With the recent news stories about bank accounts being hacked and monies pilfered we decided to investigate ways to protect our business.
Now the problem is two fold.
Online banking login details
The first is quite obvious, protecting the online banking username and password. It is fairly obvious when someone stands over your shoulder concentrating on memorising your account details. It is also very easy to protect yourself from this approach by, say, locking yourself in a tiny room.
More frightening is key logging software. We’ve on occasion identified key logging software running on a clients machine in the logs of one of our products. Malware, trojans, virus (whatever the plural may be) and the like easily infects browsers and workstations. We even had articles this week about government spy software in RSA masquerading as a firefox process collecting end user data. So this is where the problem lies, protecting the details from stealthy criminals thieving all your hard earned cash.
One time passwords
There is a fallacy regarding the cellphones we carry. Banks do not make us aware of this and place the onus on the phone owner to ensure their security. Our cellphone companies do not and have never indicated that sim cards are secure and securely dished out. So when our banks added OTP sms message and claimed we’re all saved it was a huge lie. A fake ID, a couple of bob, and 30 minutes later a crafty criminal is in possession of a new sim card on your account. The OTP sms messages arrive on the new sim card (as the one in your phone was declared stolen) and bobs your uncle, new beneficiaries are created, money transferred and wailing and gnashing of teeth for the now much poorer individual.
The solution is not simple, however, one easy start is to use a small OS that stores no data, runs from RAM and loses all data when the workstation is rebooted.
http://en.wikipedia.org/wiki/List_of_Linux_distributions_that_run_from_RAM. Wikipedia lists a number of these small distributions. So now when locked in a small windowless room this ensures no software key loggers are able to steal bank account details. Note software carefully placed in the previous sentence. Physical security is the only way to protect yourself from hardware key loggers readily available for purchase on the internet.
We’re experimenting with Tails, a small distro employing the tor network for anonymity. It’s not ideal, as it forces you to use the Tor network to access the internet securely which makes the experience slow and most banks will raise alarm if your bank activity jumps from country to country.
Another possibility is Lightweight Portable Security (LPS) which is a DoD initiative, if I can get it to work…