Time and time again we read stories about malicious people using Trojans to steal money. This time it happened to the Cumberland County Redevelopment Authority, where a malicious hacker used a Trojan to steal nearly half a million dollars. Brian Krebs from the Washington Post has some really good tips and detailed coverage of this story.
Brian says that, through his research and reports on cyber theft, the SANS Technology Institute came up with a simple solution to the problem: use a DVD-based bootable operating system such as Knoppix.
I fully agree. The problem is that once your system is infected with a Trojan it becomes a ticking time bomb. The Trojan sits hidden in the background, monitoring and waiting for you to access your online bank account, and once you do, it does its thing. Depending on the Trojan, it will either hijack your session and make its own transfer instead of yours, or, in the case of less sophisticated ones, simply email your credentials to whoever controls it.
Online banking is obviously a great tool, but unfortunately there is no foolproof way to be 100% safe except by using the bootable operating system solution. Banks obviously try their best: they employ a lot of effective measures, such as two-factor authentication, restricting access based on your IP address and other schemes like these, in order to protect their customers. However, each and every one of these security measures is useless if a Trojan simply hijacks your authenticated session and replaces your transfers with its own.
Needless to say, to really be safe we want to be sure that there are no Trojans running while we are doing our online banking; but how can we? Anti-virus solutions are a good resource; however, they can generally only detect known Trojans that are already circulating in the wild. We could be infected with a custom-made Trojan, or the anti-virus in use might not yet have been updated to detect the particular Trojan we were infected with. So how can we be 100% safe?
My recommendation for a completely safe environment when conducting online banking is as follows. It is a bit cumbersome, but I believe it is as secure as one can get, and if you make a lot of high-value transactions, or even if the account you interact with simply holds a lot of cash, it might well be worth the overhead.
Firstly, set up a firewall exclusively for the machine doing the online banking and connect the actual banking terminal behind it. The firewall should block everything, both in and out, except for a pipe between the terminal and the bank; the machine will be able to connect only to our bank and nowhere else, which removes the risk of Trojan infection through some browser exploit on another site. Secondly, the machine should always be powered off and turned on only when it is necessary to interact with the bank. This is very important to ensure that no Trojans or viruses are left running in memory. When the machine is turned on it will boot our DVD/CD-based environment, and we will use that to do our transactions. Finally, ensure that there is no physical access to the machine except for the keyboard, mouse and CD/DVD drive. Ensure that it has no USB, FireWire or hard drives installed and no network connectivity except to the firewall, which in turn only allows access to the bank site.
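As an added example (not from the original post), here is what the dedicated firewall's "bank and nothing else" policy could look like as an nftables ruleset. It assumes the firewall box sits between the terminal (on interface lan0) and the internet (on wan0), and that the bank's HTTPS server address is the placeholder 203.0.113.10; the interface names and the address are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the dedicated banking firewall (not from the post).
# Assumptions: lan0 faces the banking terminal, wan0 faces the internet,
# and 203.0.113.10 is a placeholder for the bank's HTTPS server address.
flush ruleset

define lan_if  = "lan0"
define wan_if  = "wan0"
define bank_ip = 203.0.113.10

table inet banking {
    chain forward {
        # Nothing passes through the box unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        # Replies from the bank to a connection the terminal opened.
        ct state established,related accept
        # The only new connection the terminal may open: HTTPS to the bank.
        iifname $lan_if oifname $wan_if ip daddr $bank_ip tcp dport 443 ct state new accept
        # Everything else (other sites, DNS, a Trojan calling home) is logged
        # and dropped, so a blocked attempt leaves evidence on the firewall.
        counter log prefix "banking-fw drop: " drop
    }

    chain input {
        # The firewall itself only answers DHCP from the terminal, if it hands
        # out the terminal's address; remove the DHCP rule for static setups.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname $lan_if udp dport 67 accept
    }
}

table ip banking_nat {
    chain postrouting {
        # Hide the terminal behind the firewall's WAN address.
        type nat hook postrouting priority 100;
        oifname $wan_if masquerade
    }
}
```

Because the terminal cannot reach a DNS resolver under this policy, the live environment must have the bank's address pinned (for example in its hosts file); allowing DNS would reopen an outbound channel that a running Trojan could use.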
This simple setup protects us in a number of ways. Firstly, the firewall ensures that no one can use the terminal to browse sites which might host exploit code that could install a Trojan on our system. Running the system off a CD/DVD ensures that our environment is never permanently compromised: even if a Trojan does infect our system, it cannot modify any files or reload itself on the next boot. Finally, if a Trojan does somehow manage to get in, keeping the machine switched off when not in use ensures that any running Trojans (which can only live in memory, since our operating system is physically read-only) are wiped out. Additionally, if everything really fails and we are infected with a Trojan that is running while we bank, the Trojan will not be able to call home or send the data anywhere. Obviously, as I said in previous articles, one is never 100% safe; there is one possible scenario I can think of, and that is that the bank itself, maybe through cross-site scripting, ends up hosting the malware, which manages to infect your machine through a browser exploit and is completely autonomous in that it can perform transactions without needing to connect to a command-and-control station. However, I think this scenario is pretty remote.
If you want peace of mind and the maximum level of security when interacting with the bank, I think this is in fact the best way to go about it. I would appreciate any thoughts you might have regarding such an approach, or maybe something better! I understand that it might be a bit cumbersome to implement; however, I believe it can be a very effective defense. Ultimately, it is surely more desirable to wait a couple of minutes for a system to boot than to end up with $500,000 less in your bank account!