Web Development

On-line banking: How safe is it?

Michael Kassner is changing how he banks on-line after reading a MIT Technology Review article. You may want to as well; here's what it says about crimeware.

In the article "Real-Time Hackers Foil Two-Factor Security", Robert Lemos, a science and technology journalist sheds light on a serious security issue. The article points out, how sophisticated cybercriminals are becoming. In fact, a new term, crimeware is used to describe their exploits.

Crimeware

Crimeware is a class of automated malware designed to steal money, as explained by Wikipedia:

"Crimeware (as distinct from spyware, adware, and malware) is designed (through social engineering or technical stealth) to perpetrate identity theft in order to access a computer user's on-line accounts at financial companies and on-line retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the crimeware."

Half a million dollars

I would like to step through the events that led to 447,000 dollars being stolen from Ferma, a California construction company. To avoid confusion, I first want to mention that after the crime, forensic analysis determined a computer used by Ferma was infected with undisclosed crimeware. Apparently, the infection occurred when visiting a certain Web site. Here's what happened after the infection:

  1. A Ferma employee logs into their bank's on-line financial Web portal.
  2. The portal requests a second authentication factor in the form of a 6-digit, one-use number.
  3. After authentication was confirmed, the employee begins making legitimate payments.
  4. At the same time, the crimeware program managed to initiate 27 fund transfers totaling 447,000 dollars to various bank accounts.

It appears the crimeware in this case was not detected. I do not doubt that. Especially if the malcode is sophisticated enough to determine the account has a draw limit of 447,000 dollars and automatically make transactions up to that amount.

Multi-factor authentication

Some are reporting that this is a failure of multi-factor authentication. I don't see that. Having multi-factor authentication in place forced the cybercriminals to go to extraordinary lengths to gain account access. Therein lays the problem. Once again the bad guys have figured out a work-around.

Solutions

Experts are coming up with various solutions to beef up the current system. Here are some examples:

  • Setup a dedicated terminal that is only used to access the banking Web portal.
  • Confirm each transaction with a one-time password from the same device used to log in to the banking Web portal.
  • Make the user enter a reCAPTCHA for every transfer that leaves the bank.
What really matters

The above solutions and others that I have seen are missing the point. The computer was exploited, most likely through some known vulnerability. Without that, the crime could not have happened. We are back to the same old problem, trying to stay ahead of the bad guys. Well, maybe more like trying to catch up to them.

My solution

For on-line credit transactions I use a credit card that offers a one-time number for each purchase. Still, not knowing how capable this new crimeware is, my approach could be problematic.

My bank does not use true multi-factor authentication. The bank considers security questions to be a second factor, but they are not. I'm also asked to approve the transactions, but not with a one-time password. So my authentication process is less secure than Ferma's bank.

I plan on using a LiveCD from now on when I am doing any kind on-line banking or retail transaction. That way, I know the operating system is not compromised. It's going to be a pain, but I do not see any other recourse at this time.

Final thoughts

It comes down to trusting the computer to be free of malware. I'm not willing to take that chance. If you have a better solution, I would love to learn about it.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

247 comments
AuthenticVoice
AuthenticVoice

The issue is not how sophisticated your multi-factor authentication. The Trojan simply piggybacks the process and modifies the transaction details using browser vulanerability. The long term solution is described here: http://www.sentry-com.net/Transaction.html

btompkins
btompkins

Paypal has a plug in that will generate a one time use Mastercard Number, additionally, you can dispute charges. I have this Paypal account tied to a bank account that is only used for online purchases, does not allow overdrafts and I only put the money in that I am going to use for the transaction, its a pain and its not perfect but I think I have myself covered.

ric2040
ric2040

Go the bank in person!, bottom line will always be... if its connected to the internet it will always be at risk.

