Keyboard Encryption for online Banking Security any advice?

[Bold Eagle]

As the title suggests I was wondering if anyone can suggest a Keyboard Encryption app to provide added security when and if doing online banking?

I realise there are many discussions and white papers highlighting that some of these software apps can be circumvented and or hacked and thus be useless. But I was wondering if anyone could suggest a decent program that will do this, preferably free!

It is for a neighbour as I personally don't use one as I mainly pay bills over the phone via my bank and feel this is a bit more secure which I am suggesting he does as well.

[Bold Eagle]

Thank you for the response and I do believe most "major" banks will offer full coverage if the user has taken all reasonable steps.

My phone banking is undertaken purely across a landline which I think is a lot less vulnerable than online banking and I think would take a lot greater effort to compromise.

[Digitalocksmith]

You shouldn't need keyboard encryption software BE!

Online Banking passwords are not entered via the keyboard, they are entered using mouse clicks on the banks secured sites 'virtual' keyboard in order to guard against keyloggers.

My Westpac account also uses what they call 'Extended Validation Certificates' whereby the URL bar on your browser will be color filled in green which identifies a genuine Westpac Online Banking site.

Security is really top rate with Online Banking today and most banks use extremely advanced methods of security in Dynamic SSL Encryption methods etc.

My Online Banking usage stands at about 8 years now without a single issue and its extremely convenient.....would be hard to live without it now i'd reckon!

Westpac also offer me a 'Security Guarantee' should the very unlikely event of fraud occur.

Quote:

Originally Posted by Westpac

Our security guarantee
If your Westpac account is compromised as a result of Internet fraud we guarantee to refund any missing funds providing you comply with our Internet Banking Terms and Conditions.

Regards

[Digitalocksmith]

Here is a shot of my Account login page using a Virtual Keyboard.

The best security advice (other than that mentioned by Dom) that i could give would be NEVER open your online banking site from a link.

Establish the correct secure site and save it in your browsers favourites and ONLY EVER open it from there and that way you guard yourself against phishing sites etc.
Although the banks are right on top of these today and they are usually discovered and taken down faster than a spammer on MG's!

[Bold Eagle]

Hello fellow Aussie, Westpac as well.

There is a "white paper" implying that there are rootkits that will actually take screenshots of "virtual keyboards". Sadly most of the "online security" is reactive and only responding to events after it has occurred.

I still prefer my landline and only ever use online "when I have to" as to the best of my knowledge the landline can only be hacked "from a very localised source" at best.

I love the way Westpac changed their virtual keyboard page recently but I didn't know until I was there, was thinking wtf but felt slightly reassured by the URL bar on the page.

[Bold Eagle]

I should add I use FF with NoScript which does stop an amazing amount of crap from ever becoming active during normal activity, frankly way better than basic AdBlocking apps. But still I rarely put any personal detail online and only because I have to.

[Digitalocksmith]

Quote:

Originally Posted by Bold Eagle

I love the way Westpac changed their virtual keyboard page recently but I didn't know until I was there, was thinking wtf but felt slightly reassured by the URL bar on the page.

Yeah that freaked me a bit when i first opened it from favourites aswell.....I actually closed the site, googled it just to be sure and studied the URL like a hawk before reopening to the same page...

Rootkits that take screenshots hey.......I would know instantly if i had a rootkit installed on my system and i dont think it would help them in any case as it would require several screenshots taken in quick succession whilst the cursor was hovering over the virual key letter in the correct sequence at precisley the correct moment in time.......On thinking about this logically I dont see how this is possible!

If you understand the basics of Online Security with general computer usage today, i still think that there is a valid argument that online banking is safer than walking out of your branch's front door with a pocket full of cash.

Think about it, there is more security to afford your protection online than there is using an ATM.

I would agree with your last statement.....Credit card entry or personal details online where you could be on any Tom, Dick or Harry's site does pose a far greater security risk than online banking transactions!


Regards

[plodr]

Forget running windows. The solution to secure online banking
http://voices.washingtonpost.com/sec...e_bank_on.html

[Bold Eagle]

Excellent read there plodr so I need to make a read only bootable linux CD/DVD, I assume most of these OS would have a Browser within them and that will offer the most "cost effective" (many Linux Distro's are free) and secure method for online banking

[Bold Eagle]

Anyone have any experience with Live Linux OS's and could recommend a good one?

[plodr]

Any live CD will include FF (some may call it IceWeasel but under the hood, it is the same).
Go here, http://www.livecdlist.com/
IMHO, the easiest are: Ubuntu, Debian, MEPIS, PCLinuxOS, and perhaps Knoppix or Linux Mint. If the live CD doesn't run, then move on to another.

On a laptop, wireless can be a chore setting up and sometimes you get no display. In the case of it appearing to hang, I always boot a laptop with safe mode (VESA) so I don't have a problem with the vid chip and I turn off scsi and acpi. Some say noscsi and noacpi while others say scsi=off and acpi=off. When you boot up, on a laptop (desktops usually don't have problems) click whatever it says for other options. It might be something like press F3 for more options.

[Digitalocksmith]

Certainly i nice solution for small business especially......But is a change in OS just a short term 'band-aid' solution until this procedure becomes more common-place and variants of Zues and Clampi are adapted for Linux?

http://voices.washingtonpost.com/sec...d_down_pc.html

Seemingly the issue of Online Banking Security concerns among users has shifted from the Banks security procedures to that of the security within windows.

Is continuing education in securing a windows enviroment coupled with the know how of protecting yourself online and avoiding common security pitfalls the way to go in the long term?

Do you think that the bad guys will find a way to exploit Linux removable media vunerabilities if they are forced too?

Certainly an excellent current fix though for any OBanking security concerns you may still have Bold Eagle.


