a blog about things that I've been thinking hard about

Ten Ways to Make Internet Banking Safer

26 August, 2007
internet banking security advice (assuming use of a live CD)

Secure booting, readonly sub-accounts, simple HTML interfaces for less powerful client computers

Optimise bootable CDs for usability

Optimise ISP service for bootable CDs

Ship a secure bootable CD with every computer sold


Advice for Banking Customers

1 Do not do Internet Banking from a computer booted off a writeable storage device Your computer's hard disk is a "writeable storage device", and booting off the hard disk is what most computers normally do when they are switched on. So this advice is telling you: when you do Internet banking, do not switch your computer on in the normal fashion.

The secure alternative is to boot your computer from a non-writeable medium, which can be various things, but for most personal computers the most practical non-writeable medium to boot off is a so-called "Live CD".

This is the one piece of advice that you probably won't read in the "Internet Banking Safety" leaflet that your bank gave you. That leaflet most likely told you how to make your Internet banking as safe as it can be assuming that you will do it from a computer booted off a writeable storage device.

It's difficult to determine exactly why banks persist in assuming that Internet banking should be done from a computer in exactly the same way as other kinds of web surfing, but I will guess at the following reasons:

Most of the advice I give in this article has to do with the first three items in this list, and it has to do with how other people involved in the act of Internet banking should make it as easy as possible for you the banking customer to boot your computer securely from a non-writeable medium. These other people involved in Internet banking are the people responsible for the design and operation of (1) your computer, (2) your computer's operating system, (3) your Internet connection and (4) the bank itself.

Even if banks, ISP's, OS developers and computer manufacturers all get their act together, there will still be some effort required on the part of the banking customer to achieve Internet banking security. So the question is, is it really worth it? Or are the bankers right in assuming that the inconvenience of rebooting is too great? In particular, can the Internet banking customer be bothered doing each of the following steps every time they do Internet banking? That is:

On the face of it, this seems highly inconvenient, compared to the alternative, which is:

However, the increased inconvenience of the reboot/bank/reboot procedure is not as much as it seems, because the second apparently shorter procedure introduces an enormous inconvenience into all your other computer useage, which is:

Anytime you perform any action on your computer, you must consider the consequences in relation to the security of Internet banking.

For example, this is what using the Internet on your home computer was like before you used it for Internet banking:

And here is what using the Internet on your home computer is like after you started using it for Internet banking:

As you can see, it's a different experience. Internet banking casts a long shadow over all your other Internet useage.

Advice to Banks

2 Lose the optimism In the world of security, optimism seems to be an incurable human disease. It goes something like this:

We'll fix all the problems that we know about, and after that we'll be secure.

For some recent examples of this attitude, read this commentary by Bruce Schneier on the Wired website.

In general optimism is a good thing, or so the books on self-help tell us. But it is not a good thing in the world of computer security, because on a computer the user is only ever one mistake away from being screwed. And the mistake doesn't even have to be a user mistake – it can be a mistake made by a software developer or a mistake made by a hardware vendor. Computer security is a very fragile thing, and it is something that needs to be thought about very pessimistically.

It follows that the modern personal computer running off a modern personal computer operating system booted off a hard disk is not good enough for Internet banking security, unless the customer goes to the extreme of never using their personal computer for anything other than Internet banking.

There may come a day when it is good enough, when some combination of capability-oriented security and formal methods means that the average personal computer is secure enough to do Internet banking, without the user having to think about Internet banking security all the time when doing other things on their computer.

However, I suspect that that day is so far in the future, that other things will happen sooner. For example, basic web-surfing computers might get so cheap that consumers will purchase a separate web-surfing device just for doing Internet banking (and anything else that needs to be extra secure), and the whole question of "is my computer secure enough to do Internet banking?" will be forgotten.

3 Provide sub-accounts with different capabilities Not everything that customers do when they do their Internet banking has the same security implications. The single major risk is that a criminal will gain control of a customer's computer and then perform a transaction to transfer money from the customer to themselves. So the banking feature which creates the greatest risk is that of transferring money to external accounts. Other features are less risky, and these features include:

Unfortunately many Internet banking accounts provide an all-or-nothing approach: if you are logged in so that you can see your bank statement, then you are also logged in so that you can transfer money to complete strangers. The idea of sub-accounts is that one customer can have different logins with different passwords and different risk exposures. The most basic distinction would be between a sub-account which can do external transfers and one which can't. With sub-accounts, the customer can choose to use one sub-account with reduced capabilities when booted off a hard drive and another sub-account with full (and therefore dangerous) capabilities when booted off a Live CD.

Even the feature of transferring money to an external account can be broken up into two parts:

A limited sub-account could be used to set up transactions, and the full-capability sub-account could be used at some later time to confirm them.

Another option is to make the full-capability sub-account only accessible via phone banking (I'm assuming here that the security of your telephone does not depend in any way on the security of your home computer).

4 Provide the simplest possible standard HTML interface to the customer's account This is a special case of the Robustness principle:

Be conservative in what you do, be liberal in what you accept from others.
The benefit of using stock-standard HTML protocols is that it gives the most choices to the Internet banking customer as to how they secure the software, the operating system and the hardware that they use to connect to their Internet bank account.

The worst approach for a bank to take would be to provide a banking website that only works with one particular brand of web browser running on one particular operating system.

Advice to ISP's

5 Provide DHCP, even for static IP addresses One problem with Live CD's is that they have no provision to store configuration information, unless the user is presented with a procedure for configuring and recording a new copy of the Live CD in question. While this is possible, everything is much easier if no configuration is required at all.