ct2193
ct2193

Trusting your computer is, of course, a very important factor. Limiting your online use of the computer is a second factor that will greatly protect you. While the Live CD protects against infections that alter the Operating System, it causes security fixes to either be missing or for the end user to be burning CD's on a near daily basis. Not only is this tedious, but it wastes resources, is overall bad for the earth, and ultimately, requires you to trust the computer that is burning the CD. If you use an infected system to burn your CD, then you have the potential for infections to be infecting the resulting CD. Infecting the boot sectors is fairly generic as compared to guessing which Operating System the disc eventually boots into. Personally, I have a few recommendations to consider... 1) Simply don't do online banking and have online access to your accounts restricted, if not completely removed. (I prefer this method.) 2) Use less resources. The less service you pay for, the less you need to transact with. 3) From your protected and trusted computer that is up to date, configure your electronic transactions to be automated. Many different companies allow automatic transactions. Basically, every month, someone like Comcast would automatically charge your credit card or checking account. There's no guarantee that it will never be a problem, but it's now in their hands. They have more technical resources than most households and any risk they introduce would still exist even without your personal computer adding to it. Being in their hands also puts liability on someone else. Their breech means their pockets should anything happen. 4) Build a system that is for this dedicated use. Where possible, utilize a drive that is writable, but can be hard set to be read-only. The BIOS on some motherboards allow control of this, but it's still not really "hard set" and could be possible for malware to hack at your BIOS. (BIOS Viruses already do this.) 5) Virtualization! Harden your core Operating System and NEVER connect online with it. Run a virtual instance of whatever system you need for your online transactions. If the virtual copy of Windows gets infected, delete it and copy back in your image of the virtual drive. Update it and keep a copy. Delete and recopy after each use. Check out SUN Virtual Box for a legally free virtualizati9on option. You'll still need a valid license for whatever Operating System you install virtually though.

Craig_B
Craig_B

It seems like we have a couple of problems, how good is the bank security and how safe is the machine you access the bank from? From what I've read in other articles, "the security experts" use a locked down separate machine for online banking. Of course not everyone can do that, so the next best thing would be a locked down VM. I guess the common factor is do not use the same general machine/browser used for surfing the internet that you use for online banking.

daryl.thomas
daryl.thomas

I use the Mozilla browser from my iron key drive which is not only encrypted but doesn't exist on the local pc (live).

lastchip
lastchip

your banking IT systems in the US, are trailing those we have in the UK? It seems to me, one of the earliest contributors to this thread, hit the nail squarely on the head, when he said that upper management was reluctant to introduce secure systems. For example, when I use on-line banking here in the UK, there are a number of steps I need to perform, to get the required result. As soon as I want to log on, I'm transported to a secure page; encryption is used from this point. I need three pieces of information to log on, one of which has to be entered via my mouse, presumably to avoid keyboard loggers. Once on the site, any money movement requires me to use my hand held card reader (supplied by the bank) and enter my PIN and the amount, which then generates a numerical code, which has to be entered onto the site to authorise the transaction. Keep in mind, the code generation, is completely separate from the PC. It is only once it's been generated, you type it into the browser, which itself is in an encrypted session. I really don't see how at the present time, you can get much more secure than that; or am I totally missing the point? In fact, my bank guarantees, that providing I do nothing to compromise their security, they will not hold me responsible for any fraudulent transactions. Never-the-less, I really like the thought of yet another layer, in the form of using a live CD, and it is something I'll give serious consideration to. Thank you again Michael, for yet another excellent thought provoking article. Anyone that chooses not to read your pieces, is missing a rare treat of information. Edited for minor error.

KSoniat
KSoniat

When setting up accounts at the "on-line" banks they send transactions to your designated accounts, you verify, then ONLY those acounts can be used to transfer money. Takes a few days, but feels fairly safe. Good article.

The 'G-Man.'
The 'G-Man.'

issues challange response tokens to all customers that require the bank card and pin to provide the response code. Works fine. EDIT: You get challanged per transaction where money leaves your account. Instead of a live CD use a virtual machine or perhaps sandbox your browser.

JCitizen
JCitizen

I've often thought if I go the credit card route again, Master Card may be the one to get. My state used to only accept Master Cards as they had a more consumer centric billing, security, and account agreement.

fnjas
fnjas

I have seen banks start charging for teller window visits for some types of transactions. The banks are pushing customers to their web portals.

Ocie3
Ocie3

covered all of the bases on this topic. Unfortunately, there is no apparent solution that an ordinary person can [i]easily[/i] implement to confidently secure their computer for online banking, even if they can afford to dedicate just one machine to that purpose. To implement and use your fourth and/or fifth recommendations requires more technical knowledge than most people can and will acquire. Your third recommendation assumes that a "protected and trusted" computer is technically possible. Forgive me for having doubts, especially when Windows is the OS, whether another extant OS might be a more secure alternative. So, it seems to me that the only feasible security solution(s) would be to change the way that US banks currently implement banking [i]via[/i] their web sites. In particular, we truly need, at least, genuine two-factor authentication. Granted, it is currently not cheap, but ATM cards were not so cheap to implement and introduce to the banking public. Innovation is seldom cheap. There are several posts in this discussion by people who bank in the UK, India, and other countries besides the USA. The measures and procedures that they describe remind me of the maxim that what you gain in security you will likely lose in convenience. Which is to say that, IMHO, the reason that US banks have not adopted similar security practices is primarily a fear of alienating customers, at least with regard to personal accounts. "Older" people are the ones who have the most money. It takes a while for anyone who is "older" to [i]adopt[/i] change as well as [i]adapt[/i] to change. Today, most of us enjoy using a computer for communication and to share photographs and such, perhaps to watch videos or for other recreation, but less so for shopping, perhaps least for banking. The banks have long expected electronic banking to have a total lower cost than the costs of processing checks (which they now "convert to electronic transactions"), and mailing printed account statements each month. They want to get away from paper so much!! (The US Treasury wants to stop printing paper currency, but that is another matter.) Big businesses also want people to pay them [i]via[/i] electronic funds transfers, which are far less expensive than processing the receipt of checks, and they, too, don't want to mail any more invoices or statements of account than their diehard customers demand. So, if very many customers find that online banking is "too complicated", or "too time-consuming", then the banks and their business allies will lose the profits that they have hoped to gain by making both banking and commerce almost entirely electronic. One wonders how many customers will be alienated when they discover how easily thieves can drain their accounts with crimeware. So far, acts of very grand larceny have always affected businesses, governments and, sometimes, non-governmental organizations such as charities. But when banks are either induced or forced to adopt effective measures to stop such crimes against enterprises, it will not be long before crimeware begins to target personal banking, too.

Michael Kassner
Michael Kassner

I agree with all of your points. My concern is that we are aware of security issues and do not mind going through extra steps to remain secure. What are we going to do to help the millions of users that just want it to work?

apotheon
apotheon

If you're going to use a "locked down VM" for banking, and you're going to use the same physical machine for other (less secure) purposes, you should have a separate VM for those other purposes. If you use the host OS for less secure purposes, you'll end up obviating much of the point of using a VM for secure transactions. In fact, all else being equal, you'd be better off using the host OS for secure transactions and a VM for everything else. You could, perhaps, use a netboot setup to ensure that any malfeasance perpetrated by malware or a remote malicious security cracker on the local machine is wiped away upon reboot, similarly to what would happen if you booted a VM from a read-only OS image. Ultimately, though, you might as well just never use the host OS for anything other than hosting VMs, if you're going to go the VM route for securing your online banking.

Michael Kassner
Michael Kassner

Craig, you have it figured out. Please remember though, that 90 percent of the people on-line are not as astute as you are.

Michael Kassner
Michael Kassner

How the crimeware actually works only allows me assumptions as to what is secure or not. The only for sure method the members have come up with is if each transaction requires a one-time password for verification. Edit: Spelling

rob
rob

Here in the Netherlands I have to enter my account number and pass number on a https session, then I get a random number presented. After I enter my pin on a separate device provided by my bank I have to enter this random number. The resulting number I have to enter on the web-page again. After preparing all transactions I get screen for validation. When issuing the transactiuons I get a random number again, which I have to enter in the device, and provide the result to the web-page before any transaction is done. For each transaction above a certain amount I get a re-validate trough another process (still using the same device). Sounds pritty secure to me..

dmmillr1
dmmillr1

Would running ubuntu or opensuse or the like in a VM in say, virtualbox, just for banking, be a viable option as opposed to using a bootable version on a USB stick?

apotheon
apotheon

using Firefox under Linux . . . or Chrome with Linux, or Firefox with FreeBSD, or any of a number of other, similar options. Using IE (or anything else, really) on MS Windows is a generally bad idea, though.