Regards

[Bold Eagle]

Well the most robust method I can determine from these articles so far would be to:

- Have a dedicated "stand alone" system that has no HDD (so no where for any Malicious Software to be written/stored),
- Uses a read only "Live CD" of linux to access Online Banking (and only ever goes to that site and possibly a browser email account),
- Records could be written in a "paper" account ledger (which any small business should be doing anyway) and or into Open Office and sent via a browser email account to another system,
- This email account would only ever be used to "send" and never receive.

The only "potential" vulnerability I can see with this system is that eventually malware is able to actually store itself in the RAM via a "drive by hack" and access the password information during that session. I'm not even sure if an attack on RAM is currently possible?

I assume that any and all OS have the potential to be "preyed" upon and the greatest weakness with any system is the HDD and or writeable permanent (non-volatile) storage device (e.g. SSD, R/W DVD, USB Drive, etc).

Education is indeed the key but no matter how much you lock Windows down (which is pretty complicated) weaknesses will always be found and exploited.

[Digitalocksmith]

What if you mistakenly access the wrong site via a live CD OS?

Are you safe then?

Is a user who is unable to effectively secure their windows enviroment, more easily able to secure a possibly infected or phished Linux enviroment?

RAM Aquisition

Cooled RAM Attacks


Regards

[plodr]

Quote:

What if you mistakenly access the wrong site

IMHO, anyone that is that inept, probably should not be doing online banking in the first place. Stick to phone banking. I use this option more than online banking. I have and will always have a hard wired phone.
If you are using FF in windows then FF in linux is the same. Because the distro is live, you have no cookies, no passwords and no favorites.
If you type your bank site in the address bar incorrectly, usually you get some sort of Open DNS page or a google page asking if you meant with a suggestion for an alternate site.

[Digitalocksmith]

Quote:

Originally Posted by plodr

IMHO, anyone that is that inept, probably should not be doing online banking in the first place

This maybe so......I just wanted to point out to others contemplating the use of a 'Live' OS enviroment for online banking, that it is not an absolute guarantee of impregnable security.

I'm pretty sure that its possible to enable cookies within the browser of a live CD which are then stored in RAM base but naturally are lost on reboot.
Most Banking websites require cookies in order for any individual system to able to log on as HTTP is in itself a stateless protocol, but im not sure how much of an actual issue this problem could present.

Running an OS that cannot be updated may also be a security concern and would create the need to re-burn the distro periodically in order to keep things patched.
A live OS running as root has the power to modify the contents of your Hard Drive including the master boot record which may provide security issues for your normal windows enviroment which is installed there.
It would be possible for someone to insert a WINDOWS-based root kit in the MBR during the live linux session.

Quote:

To deal with this limited threat, it may be necessary to occasionally update a recommended secure live CD. If these are provided as commercially duplicated CDs distributed by the banks, then the banks will need to notify their customers of the need for updates (which may involve the live CD sending the website version information which the website can check before giving the user access to their account). If an update is needed, the customer might have to physically travel to their local bank office to pick up a new CD.

A few other possible issue's I stumbled across:

Quote:

Computer compromises are caused by security holes, and even the software on a live CD is likely to contain bugs, some of which will be security holes. The ability to exploit such holes is much more limited than when the system is booted from a writable hard drive, because whoever or whatever manages to break in to a live-CD-booted system must take advantage of the break-in immediately, before the user completes their banking activity and reboots again. The number of opportunities to break in is also much reduced. The user will not be installing any new software while doing their Internet banking, which leaves only security attacks based on the processing of untrusted data. Given that an Internet banking user only accesses known and trusted websites, the only possible source of malicious data is either raw IP packets, or something very tricky in the account detail itself (like a maliciously crafted cheque number).

Quote:

CDs are not necessarily read-only. This could be a non-trivial security issue. The easiest way to make a live CD is to download a ISO image and burn it to a CD-R. Although normal CD software will not permit rewriting of a CD-R, it is somewhat less certain as to whether malicious software is prevented from doing this. This is potentially a problem if the user ever inserts the secure live CD into the drive while the computer is in an insecure state (i.e. booted normally from the hard disk). Typically CD writing software will not write to closed sessions or to a closed disk, but I do not know if this is enforced in the hardware or if it is only enforced in the software.

Quote:

Not all Internet banking operations need to be made completely secure. Just browsing bank statements is not as security-critical as being able to transfer money to someone else's bank account in Switzerland. Banks should offer users multiple sub-accounts with different capability levels. This reduces user temptation to not be bothered going through the cycle of reboot, wait, log in, do stuff, finish, reboot and wait again.

I'll say it again just one more time for good luck.....If you dont take the time to educate yourself in basic online/computer security issues and learn how to avoid the common pitalls.....nothing will keep you totally protected whether it be Windows, Linux or any other OS!

There are always risks, the ultimate choice is yours!


Kind Regards

[Private Fumbler]

Quote:

Don't use any standard web browser 'Saved Form Information' or 'Password Manager' for online banking or purchasing as *none* of them encrypt the information securely enough.

I've noticed that my regular bank and Paypal too have removed the automatic fill feature for logins and passwords. The only way to enter the information is to tap it in.

[Bold Eagle]

I have to agree we will probably never achieve impregnable on-line security but I sincerely believe that this is a very "viable" and cost effective measure that would significantly raise the security bar for the "average user" at this current point in time.

Arguably one of the most crucial comments presented by the author:

"Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers."

http://voices.washingtonpost.com/sec...e_bank_on.html

This implies to me that at this current point in time the malware just will not be able to run in a linux environment.

Excellent discussion we are having on this and here I am in linux at MG and I have to say I am very impressed with Ubuntu for this short test spin.