On the Internet, the general solution to IP address configuration is DHCP. If your network has a DHCP server, then most Live CD's are set up to default to using DHCP to configure their IP and DNS addresses.

Sometimes ISP's provide customers with static IP addresses, and instead of providing DHCP, they give the customer instructions for entering all the details into their computer's network properties. These instructions typically include:

Doing this once is tolerable. Doing it for multiple devices that might connect to the Internet is annoying. Doing it every single time you boot from a Live CD is very annoying.

One solution is for the customer to get a router, because almost all consumer-oriented routers include DHCP. Probably no-one buys a router just to get DHCP, but the moment someone wants to connect more than one device in their house to the Internet, or connect any device wirelessly, then a router becomes essential, and they don't cost much anyway.

But in the meantime, there will exist some set of customers with static IP addresses and no router, who could benefit from having DHCP provided, and for the benefit of those customers the ISP's should provide it. I'm not a DHCP guru, but I see no reason why it should not be possible to make DHCP available even for static IP addresses.

Advice to Operating System Developers

6 Optimise essential configuration options Currently most Live CD images available for download are oriented towards "try-it-without-installing" useage. Such images can be acceptable for secure web browsing, but they could be optimised somewhat more for the user who is going to boot the CD over and over again.

The configuration requirements for Internet banking are fairly minimal, but in my own experience I have found myself performing one or more of the following tasks after booting from a Live CD:

A truly Internet-banking-optimised Live CD would preset useful defaults where possible, it would display a single form to configure options that might need configuring for a single web-browsing session, and (ideally) it would enable the user to create a new Live CD with the relevant options pre-configured to the newly chosen values.

7 Provide stripped-down OS and software relevant to the task One part of the inconvenience of rebooting from a Live CD is waiting for the system to come up and be ready to use. In the case of Linux Live CD's (which is the only kind I have tried so far myself), I suspect, although I cannot be sure, because I am not a Linux guru, that the OS is initialising a lot of stuff that isn't strictly necessary for the purpose of doing my Internet banking.

Here's a basic list of things that an "Internet banking" OS needs to provide:

Some things that can definitely be left out include:

8 Instant shutdown Another part of my Live CD experience is that not only do you have to wait for startup, but you have to wait for shutdown. If we know in advance that the OS is not saving data anywhere except to a remote website, then the following should be a sufficient procedure for shutdown:

Advice to Hardware Manufacturers

9 Make booting from CD as easy and safe as possible Although modern computers make it possible to boot from CD, they don't necessarily make it easy. In order to boot from CD on many computers, you have to do (and not do) the following:

The "race condition" between starting the computer and opening the CD tray cannot be completely avoided, unless the computer is wired to allow the CD eject button to function even when the computer is on standby. However, the following design would be an improvement:

My current home computer is a Dell Inspiron, and if you press F12 after startup then it comes up with a boot menu. This boot menu does wait for a response, and thus avoids the need to edit the default boot sequence in the BIOS, so it goes some way towards solving the "race" problem.

An extra feature which should be provided in the BIOS is an option to calculate the MD5 (or SHA-1) hash of the bootable code in the CD, and display it to the user before the boot proceeds. This would give an extra level of security, especially where a Live CD image may have been downloaded and recorded to CD on a potentially insecure hard-disk booted system. (This feature could be extended to include remembering which hash values had been previously OK'd by the user for booting the system.)

10 Provide an Internet banking Live CD with every system sold In practice I have used various Linux CDs, including Ubuntu and Knoppix, to do my Internet banking. However, even these are not perfect. For example, Dell sells Inspirons with Ubuntu preloaded, but my Inspiron (which I bought with Window Vista pre-loaded) will not boot Ubuntu 7.04 unless the "irqpoll" option is added to the boot command.

No one knows if it is even possible to make a Live CD which is guaranteed to boot successfully on any Internet-capable Intel-compatible x86 computer. From an individual computer owner's point of view, a robust solution is for the computer manufacturer to include a tested Live CD when they sell the system. For large manufacturers this may include an obligation to provided updated Live CDs when security issues arise. For small manufacturers it would be better to choose a major Linux or other free OS distribution, and ensure that the customer's hardware is compatible with that standard distribution CD at the time it is built (hopefully any updates to the chosen OS would continue to work on the same hardware).

Although open source Live CDs are the most readily available, this doesn't rule out the possibility of a proprietary solution. After all, if your computer has been built to run a particular version of Microsoft Windows, then a Windows-based Live CD should be able to reliably boot and connect to the Internet. Of course the issue with proprietary software is that if software on a CD works out of the box with no configuration or licence key entry, then it is infinitely piratable. The best suggestion I can make is that the CD be provided with stripped down functionality, so that the only thing it is useful for is secure Internet banking.

Note: Security Updates for Live CDs

There is less requirement for security updates for an Internet banking Live CD, compared to, for instance, a normal personal computer operating system. In order for an attack to succeed on a Live CD-booted system, it has to happen in between the time the computer was booted and when it gets re-booted, and, unless the attacker has some special access to Internet infrastructure, it has to be an "active" attack, i.e. one based on sending unsolicited IP packets to the target system.

Because the handling of unsolicited packets is the major weak point of such a system (i.e. it is the only "untrusted data" that the system is required to handle correctly), it may be worth making the TCP/IP stack more secure by placing the code which distinguishes solicited from unsolicited packets into a separate process with limited access to other parts of the system.

Update (2013): What happened, historically, is that customers did their internet banking just like they did anything else on their computers, i.e. not very securely, and banks bent over backwards to be forgiving about any unintended account withdrawals caused by security lapses. So nobody cares about all the stuff above.
Vote for or comment on this article on Reddit or Hacker News ...