -- are completely wiped away after the machine is shut down. To return to Windows, simply remove the CD from the drive and reboot. More importantly, malware that is built to steal data from Windows-based systems simply won't load or work when the user is booting from LiveCD. Even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, the malware can't capture the victim's banking credentials if that user only transmits his user name and password after booting up into one of these Live CDs. There are hundreds of LIve CD options available; most desktop Linux distros offer Live versions. Like Krebs, I recommend using the Ubuntu desktop Live CD. Ubuntu is user-friendly, it doesn't cost anything to use, and it is likely to work well with any standard PC hardware configuration. (Even if it doesn't, trying a different Live CD is an extremely simple matter, since this process doesn't involve actually installing anything on a desktop system.)

Live CDs, by the way, will also work just fine on portable USB sticks, if your PC supports booting from such a device.

Krebs has more details on using a Linux Live CD for online banking sessions, including a quick run-through of the setup process using the Ubuntu desktop Linux distro.

For some users, of course, even the prospect of having to reboot a system just to conduct online banking sounds like a hassle. Such an attitude frankly mystifies me: When an undetected bit of Windows malware could cripple your business in a matter of seconds, how could an extra minute or two possibly represent a burden?

Consider the prospect of explaining to your boss -- or your employees -- that a thief walked away with thousands of dollars because you didn't feel like waiting for your system to reboot. And it's worth saying this again: Consumers who fall prey to online banking fraud are protected. Most businesses are not.

Using a Linux Live CD for online banking sessions doesn't eliminate the risk entirely. A phishing scam, for example, is more an attack on a user's lack of sophistication than on a particular technology; a gullible Linux user can fall prey to such a scam just as easily as a gullible Windows user.

But IT security is not about eliminating risk. It is about minimizing risk. And based on that standard, I think that the benefits of using Linux to conduct online business banking transactions far outweigh the minimal time and effort required to find, learn about, and use a Linux Live CD.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights