The problem with the security of Internet banking is that it depends on the
security of both client and server. It doesn't matter how secure the bank's
computer systems are, if the customer's personal computer has become "owned"
by malicious software, then their money is at risk. And unfortunately it is very difficult to maintain the security
of a modern personal computer. If you are an expert in computer security, you know
that you are only ever one mouse-click or one security hole away from allowing
someone else to control your computer. If you aren't an expert in computer security,
then the odds against you are overwhelming.
The security advice that banks give to customers on their websites
is usually along the following lines:
- Be careful which websites you access.
- Be careful opening email attachments.
- Install anti-virus software, firewall software, anti-spyware software and
don't forget to keep all your operating system software and application software
up-to-date with security patches.
But even if you follow this advice (and some of the "be careful" advice undermines
the major benefits that the Internet promises us, i.e. access to an enormous variety
of free content from anyone and everyone), you are still just one mistake away
If you do your banking on your personal computer via the Internet, trouble can
mean big trouble. When you type your password into your computer to access
your bank account online, you are giving your computer and all the software running
on it full access to that same bank account. And if your Internet banking lets you
withdraw money out of your bank account and send it to someone, then the opportunity
for criminals to quickly and easily steal money from you is just too good to be passed by.
Incredible as it may seem, there is a simple security solution built into
almost all modern personal computers, which can be used to completely prevent any malicious
software that has been installed on your computer from having any effect at all on the
computer's operation. The name of this security solution is the bootable CD drive.
Its effectiveness arises from a few basic principles of how computers work:
- Most of us turn our computers on when we want to use them, and turn them off again
when we have finished using them.
- When the power is off, the computer loses all the data in its working memory.
- Therefore, a computer must have built into it a bootstrap process which
operates when it starts up. This bootstrap process loads a simple program from a fixed
(non-writable) memory (the BIOS) built into the computer's hardware, and this program usually
then proceeds to load other software consisting of the computer's operating system (or OS), either from
a writable disk drive, or from a removeable disk drive.
- Most of the time, the drive booted off is the computer's hard drive.
- But, most modern computers have options to boot by reading boot programs from a variety
of other sources, including floppy disk drives, network cards, USB "sticks",
and, most importantly for the current discussion, CD drives.
- If you boot from a CD, and the boot programs on the CD only ever load software from
the CD, and provide no means for the user to load software from the hard disk, then there
is no possibility of any malicious software on the hard disk having any control over
the operation of the computer (until such time as you boot again from the hard disk).
Because a hard disk is a fully writeable drive, it presents a very poor security risk.
If malicious software has ever taken control of your computer, it is very likely
that it has taken the opportunity to secretly install itself onto the hard drive. This
way it will always be active and potentially have control of any aspect of your computer's
operation, even if you turn the computer off and turn it on again.
But, you can boot off some other drive. There was a time when all software was
delivered on floppy disks, and including the operating system.
Being able to boot from the floppy drive was an important component of the installation process.
Nowadays floppy drives are just too small, so we do the same thing with CDs. A standard
computer CD stores 700MB of data, against the 1.44 MB on a floppy. If you
installed Microsoft Windows or some other operating system onto your computer yourself, you
probably started the installation process by booting off an installation CD.
This may have been the only time in your life that you ever booted your computer
off a CD. And if you bought your computer with the OS pre-installed, you may never
have booted off a CD. But you could, if you wanted to, boot off a CD every time you
switched your computer on. Bootable CDs designed for this purpose are called "live CDs"
(presumably because they "come alive" when you boot from them).
There are, however, a few reasons why it is not so practical to use a CD as your regular boot disk:
- A CD drive is slower than a hard disk.
- If you need to update your operating system or applications, you have to make
(or otherwise acquire) a new CD.
- A CD does not have enough room to store all the applications that most of us
want on our computers.
- Proprietary operating systems may not have provision for creating bootable
CDs, and the vendors of such operating systems may not wish to encourage the
creation of generic bootable CDs that can be freely copied and reused on different
computers without regard to copyright.
- If a CD is to be duplicated and distributed on a large scale, then it must
contain a lot of hardware detection and/or user configuration at startup time to determine
what hardware is contained in the computer and what settings are required for that
hardware to work correctly. (When you use a bootable CD to install a new operating system,
the hardware detection and system configuration only has to happen once.)
These disadvantages can prevent us from always booting from a CD, but they may not
be such a problem for those occasions where we need to use
a computer for a task where security is more critical. For example, when we do our Internet banking.
The basis scenario or "use case" is as follows:
- You decide to do your Internet banking.
- If the computer is already on, you insert the secure live CD, otherwise
you switch it on, open the CD drive and insert the live CD.
- Any current operating system is closed down, and the computer is
rebooted (by means of a non-interceptible command, e.g. pressing the reset switch).
- The computer boots off the live CD, connects to the Internet and brings up a web browser.
- You enter a URL (or you select one from a default home page built into the CD).
- You log into your account, and perform Internet banking functions.
- You log out (not strictly necessary, since you are going to reboot soon anyway).
- You remove the CD from the drive.
- You reboot the computer, and you continue with your normal (i.e. possibly reckless
and insecure) computer usage.
Taking into account the list of issues just given, the following are corresponding desirable properties
of a bootable CD designed for Internet banking:
- The CD contains a "stripped down" operating system and a basic set of applications
with just enough functionality to get the job done. In practice this means basic
process scheduling, keyboard and screen setup, and network connectivity. For the
purpose of doing online banking, a web browser able to do HTTPS, HTML (including forms)
and CSS should be all that is needed.