Michael Kassner
Michael Kassner

Thanks for commenting. I read your posts religiously.

rpsibew110
rpsibew110

Both Windows and Apple offer a virtual keyboards that could be used to log in and or complete transactions.

Michael Kassner
Michael Kassner

I have a healthy respect for your system. It is indeed better. Especially since they do not hold you responsible. I wonder why the US is so far behind? Thank you for the compliment. I appreciate it when members such as yourself take the time to comment and help all of us learn. Edit: forgot a point.

Michael Kassner
Michael Kassner

I need to ask my bank if they do that. I set up accounts that I send funds to. I doubt the crimeware app is smart enough to input all the required information. maybe though. Thank you for pointing that out.

Michael Kassner
Michael Kassner

What your bank is doing. Is a VM or sandbox sufficient? I would prefer a VM or Sandboxie for this as there is no need to reboot. Still, couldn't the crimeware write to the browser in the VM session or sandbox? I suppose from the information I have gleaned about this crimeware app, if you only visit the bank portal, the browser should be clean. Any thoughts?

JCitizen
JCitizen

does this by offering an account that pays back in tiers a large to small percentage of the usual credit transaction fees charged by POS centers at businesses. Since I do literally everything electronically they usually pay 6% interest which includes many of the transaction fees in this. I've recovered up to $300 dollars a month on busy times of the year. They are willing to do anything not to have to hire more teller help. However their logon is weak, maybe not as weak as some; they try to make up for it by using a behavioral analysis algorithm that watches normal monthly trends. If a large electronic debit is detected from a new source, the credit union will lock the account out. I've very infrequently had to call the 800 number to unfreeze the transaction. It really hasn't be much of a hassle at all. Online VISA credit/debit transactions are double checked with Visa's authentication system which is better than most situations I've seen other people suffer from. I've only had one problem with it, and it was positive, because the transaction should have be rejected in that particular instance anyway.

apotheon
apotheon

There was a trend to do the same thing in the late '90s, too. It didn't last, then. I wonder if it'll last now. In the late '90s, though, they were trying to push everyone toward doing everything through an ATM instead. If someone doesn't come up with a better way to handle depositing paychecks, though, I don't see this push toward doing everything through the Web portal will work out any more than pushing toward doing everything through the ATM did. Actual physical money and checks are the major impediments to removing the human touch from banking in the mainstream population. Nobody wants to have to screw around with envelopes when making a deposit. People barely tolerate deposit slips; envelopes are deal-breakers, as is any system that doesn't provide immediate recognition on the bank's part that yes, that was an actual check that was deposited, so they can give the customer immediate access to the funds that were deposited. Nobody on the lower rungs of the financial ladder -- people who don't have enough money to not notice or care how long a hold might be on a check -- wants to wait two days for the ATM to get emptied and some clerk in a back room to sort the deposits before they can get at their money.

Michael Kassner
Michael Kassner

I think you answered my question as to why the US is so far behind. I suspect that will change soon. My next post is about all of the different kinds of banking malware that is popping up. It also will start affecting on-line retail as well. So they will change their tactics as well. At least, I hope so.

JCitizen
JCitizen

This model was not brought to light during our discussion over another article you posted about low cost authentication. Seems like we were looking at non-factor based authentication or alternatives there-in; sorry if this is perceived as off topic.

Michael Kassner
Michael Kassner

I have heard from many members in the EU that have a similar process. I wish that was the case here in the U.S. Thanks for sharing your information.

Michael Kassner
Michael Kassner

If the ISO is read only, I believe that it will work. Apotheon can verify that for me.

Ocie3
Ocie3

if memory serves, they store the "keystrokes" in the same OS input buffer that the actual keyboards store them in. So, a keystroke logger will read those keystrokes too.

Michael Kassner
Michael Kassner

The malware activates after log in. So that is really not an effective deterrent.

