The Problem
The problem with the security of Internet banking is that it depends on the
security of both client and server. It doesn't matter how secure the bank's
computer systems are, if the customer's personal computer has become "owned"
by malicious software, then their money is at risk. And unfortunately it is very difficult to maintain the security
of a modern personal computer. If you are an expert in computer security, you know
that you are only ever one mouse-click or one security hole away from allowing
someone else to control your computer. If you aren't an expert in computer security,
then the odds against you are overwhelming.
The security advice that banks give to customers on their websites
is usually along the following lines:
- Be careful which websites you access.
- Be careful opening email attachments.
- Install anti-virus software, firewall software, anti-spyware software and
don't forget to keep all your operating system software and application software
up-to-date with security patches.
But even if you follow this advice (and some of the "be careful" advice undermines
the major benefits that the Internet promises us, i.e. access to an enormous variety
of free content from anyone and everyone), you are still just one mistake away
from trouble.
If you do your banking on your personal computer via the Internet, trouble can
mean big trouble. When you type your password into your computer to access
your bank account online, you are giving your computer and all the software running
on it full access to that same bank account. And if your Internet banking lets you
withdraw money out of your bank account and send it to someone, then the opportunity
for criminals to quickly and easily steal money from you is just too good to be passed by.
The Solution
Incredible as it may seem, there is a simple security solution built into
almost all modern personal computers, which can be used to prevent any malicious
software that has been installed on your hard disk from running at all during the
session. The name of this security solution is the bootable CD drive.
Its effectiveness arises from a few basic principles of how computers work:
- Most of us turn our computers on when we want to use them, and turn them off again
when we have finished using them.
- When the power is off, the computer loses all the data in its working memory.
- Therefore, a computer must have built into it a bootstrap process which
operates when it starts up. This bootstrap process runs a small program stored in
firmware on the motherboard (the BIOS), which is not written to in normal use, and this program
then loads the rest of the software, i.e. the computer's operating system (or OS), either from
the hard disk or from a removable drive.
- Most of the time, the drive booted off is the computer's hard drive.
- But, most modern computers have options to boot by reading boot programs from a variety
of other sources, including floppy disk drives, network cards, USB "sticks",
and, most importantly for the current discussion, CD drives.
- If you boot from a CD, and the boot programs on the CD only ever load software from
the CD, and provide no means for the user to load software from the hard disk, then there
is no possibility of any malicious software on the hard disk having any control over
the operation of the computer (until such time as you boot again from the hard disk).
Because a hard disk is a fully writeable drive, it presents a serious security risk.
If malicious software has ever taken control of your computer, it is very likely
that it has taken the opportunity to secretly install itself onto the hard drive. This
way it will always be active and potentially have control of any aspect of your computer's
operation, even if you turn the computer off and turn it on again.
But, you can boot off some other drive. There was a time when all software was
delivered on floppy disks, including the operating system.
Being able to boot from the floppy drive was an important component of the installation process.
Nowadays floppy disks are just too small, so we do the same thing with CDs. A standard
computer CD stores 700MB of data, against the 1.44 MB on a floppy. If you
installed Microsoft Windows or some other operating system onto your computer yourself, you
probably started the installation process by booting off an installation CD.
This may have been the only time in your life that you ever booted your computer
off a CD. And if you bought your computer with the OS pre-installed, you may never
have booted off a CD. But you could, if you wanted to, boot off a CD every time you
switched your computer on. Bootable CDs designed for this purpose are called "live CDs"
(presumably because they "come alive" when you boot from them).
There are, however, a few reasons why it is not so practical to use a CD as your regular boot disk:
- A CD drive is slower than a hard disk.
- If you need to update your operating system or applications, you have to make
(or otherwise acquire) a new CD.
- A CD does not have enough room to store all the applications that most of us
want on our computers.
- Proprietary operating systems may not have provision for creating bootable
CDs, and the vendors of such operating systems may not wish to encourage the
creation of generic bootable CDs that can be freely copied and reused on different
computers without regard to copyright.
- If a CD is to be duplicated and distributed on a large scale, then it must
contain a lot of hardware detection and/or user configuration at startup time to determine
what hardware is contained in the computer and what settings are required for that
hardware to work correctly. (When you use a bootable CD to install a new operating system,
the hardware detection and system configuration only has to happen once.)
These disadvantages can prevent us from always booting from a CD, but they may not
be such a problem for those occasions where we need to use
a computer for a task where security is more critical. For example, when we do our Internet banking.
The basic scenario or "use case" is as follows:
- You decide to do your Internet banking.
- If the computer is already on, you insert the secure live CD, otherwise
you switch it on, open the CD drive and insert the live CD.
- Any current operating system is closed down, and the computer is
rebooted (by means of a non-interceptible command, e.g. pressing the reset switch).
- The computer boots off the live CD, connects to the Internet and brings up a web browser.
- You enter a URL (or you select one from a default home page built into the CD).
- You log into your account, and perform Internet banking functions.
- You log out (not strictly necessary, since you are going to reboot soon anyway).
- You remove the CD from the drive.
- You reboot the computer, and you continue with your normal (i.e. possibly reckless
and insecure) computer usage.
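The use case above, like the list of boot principles before it, assumes that once the CD has booted the hard disk plays no part in the session. The script below is an added example (not code from the original page) of how a live CD could check this at boot time, before the browser is started: it parses the kernel's mount and swap tables in /proc/mounts and /proc/swaps format and reports any mount from a fixed disk, any writable filesystem that would persist across a reboot, and any swap area on a fixed disk (swap matters because the session's memory, passwords included, would otherwise be paged out onto the very disk the malware lives on). The sample tables are constructed for the example; the device-name pattern and the list of volatile filesystems are assumptions about a typical Linux live CD.

```python
"""Boot-time sanity check for a live-CD banking session (added example).

Reads /proc/mounts- and /proc/swaps-style text and reports anything that
gives the hard disk a role in the session.  The sample tables at the
bottom are constructed for this example.
"""
import re
from typing import List

# Device names of fixed disks (assumption: a pure CD live system never needs
# them).  USB sticks also show up as /dev/sd*, and that is intended: a stick
# is writable, persistent storage too.
FIXED_DISK = re.compile(r"^/dev/(sd[a-z]|hd[a-z]|vd[a-z]|nvme\d+n\d+|md\d+|mapper/)")

# RAM-backed or kernel pseudo-filesystems: writable, but nothing written to
# them survives power-off, which is the property the live CD relies on.
VOLATILE_FS = {"tmpfs", "ramfs", "proc", "sysfs", "devtmpfs", "devpts",
               "overlay", "aufs", "cgroup", "cgroup2", "securityfs", "mqueue"}


def audit_mounts(proc_mounts: str) -> List[str]:
    """Return a list of problems found in /proc/mounts-style text."""
    problems = []
    for line in proc_mounts.splitlines():
        if not line.strip():
            continue
        device, mountpoint, fstype, options = line.split()[:4]
        opts = set(options.split(","))
        if FIXED_DISK.match(device):
            problems.append(f"{mountpoint}: mounted from fixed disk {device}")
        elif "rw" in opts and fstype not in VOLATILE_FS:
            problems.append(f"{mountpoint}: writable {fstype} on {device}")
    return problems


def audit_swaps(proc_swaps: str) -> List[str]:
    """Return a list of swap areas on fixed disks from /proc/swaps-style text."""
    problems = []
    for line in proc_swaps.splitlines()[1:]:      # first line is the header
        if not line.strip():
            continue
        device = line.split()[0]
        if FIXED_DISK.match(device):
            problems.append(f"swap on fixed disk {device}")
    return problems


def session_is_clean(proc_mounts: str, proc_swaps: str) -> bool:
    """True when neither table gives the hard disk any role in the session."""
    return not audit_mounts(proc_mounts) and not audit_swaps(proc_swaps)


# Constructed sample: a well-behaved live CD (compressed image on a loop
# device, changes kept in an overlay whose upper layer is tmpfs).
GOOD_MOUNTS = """\
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/loop0 /rofs squashfs ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/rofs,upperdir=/cow/upper,workdir=/cow/work 0 0
tmpfs /cow tmpfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed sample: a live system that has quietly pulled in the hard disk
# (the installed Windows partition is mounted and its swap is in use).
BAD_MOUNTS = GOOD_MOUNTS + "/dev/sda1 /media/windows ntfs rw,relatime 0 0\n"
BAD_SWAPS = """\
Filename                Type        Size    Used    Priority
/dev/sda2               partition   2097148 0       -2
"""

if __name__ == "__main__":
    # On a real live CD read the live tables instead of the samples:
    #   open("/proc/mounts").read()  and  open("/proc/swaps").read()
    for name, mounts, swaps in (("good", GOOD_MOUNTS, ""), ("bad", BAD_MOUNTS, BAD_SWAPS)):
        print(name, "clean" if session_is_clean(mounts, swaps) else "NOT clean")
        for problem in audit_mounts(mounts) + audit_swaps(swaps):
            print("   ", problem)
```

If the check fails, the sensible response is to refuse to start the browser and tell the user to reboot, rather than to unmount and carry on: a hard disk that was mounted at all means the boot media did something the design says it must never do.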
Taking into account the list of issues just given, the following are corresponding desirable properties
of a bootable CD designed for Internet banking:
- The CD contains a "stripped down" operating system and a basic set of applications
with just enough functionality to get the job done. In practice this means basic
process scheduling, keyboard and screen setup, and network connectivity. For the
purpose of doing online banking, a web browser able to do HTTPS, HTML (including forms)
and CSS should be all that is needed.
- The CD is based on an open-source operating system and applications. In practice
this probably means a derivative of Linux for the operating system and Mozilla for the
web browser, although other possibilities cannot be ruled out, for example a Java-based
OS, or an OS "kit" that allows one to construct a single-application operating system.
- Hardware detection should be limited to those components that are essential to
run a web-browser, i.e. keyboard, screen and network card (or modem). Configuration
is a potentially more annoying difficulty, and there are several possible approaches to reducing
this to a bare minimum (i.e. zero). Some of the solutions to the configuration problem
will require server-side changes made to the facilities of the Internet service providers (ISPs) and
the banks.
Implementing the Solution
If you go to Google, and search for "Live CD", you
will find links to many options for creating bootable CDs. Unfortunately, as at the current
date, none of these seem to be especially designed for the purpose of secure Internet banking.
So I think there needs to be a special project to create a live CD which is suitable for
the purpose of Internet banking, and which represents a serious effort to provide a
universal solution to the problem of client-side security based on the safety of booting from a CD.
Assuming that more can be achieved in the short term with maximum use and leverage
of existing technology, the following are the design features which I think are
most important in a secure Internet banking live CD that can be used by
as many banking customers as possible:
- It should be based on Linux for OS and Mozilla for web browser.
- Both of these components should be "stripped down" to remove non-essential functionality.
- ISPs should provide configuration options to reduce user-specific configuration
to zero. (A particular problem is that of static IP addresses, which must typically
be set by hand on the user's computer. DHCP, by contrast, configures the address automatically,
but is usually only offered where addresses are not static. DHCP can in fact do both: the ISP
can reserve the customer's fixed address against the hardware address of their modem or
network card, so that the live CD simply asks for an address and always gets the same one.)
- Banks should make sure that their websites can work with minimal web browser functionality,
and in particular should not require the users to access their accounts with a proprietary web browser
or other proprietary software.
Issues
A purpose-designed Live CD does seem to be a practical solution to the Internet banking
security problem, and is certainly better than the "always be careful when surfing" advice
given on banking websites. But it will not be an absolute guarantee of impregnable security,
and there are a number of issues that need to be considered by those recommending such
a solution, and which may require changes to its design:
- Not all Internet banking operations need to be made completely secure. Just browsing
bank statements is not as security-critical as being able to transfer money to someone else's
bank account in Switzerland. Banks should offer users multiple sub-accounts with different
capability levels. This reduces the temptation for users to skip the cycle of
reboot, wait, log in, do stuff, finish, reboot and wait again.
- Users might forget to boot from the live CD before doing their Internet banking, or they
might forget not to use it when doing other things. The first could be prevented by
putting special information on the live CD (a secondary password) which must be sent to the
bank website by the customer's web browser before the website will grant access to
the more security-critical features of their account. (If the CD is mass-produced, every customer
shares this secret, so it proves only that a genuine CD of a known version is in use, not who the
user is; the customer's own login still has to do that. And since anything on a CD-R can be copied
by malware if the disc is ever inserted into a normally booted machine, the bank should challenge
the CD to prove it holds the secret rather than accept the bare value.) To prevent other computer usage
(which might increase the risk of break-in by malicious software), the web browser could
contain a "white list" of known banks, in effect preventing accidental surfing to other
web sites. A general lack of other functionality on the live CD would be enough to discourage
the use of the CD-booted OS for anything else.
- Users might wish to print out a record of what they have done online. Accessing printers
increases required boot time (although this could be deferred until something actually
needs to be printed). One possible solution comes back to separation between security-critical
and non-security-critical functionality: printing records of transactions performed could
be done by access to a read-only sub-account.
- CDs are not necessarily read-only. This could be a non-trivial security issue. The easiest
way to make a live CD is to download an ISO image and burn it to a CD-R. Although normal
CD software will not permit rewriting of a CD-R, it is somewhat less certain as to whether
malicious software is prevented from doing this. This is potentially a problem if the user
ever inserts the secure live CD into the drive while the computer is in an insecure state
(i.e. booted normally from the hard disk). Typically CD writing software will not write
to closed sessions or to a closed disk, but I do not know if this is enforced in
the hardware or if it is only enforced in the software. (If you the reader know something
about this, please tell me.) Two precautions cost nothing either way: close ("finalize") the disc
when burning it, so that the lead-out is written and no free space is left for a further session,
and never put the banking CD into the drive of a normally booted machine, as much because it
could be copied as because it could be written.
- Computer compromises are caused by security holes, and even the software on a live CD
is likely to contain bugs, some of which will be security holes. The ability to exploit
such holes is much more limited than when the system is booted from a writable hard drive, because
whoever or whatever manages to break in to a
live-CD-booted system must take advantage of the break-in immediately, before the user completes
their banking activity and reboots again. The number of opportunities to break in is also
much reduced. The user will not be installing any new software while doing their Internet
banking, which leaves only security attacks based on the processing of untrusted data.
Given that an Internet banking user only accesses known and trusted websites, untrusted data can
still arrive in two ways: from the network itself (raw IP packets, DNS answers and the TLS handshake,
which is why the browser must properly check the bank's certificate, or an attacker on the path could
stand in for the bank), or in the account detail served by the bank itself (like a maliciously
crafted payee name or cheque number).
- To deal with this limited threat, it may be necessary to occasionally update a recommended
secure live CD. If these are provided as commercially duplicated CDs distributed by the banks,
then the banks will need to notify their customers of the need for updates (which may involve
the live CD sending the website version information which the website can check before giving
the user access to their account). If an update is needed, the customer might have to physically
travel to their local bank office to pick up a new CD.
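Several of the issues above are decided at login: whether the session is on a genuine, current live CD, which tier of the account it may therefore use, and, on the CD side, where the browser is allowed to go at all. The code below is an added example of both halves, not part of the original page or of any bank's system. The page only says that "special information" on the CD must be sent to the bank; the HMAC challenge-response used here to carry it, and all the hostnames, secrets and version numbers, are invented for the example. It also shows why the whitelist has to compare the parsed host name rather than look for the bank's name anywhere in the URL.

```python
"""Added example: live-CD whitelist and bank-side tier decision.

All hostnames, secrets and version numbers are invented for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# ---- live-CD side: where may the browser go? ----
BANK_HOSTS = {"www.examplebank.test", "online.examplebank.test"}   # invented


def naive_url_allowed(url: str) -> bool:
    """The tempting substring check.  It is wrong; compare url_allowed."""
    return any(host in url for host in BANK_HOSTS)


def url_allowed(url: str) -> bool:
    """Allow only https:// URLs whose host is exactly one of BANK_HOSTS.

    urlsplit().hostname discards userinfo ("user@"), the port and the
    brackets of an IPv6 literal and lower-cases the name, so
    https://www.examplebank.test@evil.test/ resolves to evil.test, and
    www.examplebank.test.evil.test is simply not in the set.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:              # malformed netloc, e.g. a bad IPv6 literal
        return False
    return parts.scheme == "https" and host is not None and host in BANK_HOSTS


# ---- the CD's "secondary password" as a challenge-response ----
# On a mass-produced CD every customer shares this secret, so a valid proof
# says "a genuine CD of version N is booted", not who the user is; the
# customer's own login still does that.  The bank keeps one secret per
# version it has ever issued so that it can recognise stale CDs.
CURRENT_VERSION = 3                                                  # invented
SECRET_BY_VERSION = {2: b"example-secret-v2", 3: b"example-secret-v3"}  # invented


def client_proof(nonce: bytes, version: int, secret: bytes) -> bytes:
    """What the live-CD browser sends back: HMAC-SHA256 over the bank's
    fresh nonce and the CD version.  The secret itself never leaves the CD."""
    return hmac.new(secret, nonce + version.to_bytes(2, "big"),
                    hashlib.sha256).digest()


def server_tier(nonce: bytes, claimed_version: int,
                proof: Optional[bytes]) -> str:
    """Bank side: which sub-account may this session use?

    'read-only'        no CD, unknown version, or bad proof
    'read-only+update' genuine but outdated CD: tell the customer to get a new one
    'full'             genuine, current CD
    """
    if proof is None:
        return "read-only"
    secret = SECRET_BY_VERSION.get(claimed_version)
    if secret is None:
        return "read-only"
    expected = client_proof(nonce, claimed_version, secret)
    if not hmac.compare_digest(expected, proof):     # constant-time compare
        return "read-only"
    if claimed_version < CURRENT_VERSION:
        return "read-only+update"
    return "full"


def login_exchange(cd_version: int, cd_secret: bytes) -> str:
    """One login: the bank issues a fresh nonce, the CD answers, the bank decides."""
    nonce = secrets.token_bytes(16)
    proof = client_proof(nonce, cd_version, cd_secret)
    return server_tier(nonce, cd_version, proof)


if __name__ == "__main__":
    for url in ("https://www.examplebank.test/login",
                "https://www.examplebank.test@evil.test/login",
                "http://www.examplebank.test/login"):
        print(f"{url:48} naive={naive_url_allowed(url)} strict={url_allowed(url)}")
    print("current CD :", login_exchange(3, SECRET_BY_VERSION[3]))
    print("old CD     :", login_exchange(2, SECRET_BY_VERSION[2]))
    print("no CD      :", server_tier(secrets.token_bytes(16), 3, None))
```

Because the nonce is fresh for every login, a proof captured once (say, by the malware that was running when the disc was last in a normally booted machine) is useless against a later challenge; what the shared secret cannot do is distinguish one customer's CD from another's, so it gates the tier of access and nothing more.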
Conclusion
- For most computer users, a live CD is a more robust solution for the security of Internet banking
than any other practical alternative.
- If you are keen, you can make yourself a live CD right now from some suitable Linux distribution,
and boot from it when you need a secure client for Internet banking.
- More work needs to be done to provide and maintain a solution that is suitable for
the vast majority of less sophisticated computer users.
Update (2013): What happened, historically, is that customers did their internet banking
just like they did anything else on their computers, i.e. not very securely,
and banks bent over backwards to be forgiving about
any unintended account withdrawals caused by security lapses. So nobody cares about all the stuff above.