Saturday, March 5, 2011

Bootable CDs for banking, and why they won't work - Repost

I've been seeing a lot of security types argue that banking from your home PC using Windows is inherently insecure, and that a solution to this is to use an OS on a bootable CD (the Live CD is usually touted). This is an elegant technical solution to the problem represented by an OS that runs from rewriteable media. For the purposes of the discussion, the specific OS doesn't matter; depending on a specific OS to protect you because it's a small fraction of the installed userbase is depending on a variant of security by obscurity. Ideally, you shouldn't bank online at all, say the extremists.

However, it's a terrible idea outside of the merely technical. Let's start with why online banking exists. Online banking exists because a bank's business model and inventory are both based on bits, not atoms. Banks actively work to reduce the number of atoms that they have to concern themselves with, because they only make money on bits, and atoms are a cost. As customers of a bank, we want them to do this, because the banks' costs are passed on to the customer. Thus, the rise of ATMs (which, while atomic in nature, consist of cheaper atoms than do tellers). Thus the rise of online banking (a server farm is made of cheaper atoms than a bank branch, in addition to having negligible cost for additional operating hours versus a traditional branch). Thus the death of checks enclosed in your statement (since they are converted to bits at the earliest opportunity and the atoms disassociated, rather than being schlepped across country). &c, &c. Online banking is here to stay.

So, on to why bootable OS CDs won't work. First I'll do the consumer side, then the bank side. And then I'll go over why they don't solve the problem anyway.

The consumer side: I have on my desk a multitasking POWERHOUSE undreamed of, say, 20 years ago. Skipping the rest of the hyperbole, it is vanishingly unlikely that I have to close down my other applications to open up an online banking application. Nor would I want to - I balance my checkbook not by pen and paper, but by database. By doing this I don't have to worry about arithmetic errors, puzzling out handwriting, etc. And to avoid data entry issues, I don't hand-type information into the database; I retrieve it via the internet. Likewise, I schedule outgoing payments in my financial management program. There's a positive benefit to doing so: I don't have to give a third party permission to debit my account, and the timing of doing so is ENTIRELY under my control, across multiple financial institutions and payees. The communications between this application and my banks are encrypted, but essentially (S)HTML. It essentially includes the functionality of a web browser. And you want me to give up the incredible power of automation and communication for security? Fat fricking chance. This gets worse if I'm a business owner, incidentally. As a private person I could manage my finances via paper if I wished, though it would be much harder, and significantly more expensive. It would be essentially impossible to do so as a small business owner, certainly not if I wish to stay on the right side of the tax man and the bar association.

The bank side: A CD is made of atoms, and they are atoms that do not replace other, more expensive atoms. They aren't even passive atoms; the CDs have to be made available to customers, and thus schlepped about the country, inventories have to be managed and refreshed from time to time, technical issues need to be supported (and tech support comes attached to some very pricey atoms indeed, even if they are located on the other side of the world). The bank wants nothing to do with them. All they do is reduce costs; and costs are passed on to the customer. Period - by definition a for-profit company passes all of its costs and a markup on to the customers.

But, let's say you've convinced me; your bootable OS CD also has a financial management program that can write to the local storage device, so I can take advantage of the power of my computer while still keeping an un-breachable wall of security around the OS. Let's say you've convinced the bank that the CD will reduce the costs associated with online bank fraud; the OS booted from the CD is immune to Trojans and other malware.

It is still not secure. Let's start with distribution: at some point these CDs must be mastered. That mastering plant is an extremely vulnerable single point of failure. Get your malware on at the source, and you've slipped past every defense; plus it's very expensive to repair the damage. You have to reship EVERY infected CD, doubling your costs.

You have to ship the CD. Do I need to go into the kind of man-in-the-middle attacks possible if you ship them directly to the end user via the mail system? It's trivial for Eve to insulate herself from mail fraud by using mules, and not much harder to use unwitting mules. I wouldn't count on the high cost of atoms to deter the black hats - ATM skimmers work despite being made of atoms, not bits.

But if you ship them to the bank, they have to be kept in a secure location, or the supply of CDs can be tainted by inserting the malicious ones into the supply. Which defeats the purpose of having online banking in the first place, which is reducing the amount of walk-in traffic to branches. And since it must, by definition, be available to the public, you can't secure the data on it from an attacker.

It doesn't stop phishing: even if no bank actually offers downloadable ISO images, the phishers will...

Each bank is vulnerable to the least secure of them. Either the bank requires that only their own secured CD be used to access their online banking, or they cannot enforce use of a CD-booted OS. And they can't actually enforce use of their own CD, the most they can do is enforce use of their own CD or malware CDs targeted at them, since the malware CDs will be able to perfectly mimic the targeted bank's CD. For that matter, who in their right mind is going to reboot their machine each time they want to change banks in the middle of a session?

There are minor issues as well - what if bank A doesn't offer the financial software customer B wants to use? The CD must be updated from time to time as additional features (including security) are added, not to mention drivers for hardware, etc.

Bootable CDs are a terrible solution that is being pushed (in large part) by the anti-Microsoft crowd for the purposes of gaining a beachhead for non-Microsoft OS. I'm not going to trivialize the problem; I suspect it's overblown. To the individual, compromise of the bank account is horrific, but I wonder how much per bank customer, or (more appropriately) per banked dollar, is lost annually. I suspect that systemically available fraud insurance would be a better approach (though you run into some moral hazard issues there).

(Originally posted on my Livejournal – some minor clean-up editing has been done)