RU_Trustified
RU_Trustified

I remember a post by Rich Mogull at Securosis where he said he used different browsers for different functions. He may have used something more obscure like Opera for sensitive things. Why are you assuming that the web server in the bank's portal is secure? If malware is infiltrating banks these days, are they using something different for the web servers? What about zero days? Unless a bank is using a trusted operating system and mandatory access controls for that server, sooner or later they could be hit.

apotheon
apotheon

Really, for sandboxing to provide everything you want it to provide in this case, you'd have to have more than one. One sandbox (where I'm counting a VM as just a more comprehensive, special case of a "sandbox") would be for dealing with sensitive transactions where you consider the risk of getting infected minimal, and the other would be fore the rest of your life. This way, things you do outside of your sensitive transactions sandbox don't affect the OS that serves as host for your sensitive transactions sandbox, since stuff that affects that host OS might also affect the sensitive transactions sandbox. Sandboxes leak, though -- both OS VMs and application sandboxes such as Sandboxie. If there's some kind of flaw in the segregation provided by a given type of sandbox that allows some piece of malware, just once, to get something through to the host OS, you could be in trouble. Using filesystem integrity auditing from a remote host that isn't writable (or, ideally, even detectable) from the system you're using to house these sandboxes can help ensure the host OS hasn't been compromised, as long as you do an integrity audit before every launch of the sensitive transactions sandbox. Of course, this can get to have some rather high administrative overhead, because you'll still need to update the integrity auditing snapshot every time you make an authorized change to the filesystem(s) you're auditing. By the time you start doing that, you might actually want to think about skipping the sandbox idea altogether, and just do your sensitive transactions from a separate physical machine (but still do integrity auditing). As long as your network is on a switch rather than a hub, and the switch itself hasn't been compromised, you should be reasonably safe from getting your sensitive transactions compromised by a separate compromised system on the network. I guess, in the end, you can always be more paranoid, if you feel like it. Long before you get to the point of running a "clean" box that gets regular integrity audits from a separate system on the network, though, you might want to look into ensuring you're using the bank with the most secure policies you can reasonably get. If your paranoia level gets that high, you should definitely be concerned about a bank that doesn't even understand multifactor authentication.

The 'G-Man.'
The 'G-Man.'

If the sandbox is empted before & after every session then the browser should be clean. Is that not why sandboxing was created in the first place? Empty the sandox before visiting the bank (you can do this without a reboot) Empty after visiting the bank However if the crimeware is not browser related and actually a virus of sorts then I guess a VM (just for bank visits) would be the way to go. Mind you, as the VM runs within a host OS then is that also safe? Best bet - only bank with institiuions that provide correct transaction & web security. Making this part of the process of selecting a bank in the first place. If people left in droves because of this, all banks would have to take notice.

apotheon
apotheon

As far as I'm aware, most employees still don't get their paychecks that way. Hell, TechRepublic won't pay me that way for my articles -- and that's ignoring the people who won't go to the trouble to set up a direct deposit even if their employers would happily do so.

Ocie3
Ocie3

In the USA, most employers will gladly make an electronic deposit of an employee's paycheck to the employee's bank account, regardless of the bank where the employee has their account. Of course, sometimes there are unanticipated consequences. A friend told me that he wished that he had not joined the "direct deposit" program that his employer promoted, because his wife had access to the money before he ever saw it. I suggested that maybe they could have separate bank accounts, since having a "direct deposit" of a paycheck (or other income) usually eliminates the monthly maintenance fees charged for the bank account. They actually did that: one account for her (she works, too), one for him, and one that they call the "household account".