- The CD is based on an open-source operating system and applications. In practice
this probably means a derivative of Linux for the operating system and Mozilla for the
web browser, although other possibilities cannot be ruled out, for example a Java-based
OS, or an OS "kit" that allows one to construct a single-application operating system.
- Hardware detection should be limited to those components that are essential to
run a web-browser, i.e. keyboard, screen and network card (or modem). Configuration
is a potentially more annoying difficulty, and there are several possible approaches to reducing
this to a bare minimum (i.e. zero). Some of the solutions to the configuration problem
will require server-side changes made to the facilities of the Internet service providers (ISPs) and
Implementing the Solution
If you go to Google, and search for "Live CD", you
will find links to many options for creating bootable CDs. Unfortunately, as at the current
date, none of these seem to be especially designed for the purpose of secure Internet banking.
So I think there needs to be a special project to create a live CD which is suitable for
the purpose of Internet banking, and which represents a serious effort to provide a
universal solution to the problem of client-side security based on the safety of booting from a CD.
Assuming that more can be achieved in the short term with maximum use and leverage
of existing technology, the following are the design features which I think are
most important in a secure Internet banking live CD that can be used by
as many banking customers as possible:
- It should be based on Linux for OS and Mozilla for web browser.
- Both of these components should be "stripped down" to remove non-essential functionality.
- ISPs should provide configuration options to reduce user-specific configuration
to zero. (A particular problem is that of static IP addresses which must typically
be set on the user's computer. In contrast to this, DHCP gives automatic configuration,
but is used in situations where IP addresses are not static. A solution might be to
provide DHCP or some similar protocol which can work even for users that have static
- Banks should make sure that their websites can work with minimal web browser functionality,
and in particular should not require the users to access their accounts with a proprietary web browser
or other proprietary software.
A purpose-designed Live CD does seem to be a practical solution to the Internet banking
security problem, and is certainly better than the "always be careful when surfing" advice
given on banking websites. But it will not be an absolute guarantee of impregnable security,
and there are a number of issues that need to be considered by those recommending such
a solution, and which may require changes to its design:
- Not all Internet banking operations need to be made completely secure. Just browsing
bank statements is not as security-critical as being able to transfer money to someone else's
bank account in Switzerland. Banks should offer users multiple sub-accounts with different
capability levels. This reduces user temptation to not be bothered going through the cycle of
reboot, wait, log in, do stuff, finish, reboot and wait again.
- Users might forget to boot from the live CD before doing their Internet banking, or they
might forget not to use it when doing other things. This could be prevented by
putting special information on the live CD (a secondary password) which must be sent to the
bank website by the customer's web browser before before the website will grant access to
the more security-critical features of their account. And to prevent other computer useage
(which might increase the risk of break-in by malicious software), the web-browser could
contain a "white list" of known banks, in effect preventing accidental surfing to other
web sites. A general lack of other functionality on the live CD would be enough to discourage
the use of the CD-booted OS for anything else.
- Users might wish to print out a record of what they have done online. Accessing printers
increases required boot time (although this could be deferred until something actually
needs to be printed). One possible solution comes back to separation between security-critical
and non-security-critical functionality: printing records of transactions performed could
be done by access to a read-only sub-account.
- CDs are not necessarily read-only. This could be a non-trivial security issue. The easiest
way to make a live CD is to download a ISO image and burn it to a CD-R. Although normal
CD software will not permit rewriting of a CD-R, it is somewhat less certain as to whether
malicious software is prevented from doing this. This is potentially a problem if the user
ever inserts the secure live CD into the drive while the computer is in an insecure state
(i.e. booted normally from the hard disk). Typically CD writing software will not write
to closed sessions or to a closed disk, but I do not know if this is enforced in
the hardware or if it is only enforced in the software. (If you the reader know something
about this, please tell me.)
- Computer compromises are caused by security holes, and even the software on a live CD
is likely to contain bugs, some of which will be security holes. The ability to exploit
such holes is much more limited than when the system is booted from a writable hard drive, because
whoever or whatever manages to break in to a
live-CD-booted system must take advantage of the break-in immediately, before the user completes
their banking activity and reboots again. The number of opportunities to break in is also
much reduced. The user will not be installing any new software while doing their Internet
banking, which leaves only security attacks based on the processing of untrusted data.
Given that an Internet banking user only accesses known and trusted websites, the only possible
source of malicious data is either raw IP packets, or something very tricky in the account
detail itself (like a maliciously crafted cheque number).
- To deal with this limited threat, it may be necessary to occasionally update a recommended
secure live CD. If these are provided as commercially duplicated CDs distributed by the banks,
then the banks will need to notify their customers of the need for updates (which may involve
the live CD sending the website version information which the website can check before giving
the user access to their account). If an update is needed, the customer might have to physically
travel to their local bank office to pick up a new CD.
- For most computer users, a live CD is a more robust solution for the security of Internet banking
than any other practical alternative.
- If you are keen, you can make yourself a live CD right now from some suitable Linux distribution,
and boot from it when you need a secure client for Internet banking.
- More work needs to be done to provide and maintain a solution that is suitable for
the vast majority of less sophisticated computer users.
Update (2013): What happened, historically, is that customers did their internet banking
just like they did anything else on their computers, i.e. not very securely,
and banks bent over backwards to be forgiving about
any unintended account withdrawals caused by security lapses. So nobody cares about all the stuff above.