
E-Banking on a Locked Down PC, Part II

A pair of Security Fix blog posts last week urging businesses to consider using something other than Microsoft Windows when banking online elicited strong reactions from readers. Most said they thought it was a fresh perspective and sound advice, while others criticized me for going too far or for failing to recommend less drastic alternatives.

Let me be clear: The advice was aimed not at consumers, but at small to mid-sized companies that may not have a full-time IT/security staff, and who rely on one or two people to handle their bank accounts and payroll online.

That said, I wanted to respond to a couple of specific alternatives suggested by readers, because I felt they fell short of the level of security that these companies need to avoid becoming the next victim.


For example, some readers emphasized the importance of ensuring that employees' Windows computers are running under a limited user account that does not have the ability to install software or alter critical system settings. This so-called least-privilege principle is foundational in the field of computer security, as it can defeat many malicious software attacks. Indeed, I recommend the approach so frequently that if you Google for the term "limited user" you will see my column as the first entry.

Still, a number of today's more advanced threats -- including the Zeus Trojan, a sophisticated family of malware most commonly associated with these attacks against small businesses -- will just as happily run on a limited user account as on an administrator account in Windows.

Likewise, purchasing a cheap Windows netbook that is used only to access the company's bank Web site is a nice start, but one of the most common malware families associated with these attacks I've written about -- the Clampi Trojan -- spreads quite easily among Windows systems over a company's internal network. My advice was aimed at providing a no-cost solution for small to mid-sized businesses, but if these firms are going to purchase anything with a mind toward offering their controller or payroll administrator a safer computing option, they should probably splurge and get a Mac.

Since this series began, I have been flooded with pitches from companies providing all manner of security products and services aimed at securing the online banking site from the user's end. But in my opinion, most of these approaches come up short, erecting yet another hoop for the user (and the bad guys) to jump through.

From where I sit, any solution that fails to assume that a customer's system is already completely owned by the bad guys doesn't have a prayer of outsmarting today's threats. I find it strange that so few security companies are talking about what appears to be a clear demand for better back-end fraud detection technologies by many of the nation's banks (more on this topic in a future column).

It's also interesting to see that there are still people in the financial or security industry touting security tokens as the answer to this type of fraud. In break-in after break-in, the perpetrators have shown their ability to slip past virtually all of the customer-dependent security barriers erected by online banks (e.g., passwords, secret questions, and token-generated one-time codes).


I discovered the latest example of this failure just last week, when I spoke with Genlabs Corp., a chemical manufacturing firm based in Chino, Calif. Even though Genlabs' business banking account was protected by a security token code and a password, the thieves still were able to break into the firm's account online and transfer $437,000 to 50 different co-conspirators around the country.

Joyce Nicola, Genlabs' controller, said the thieves infected a PC belonging to a subordinate who was helping to set up new payroll accounts for the company. Normally, Nicola said, when they log in to their account at the bank, the site asks for a user name on one page, then the next page requests a password, and a third and final page requires the user to type in the output from a key fob that generates a new six-digit number every 60 seconds. When the employee logged in to the bank's site on the morning of the 16th, all three of those fields were instead present on the bank's home page.

A local computer forensics expert later determined that an infection from the "Zbot Trojan" (a.k.a. "Zeus") had allowed the attackers to rewrite the bank's login screen as displayed on the employee's computer, so that the credentials were intercepted before they could be sent on to the bank's actual Web site. Because the page is altered inside the infected PC's browser, after the bank's HTTPS response has already been decrypted, the address bar and padlock look exactly as they should. The technician's report on the Zeus infection -- available here (PDF) -- is worth reading, particularly points 5 and 6, which noted that the infection could not be diagnosed from within Windows.

To date, Genlabs has succeeded in reversing just $48,000 worth of fraudulent transfers, Nicola said.

By Brian Krebs  |  October 20, 2009; 2:00 PM ET
Categories:  From the Bunker , Safety Tips , Small Business Victims  | Tags: ach fraud, clampi, genlabs, zbot, zeus  


People don't get it, Brian. Bruce Schneier pointed out that tokens could be circumvented by trojans over 4 years ago. Having a Linux PC or a Mac and using it only for banking transactions should be seen as insurance. A computer can be charged off as a business expense and $2000 for a Mac is a great insurance policy if it keeps your firm from losing money. The examples you cite show that the losses are staggering to small businesses and governments. That banks are not liable for business and government customers' losses is a travesty since the taxpayer essentially made up many banks' losses this past year. The laws should be changed so that banks must monitor bank account transactions like they do credit card transactions. It shouldn't be that hard to port the software they use over. Until that happens though, people have to watch out for themselves. That means that one should not try to make an insecure computer such as a Windows PC secure. We've been trying to secure that platform for over 15 years with little to show for it security-wise. Use a live CD or buy a Mac and let some other ignorant soul learn the hard way about protecting his business bank account.

Posted by: jbmoore61 | October 20, 2009 2:48 PM | Report abuse

Outstanding article, well thought out and factual. I now recommend as you do Linux (Ubuntu) live CDs for online banking.

For Home as well as Business.

Posted by: n3ujj | October 20, 2009 2:49 PM | Report abuse

Ubuntu runs on computers that many businesses and homes would cast aside as being too slow.

Just install it on such a computer and it will be plenty fast for running a web browser which is all it should be doing.

Installation is very easy so long as the hard drive has about 20 gig. I suspect it will run on less.

Unless there is a virus which you can get from the banking site or it comes in on an update from ubuntu, it should be all but impossible to get any virus or trojan. Just make sure that you don't go anywhere else.

I did break the above rule once...I went to to find a wallpaper that was not ORANGE-RED!

Posted by: eteonline | October 20, 2009 4:03 PM | Report abuse

Brian, agree with you 100 % - the solution you mention for banking online, booting from a Linux CD, seems far superior to the various alternatives proposed. I suggest, moreover, that this solution is equally applicable to users at home as it is to businesses....


Posted by: mhenriday | October 20, 2009 4:06 PM | Report abuse

The expert's report mentions 'Browser activity is monitored for multiple ".fi"~ ".ch"~ ".de"~ ".nl" and ".com" bank URL addresses'.

I'd be interested to know what banks are being targeted by this kind of virus - and publication may also be a wake-up call for those banks.

Posted by: nl01 | October 20, 2009 4:41 PM | Report abuse

Nice article.

Posted by: dward__ | October 20, 2009 4:49 PM | Report abuse

The problem is that businesses don't read this kind of information. I mean, the recommendations of Brian are perfectly OK, but is the message reaching the right people? If online transactions cannot be secured, should there be a law to stop online banking at all? It's radical, but as the problem grows and grows, are we going to let businesses and people lose their money while they try to prove that the cause was a Trojan?

Posted by: FaustoCG | October 20, 2009 5:30 PM | Report abuse

One question about using a LiveCD to boot up to do online banking: would the staleness of the versions of the OS and browser software on the LiveCD pose any security risk?

Posted by: tuber | October 20, 2009 5:32 PM | Report abuse

If you get a $2000 safeguard policy by purchasing a Mac - then why in the name of all that is not yet lobotomised would you ever want to go back to that 'other' system ever again? Mind-boggling what people cling not to attractive things but hopeless lacklustre third rate things.

Bk: awesome work. Again.

Posted by: Rixstep | October 20, 2009 7:08 PM | Report abuse

Rixstep: Completely switching over to Mac might not be an option for all businesses. And before you make the Parallels argument, if you get in the habit of using virtualized Windows you're throwing your security out the window again while clinging to a false sense of security.

Also, if you turn the Mac (or Linux) system into your main workstation, the same browsing activities and other wetware security holes that allowed your Windows system to get infected could put your Mac (or Linux) system at risk. It's just a hypothetical at this point, but as "the web" becomes the platform du jour we will see more inherently cross-platform attacks against the browser rather than the OS.

@tuber: If you only use the system for banking and shut it down when it's not in use (especially between uses), the risk of exploits in older versions should be insignificant.

Posted by: dragonwisard | October 20, 2009 10:49 PM | Report abuse

"The technician's report on the Zeus infection -- available here (PDF) -- is worth reading, particularly points 5 and 6, which noted that the infection could not be diagnosed from within Windows."

Have to nitpick -- it's definitely possible to spot a Zeus infection from within Windows once one knows what to look for, especially when compared to some of the nastier kernel rootkits. Saying that (knowing where to look) is often a cop-out statement, as malware changes file names, locations, other "meta data" (like Clampi); however, Zeus's modus operandi in this area is pretty static. The situation is indicative of the bad guys' assessment of their primary detection threat -- file signature based scanning; however, the "fingerprints" of Zeus infections can be seen in the Registry, in memory, and in network activity, if not looking for discrepancies in the file system. It's also possible to cleanup Zeus from within Windows; however, "reformat and reinstall" is the consensus answer because it's much more difficult to screw up than rummaging around in the Registry and on the hard drive (or, put another way, reinstall "scales" well, manual cleanup doesn't).

Posted by: philipsloss | October 21, 2009 7:50 AM | Report abuse

I converted an old WIN-98 machine to use the ubuntu live CD - works fine.
I am confused: if the "small to midsize companies" should do this, why should not everyone (home user) do this? are we not just as vulnerable?

Posted by: B1nm90 | October 21, 2009 10:39 AM | Report abuse

Though I am a security vendor, I agree with what Brian has written and with that of many of the other posters regarding the merits of Live CD employment, and with dealing with the presumption of an already compromised computer.

Our computer protection products are preventative in nature. That's in large part because malware detection, from a practical perspective (important distinction), will NEVER be 100% effective. Once a computer is "rooted", malware detection is like asking a politician if he's honest and candid. A tool that operates without the subject OS running can detect a 3rd generation toolkit, but still detection is not guaranteed. Re-imaging is far and away the most practical response to the uncertainty of a computer's integrity.

Once re-imaged, products like our AppGuard, as well as other zero-day protections from other vendors, can provide a very effective defense, and some of these products do so with practically no CPU overhead or user-prompts. And some of these products are ridiculously easy to deploy and maintain.

So, as I boast of my company's product's capabilities, particularly with respect to those from the big vendors, we do NOT claim to offer perfect protection. In fact, like other vendors, our greatest vulnerability lies in socially engineered attacks where end-users are tricked into suspending our product's protection. That is why we recommend to our customers that they identify high-risk employees (such as finance folk) and deny them such discretions and to make certain that those folk get very timely IT support to compensate.

I've talked with finance folk from small businesses about the Live CD approach. All of them have acknowledged its value. But, all of them also cited significant inconveniences it poses as well. In sum, they have other client software applications that require the transaction data from their online banking transactions. I'm still trying to develop a better understanding of their workflow challenges and hope to write something up soon. For those folk, who prefer NOT to use a Live CD for such reasons, I've recommended to their IT support that they re-image the computers, lock-down some computer settings, isolate these computers from the rest of the LAN as much as practical, and yes, install one of our products to protect the computers from what signature-based defenses miss routinely. And part of that product deployment calls for using the ‘privacy mode’ feature to protect confidential documents from potentially compromised software applications.

It’ll be interesting to see how enterprise shifting toward cloud computing affects the workflow of finance personnel. When done with consideration for endpoint security (e.g., site-locked web browsing), a Live CD, Thin Client Computer (network computer), or other “stateless” environments may face fewer hurdles to wide-spread adoption.

Say Brian, did you read that white paper yet? If not, there’s a newer version.


Eirik Iverson

Posted by: eiverson1 | October 21, 2009 11:13 AM | Report abuse

I'd very much like to implement this in our organization; however, our network and desktop managers feel that a dedicated machine running a non-standard operating system (non-standard to them being anything that isn't Windows XP) is unnecessary, as the anti-virus software and web filters will catch all the bad stuff.

I need evidence to support my claim that AV is not the be-all/end-all solution and that these root kits are constantly slipping through the cracks, where our only notice of eventual infection is wholly dependent on the AV vendor acquiring a signature that can detect this, at which point, in most situations, it is already too late, putting us on a reactive rather than proactive footing. This is unacceptable when the CEO calls asking the CIO why our online bank account is missing 50 million dollars and, if due to a rootkit, why we didn't do anything to PREVENT this rather than just waiting to REACT to it.

The other thing I need to battle is the response of "oh well, we won't give them an Ubuntu netbook but we'll just slap a thin client on their desk and we can control their desktop environment centrally". The thin client would still be Windows based, but why would this still be a bad solution?


Posted by: user099 | October 21, 2009 12:10 PM | Report abuse

As a security software vendor that offers products that benefit from the acceptance of the assertion that signature-based and other technologies are limited to preventing infestations by previously discovered and documented malware, I have a financial conflict of interest, from an enterprise or potential customer perspective. Ultimately, you need to hear from others like Brian who do NOT have such a financial interest.

Meanwhile, I’ll refer you to a blog post I wrote:

The folks from Secunia, not a computer protection vendor, tested the premise by creating their own malware and testing the ability of signature-based products to detect it. This approach, while not without some flaws (noted in the above blog post), differs from nearly all other independent lab tests, which use previously detected malware samples for testing, albeit detected via analysis of honeypots. Rigorously analyzed honeypots are limited in their discovery to what they encounter, btw. If you’ve never been robbed or mugged, does that mean there are no such criminals out there? Yes, that’s a bit of a self- or premise-serving comment but I think the point is still valid.

Another angle to consider in testing this premise is that of the difficulty and cost of testing zero-day protection products. One cannot simply scan a folder full of samples. Instead, one must allow those samples to be consumed/processed by the software applications and components that they are designed to target. For example, a tainted PDF document would need to be opened by say Adobe Acrobat Reader so that the zero-day products/features can either succeed or fail at preventing a malware infection. Conducting such tests properly is considerably more tedious and time-consuming than mere signature-based detection tests.

Again, seek the inputs of independent folk such as Brian and others.


Eirik Iverson

Posted by: eiverson1 | October 21, 2009 12:58 PM | Report abuse

Hi, Brian. I have long argued that the only way to do online banking securely is to do the transactions on a separate non-programmable device. If you had a serial-numbered dongle with a two-line screen, a pair of buttons for yes/no, and a USB connector, the user sets up the transaction on the PC as normal, then the bank establishes a cryptographically secure connection to the dongle and checks the serial number to be sure it's the right one, displays the transaction on the dongle's screen, and the user says yes or no. This means no matter what lies the malware is showing on the PC's screen, the real transaction shows up on the dongle, because SSL-style crypto is good enough that you can trust that what went in at the bank's end is what came out at the dongle's end. Alternatively the PC could set up the transaction and the dongle could sign it if the user approves, somewhat like chip+pin credit cards do.

My bank already sends me a keyfob with a screen and a button for free, so I wouldn't expect the device that I described to be prohibitively expensive, and it should work with people's existing PCs and operating systems.

Posted by: johnlevine | October 21, 2009 1:00 PM | Report abuse
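To make concrete why the token code in the Genlabs case could be captured and relayed, while the transaction-signing dongle johnlevine describes above would hold up, here is an added example; it is not code from Security Fix, from the bank, or from any vendor in this thread. It simulates both flows with constructed data: a key fob producing a six-digit code every 60 seconds (RFC 4226 HOTP driven by a time counter), the bank's login check, a man-in-the-browser trojan that lifts user name, password and fob code from an injected single-page form, and a separate signing device that shows the transaction on its own screen and MACs exactly what it showed. The HMAC keys, the `acct-` identifiers, the password and the 20-second replay delay are all assumptions made for the demonstration.

```python
"""Simulation: one-time login codes versus transaction signing on a separate device.

All secrets, accounts and amounts below are constructed for this example.
"""
import hashlib
import hmac
import struct

# Constructed secrets; a real fob or dongle would keep these in hardware.
FOB_SECRET = b"example-key-fob-seed"
DONGLE_SECRET = b"example-signing-dongle-seed"
USER, PASSWORD = "payroll_clerk", "correct horse battery"
MULE_ACCOUNT = "acct-mule-0001"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation; a time-based fob uses counter = time // 60."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def fob_code(now: int) -> str:
    """What the key fob displays at Unix time `now` (60-second steps)."""
    return hotp(FOB_SECRET, now // 60)


def canonical(tx: dict) -> bytes:
    """Fixed field order so the dongle and the bank MAC exactly the same bytes."""
    return f"{tx['from']}|{tx['to']}|{tx['amount_cents']}".encode()


def dongle_sign(tx: dict) -> bytes:
    """The device signs the transaction it rendered on its own screen."""
    return hmac.new(DONGLE_SECRET, canonical(tx), hashlib.sha256).digest()


def user_on_dongle(displayed: dict, intended: dict):
    """The human compares the dongle's screen with the transfer they meant to make.
    Returns a signature on approval, None if the payee or amount does not match."""
    if canonical(displayed) != canonical(intended):
        return None
    return dongle_sign(displayed)


class Bank:
    """Minimal model of the two server-side checks being compared."""

    def __init__(self):
        self.ledger = []

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        """Legacy flow: user name, password and fob code. Accepts the current
        60-second step and the previous one to tolerate clock drift."""
        if (user, password) != (USER, PASSWORD):
            return False
        return any(hmac.compare_digest(code, hotp(FOB_SECRET, now // 60 - d)) for d in (0, 1))

    def transfer_after_login(self, logged_in: bool, tx: dict) -> bool:
        """The OTP only proved that someone who saw the fob logged in;
        nothing binds that proof to this particular transfer."""
        if logged_in:
            self.ledger.append(tx)
        return logged_in

    def transfer_signed(self, tx: dict, sig: bytes) -> bool:
        """Signing flow: the bank recomputes the MAC over the transfer it received."""
        ok = hmac.compare_digest(dongle_sign(tx), sig)
        if ok:
            self.ledger.append(tx)
        return ok


def otp_login_vs_mitb(now: int) -> bool:
    """Scenario 1: the trojan's injected single-page form captures all three
    credentials at once; the attacker replays them 20 s later (assumed delay)
    from another machine and moves money. Returns True if the fraud succeeds."""
    bank = Bank()
    captured = {"user": USER, "password": PASSWORD, "code": fob_code(now)}
    session = bank.login(captured["user"], captured["password"], captured["code"], now + 20)
    mule_tx = {"from": "acct-business", "to": MULE_ACCOUNT, "amount_cents": 1_000_000}
    return bank.transfer_after_login(session, mule_tx)


def signed_transfer_vs_mitb(intended: dict, attack: str) -> bool:
    """Scenario 2: the same trojan against transaction signing. Returns True if the fraud succeeds."""
    bank = Bank()
    swapped = dict(intended, to=MULE_ACCOUNT)
    if attack == "swap_before_signing":
        # Trojan rewrites the payee on the PC; the dongle displays the mule account.
        sig = user_on_dongle(displayed=swapped, intended=intended)
        return sig is not None and bank.transfer_signed(swapped, sig)
    if attack == "tamper_after_signing":
        # Trojan lets the user sign the real transfer, then alters it on the wire.
        sig = user_on_dongle(displayed=intended, intended=intended)
        return bank.transfer_signed(swapped, sig)
    raise ValueError(f"unknown attack {attack!r}")


if __name__ == "__main__":
    tx = {"from": "acct-business", "to": "acct-payroll-provider", "amount_cents": 1_000_000}
    print("OTP login defeated by MITB:", otp_login_vs_mitb(now=1_256_047_200))
    print("Payee swapped before signing:", signed_transfer_vs_mitb(tx, "swap_before_signing"))
    print("Transfer altered after signing:", signed_transfer_vs_mitb(tx, "tamper_after_signing"))
```

Run it and the first scenario goes through: the bank's check only establishes that whoever logged in saw the fob's current code, and a code captured from the injected page is still valid when the thief types it in seconds later. The two attacks on the signing flow fail for different reasons: swapping the payee before signing puts the mule account on the dongle's own screen, where the user can refuse, and tampering after signing breaks the MAC at the bank. What remains is the user approving a payee they do not recognise, which is why the device has to render the account number and amount itself rather than trust a summary from the PC.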


And the COST[S] for the analysis & report was roughly how much ???

Posted by: | October 22, 2009 2:33 AM | Report abuse

A question.

If you did a clean install of a current Windows operating system then restricted it from going anywhere but the banking site and Windows Update and eliminated email and disabled autorun, CD/DVD drives and USB ports (perhaps difficult in these days of USB keyboards), could that eliminate most of the threat?

This might make it palatable to those who are afraid of Linux. I don't know if a Windows pc can be restricted to such a degree.

Of course the ever-present threat in any security setup is the end user, especially the half-smart end user.

Posted by: eteonline | October 22, 2009 8:48 AM | Report abuse

Mr. Krebs,
Will the Zeus Trojan install with limited user account privileges?

Thank you

Posted by: phmckenna | October 23, 2009 10:04 AM | Report abuse

@phmckenna -- that question is answered in the body of the story:

"Still, a number of today's more advanced threats - including the Zeus Trojan, a sophisticated family of malware most commonly associated with these attacks against small businesses -- will just as happily run on a limited user account as an administrator account in Windows."

Posted by: BTKrebs | October 23, 2009 10:43 AM | Report abuse

Will the Zeus trojan install, or be detected, on a Windows account running the latest version of Firefox and the latest NoScript extension?

Posted by: Garak | October 23, 2009 2:49 PM | Report abuse

" ... any solution that fails to assume that a customer's system is already completely owned by the bad guys doesn't have a prayer of outsmarting today's threats."

Completely agree.

On the Linux side, running it off solid state media is faster than off a CD. And solid state media can throw away all system changes at shutdown time if that's what you'd like or keep all changes if you'd rather do that. Best of all worlds.

Posted by: MichaelsPostingID | October 27, 2009 12:02 AM | Report abuse



© 2010 The Washington Post Company