Ocie3
Ocie3

Quote: ".... My next post is about all of the different kinds of banking malware that is popping up. It also will start affecting on-line retail as well. So they will change their tactics as well." As it stands, the banks and online retailers have no choice; they must implement more secure systems. If memory serves, a recent AP wire story reported that US businesses and government agencies lost more than $18 billion in CY 2007 to online criminal activity -- much of it in outright robbery such as the one that you described in your article here, the rest to credit card fraud, debit card fraud and loan fraud. The losses for CY 2008 were expected to be at least twice those in CY 2007, and there is some concern as to what effect cybercrime will have upon the economy, i.e., upon recovery from the "(great) recession". The good news is that the aggressive FBI campaign against identity theft has made that less common, although it has not been eradicated. Banks have always promoted online banking as more convenient and time-saving than writing a check, entering data on a payment form, stuffing the pair into an envelope, putting a stamp on it and mailing it. Now they must introduce the matter of safety and security (whether prominently) to explain and justify the countermeasures that they adopt to make theft more difficult, whether impossible. IMHO, the banks had just as well be honest about it, if only to put a positive "spin" on their changes. If they are not forthcoming, but people eventually perceive the bank's motivation, then that will give them pause to wonder just what is going on and why no one wants to frankly disclose the risks. Such a shot to the heart could be quite serious for online banking and commerce. I'm looking forward to your next article(s).

RU_Trustified
RU_Trustified

From a news item just posted: "A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security." http://news.cnet.com/8301-1009_3-10363373-83.html Norway was last on the list. Somebody should ask them what they are doing.

RU_Trustified
RU_Trustified

to his post. I can't remember specific details about it... but I remember thinking "how many hoops do people have to jump through to try and be secure?"

Michael Kassner
Michael Kassner

I suspect that you have misquoted him. The browser is not relevant, if it is we have failed.

Ocie3
Ocie3

Quote: "By the way, Sandboxie is a great at backing out system changes, but that doesn't stop malware from getting in, doing something bad and then being removed by Sandboxie." Sandboxie does [b]not[/b] allow any software that is running in a sandbox -- which is where any malware that is downloaded (by a program that is running in a sandbox) will be stored and running -- to create, change or delete any files that are outside of the sandbox! [i]That is why we run Sandboxie.[/i] It wouldn't be much of a "sandbox" program if it allowed malware to do those things, would it?? That said, Sandboxie can be configured to allow one or more programs that run in a sandbox to create, change and/or delete files outside of the sandbox. Allowing that can be desirable, but it also introduces some risk that the program will create a malware file or a malware-infected file outside of the sandbox. The risk depends upon the program and what sort of files that it ordinarily creates. As far as I know, whether Firefox and Sandboxie are running under Linux makes absolutely no difference, and there is no reason to believe that there would be any.

Ocie3
Ocie3

using the Sandboxie "recovery" feature does not "poke a hole" in a sandbox. You can download .PDF files to the HDD while running Firefox in a sandbox, and they will be stored in the sandbox with the pathname that you specified for the location of the file (except, of course, it won't begin with "C:\"). If you have configured the sandbox to enable "immediate recovery", as soon as the download is completed Sandboxie displays a query dialog asking whether you want it to copy the file, and it will also offer three (?) options as to location. I usually choose the "parallel" location, i.e., the same location in the file tree that is outside of the sandbox. Even if you don't configure "immediate recovery", when you delete the contents of the sandbox, Sandboxie ordinarily displays one or more file trees showing the copies of downloaded files that it has stored in the sandbox, and you can recover them at that time if you choose to do so. You only "poke a hole" in the sandbox when, for example, you allow Firefox to change its bookmarks file in the profile that you are using while it is running in the sandbox. That is, if you give an application permission (via Sandboxie's configuration) to write files in locations that are outside of the sandbox, then they [i]might[/i] store malware outside of the sandbox. Of course, whether that can and does happen depends upon the application in question, and what it is writing outside the sandbox, assuming that ordinarily the file which it creates or alters is not malware (of course).

Michael Kassner
Michael Kassner

First when I try to print to Adobe Acrobat is does not recognize Acrobat. I haven't been able to find anything that I can do to fix that. I alsodo not like the fact that I can not scroll with my touch pad I have to use the scroll bar on the right side.

mikeh222
mikeh222

I'm a big fan of Sandboxie and am curious about the details of your problem. I'd like to try to re-create it. By the way, Sandboxie is a great at backing out system changes, but that doesn't stop malware from getting in, doing something bad and then being removed by Sandboxie. It's a huge step up the security ladder, but Firefox under Linux is still safer.

Michael Kassner
Michael Kassner

I use Sandboxie quite a bit for research, but it limits many things if you keep the sandbox entirely contained. I can't use it when banking, as it will not print to Adobe Acrobat or what do you do with statement pdfs? Saving those would require making a hole.

saghaulor
saghaulor

"Best bet - only bank with institiuions that provide correct transaction & web security. " You missed the point. The problem usually is not the banks, rather, it's a compromised computer of the end user. The information is stolen after your computer has been compromised, and after you make a successful transaction. Then after it has all your personal tidbits, it does what it wants with your account. Think of it as a very sophisticated keylogger.

Ocie3
Ocie3

Not that I've made a survey of US banking website practices, or searched for such a review that might exist on the Internet, but I I would suspect that there is a relatively narrow range of practices, without any particular bank better than the others.

Michael Kassner
Michael Kassner

PM me, please. Ironically, I know the developers. I suspect that I am not doing something correctly. Not the first time.

howiem
howiem

Michael, I don't how much research you have done on this or which version of Sandboxie or Adobe you were using, but there might be a workaround for the printing problem. I found some at http://www.sandboxie.com/index.php?KnownConflicts, and http://www.sandboxie.com/phpbb/viewtopic.php?t=3713&sid=1849253151c25942789a1d254cf63b12 One user solved it by opening a file path to the licensing file %:\Program Files\Common Files\Macrovision Shared\Flexnet Publisher. The solution to the touchpad problem might be here http://www.sandboxie.com/phpbb/viewtopic.php?p=11866&sid=efc4823cf9afdcad8be5b608085a94ef I've been using Sandboxie for years. I set up a separate sandbox for wach bank and for each shopping site and only use the sandbox for its designated web site. The sandbox can be deleted after use for one time shopping events to keep the list from getting too long. I also delete the contents of each sandbox frequently. I use the No-script add-on in Firefox as well to get alerted on cross site scripting, etc. One of the things I like best about Sandboxie is that the support is great, and the program gets better and better.

Derek Schauland
Derek Schauland

VMware workstation is great, but Virtual PC might be the way to go as it is free. Both applications accomplish the same goal

Michael Kassner
Michael Kassner

Rapport appears to be a VPN client, that wouldn't help. The card reader would help, but it is not a one-time passphrase and it is used to make initial setup and changes. Transactions would still be in trouble. If I am looking at it correctly.

The 'G-Man.'
The 'G-Man.'

Did you read the acutal page I linked to?

arun.viswanathan
arun.viswanathan

It is good RBS have two factor but they not everyone. Even though two factor susceptible to MIMA having two phase plus factor is assuring. Arun

arun.viswanathan
arun.viswanathan

Hi Michael, It is a good discusssion which you have initiated. I still believe online banking is safe with the following: Two Factor: 1.Two phase (not factor) authentication i.e. a)login password and b) Transaction password 2. Your ATM card will carry unique references like A- Z in which each alphabets will be assigned unique number ex. A- 15, B- 24 .... now at the time of transaction you need to fill in with minimum three alphabets i.e. A H T or B J U On above scenario you have two factor and least expensive. Every quarter you can shuffle alphabetical values to keep it safe. The above example is ingenious and I found practised v=by an Indian bank. But i must admit when it comes to online security UK banks aren't that great either. Regards Arun

Michael Kassner
Michael Kassner

Sandboxie is a great program. The only problem I see is that it doesn't allow printing to Adobe Acrobat. I get my statements electronically. Also, I don't like the fact that scrolling on the touch pad doesn't work either. I may look at a VM product. Any thoughts as to what would be best just for this situation?

Derek Schauland
Derek Schauland

I agree and think that online retailers and banks should be all over this as it is in many ways their bread and butter. In the meantime, what would you recommend for sandboxing? I am considering VM for banking but was curious about the sandboxing option as well

Michael Kassner
Michael Kassner

I hope the banking an on-lime retail organizations jump on this. As for the sandbox, That seems to make sense if you only use that particular one for the banking portal. I get concerned about openings to print and save files though. But that is a problem with a LiveCD as well. Thanks for your thoughts.