August 26, 2012
Use another browser - Kaspersky follows suit
You saw it here first :) Kaspersky has dipped into the payments market with a thing called Safe Money:
A new offering found in Kaspersky Internet Security is Safe Money, Kaspersky Lab's unique technology designed to protect the user's money when shopping and banking online. To keep your cash safe, Kaspersky Internet Security's Safe Money will:
- Automatically activate when visiting most common payment services (PayPal, etc.), banking websites, and you can easily add your own bank or shopping websites to the list.
- *Isolate your payment operations in a special web browser to ensure your transactions aren't monitored*.
- Verify the authenticity of the banking or payment website itself, to ensure the site isn't compromised by malware, or a fake website designed to look authentic.
- Evaluate the security status of your computer, and warn about any existing threats that should be addressed prior to making payments.
- Provide an onscreen Virtual Keyboard when entering your credit card or payment information so you can enter your information with mouse-clicks. This will activate a special program to prevent malware from logging any keystrokes on your physical keyboard.
The #2 tip is the same as the #2 one that's been on this website for years - use one browser for common stuff and another for your online payments. This simple trick builds a good solid firewall between your money and the crooks' hands. What's more, it's easy enough to teach grandma and grandson.
(For those lost for clue, download Chrome and Firefox. I advise using Safari for banking, Firefox for routine stuff and Chrome for google stuff. Whatever you do, keep that banking browser closed and locked down, until it is time to bring it up, switch to privacy mode, and type in the URL by hand.)
Aside from Kaspersky's thumbs-up for the #2, what else can we divine? If Kaspersky, one of the more respected anti-virus providers, has decided to dip its toe into payments protection, this might be a signal that phishing and malware is not reducing. Or, at least, the perception has not diminished.
Out there in user-land, people don't really trust browsers to do their security, and since GFC-1 they don't really trust banks either. (They've never ever trusted CAs.) This doesn't mean they can voice, explain or argue their mistrust, but it does mean that they feel the need - it is this perception that Kapersky hopes to sell into.
Chances are, it's a good pick, if only because we're all going to die before any of these providers deals with their cognitive dissonance on trust. Good luck Kaspersky, and hopefully you won't succumb to it either.
Posted by iang at August 26, 2012 07:34 AM
Isn't that "safe" browser simply going to be the first thing the malware heads for after it's compromised the customer's PC?
It might help a bit against phishing, but right now if I loose one user land process I've lost them all.
I did some experiments with secure bootable USBs, but it's too complex (and sometimes involves BIOS configurations) for the average consumer. Running specific banking client software from the Windows Secure Desktop, might be a solution...
95/96 time-frame, consumer dailup online banking were making presentations at industry conferences that they were moving to internet ... a major motivation was consumer support costs associated with serial-port dial-up modems (major support costs would effectively be offloaded to ISPs). At the same time the commercial/cash-management dialup online banking were saying they would *NEVER* move to the internet (because of a long list of security reasons ... which have since come to pass since they began moving to the internet).
Within the past couple years, the feds have been recommending that businesses have a dedicated PC that is *NEVER* used for anything else than online banking (as a partial return to the days of online banking). This could be considered similar to the recommendation of having a different browser that is dedicated to only being used for online banking.
In the late 90s, there was lots of work being done on consumer smartcards for authentication as countermeasure to stealing credentials ... as well as the EU "FINREAD" standard as countermeasure to compromised PCs. Then there was a large project in the early part of this century with consumer smartcards and give-away of serial-port cardreaders. The disastrous consumer support problems in the wake of the give-away resulted in rapidly spreading opinion in the industry that smartcards weren't practical in the consumer market (when the problem was actually the give-way of serial-port readers; demonstrating that all the institutional knowledge about serial-port consumer support problems had evaporated in the span of a couple years; note that serial-port issues were major motivation for development of USB ... and the serial-port give-away cardreaders were likely gotten in firesale on obsolete technology).
This resulted significant retrenching from any card oriented solution in the consumer market (including the EU "FINREAD" countermeasure for both skimmed credentials and compromised machine).
Within a year or two, there were some non-card "SAFE" payment products developed (not as good as hardware tokens but better than what we have now) which saw high acceptance between the e-merchants (accounting for approx. 70% of online transactions of the period). However, merchants had been indoctrinated for decades that interchange rate was proportional to fraud rates ... and they were expecting order of magnitude interchange rate reduction from the *SAFE* products. Then the cognitive dissonance and the whole thing cratered when they were told that instead of major reduction in interchange rates (for the *SAFE* products), it would instead effectively be a surcharge on the highest rate they were already paying.
> (For those lost for clue, download Chrome and Firefox. I advise using
> Safari for banking, Firefox for routine stuff and Chrome for google
> stuff. Whatever you do, keep that banking browser closed and locked
> down, until it is time to bring it up, switch to privacy mode, and type
> in the URL by hand.)
Interesting advice, and I might try taking it myself (at the moment I just use Firefox for everything except websites on which it breaks, for which I fire up one of the others). Of course if browsers were better designed it wouldn't be necessary. (One could take this to a further extreme by doing banking only from a separate VM/OS, or even from a separate physical machine.)
In my case I'd modify your advice in one regard, namely to use Chrome for Google stuff except search, and to do search in Firefox. That's because for most Google stuff (Gmail, Google+, Google Docs, Picasa, etc.) it's useful to be logged in, but for search it's better for privacy not to be. Also, in Firefox it's easy to block Google ads so you don't even see them in the search results.
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
> Isn't that "safe" browser simply going to
> be the first thing the malware heads for
> after it's compromised the customer's PC?
Yeah, there's phishing, and then there's malware. The thing about these very distinct attacks is that there is a balance in dealing with one and not the other, especially if the attacker is agile. So we would expect that Kaspersky's approach would deal somewhat with both, raising the bar on both a bit.
> It might help a bit against phishing, but
> right now if I loose one user land process
> I've lost them all.
Most malware attacks have to get in through some method - corrupting via one browser is a class of methods, but it doesn't necessarily result in a breached PC.
More like, the browser itself is vulnerable, so anything else the browser has to offer is vulnerable. Which might be the valuable interface to the bank
Although occasionally we do see a complete breakdown. That recent Java applet bug turns off the security of Java and thus gets access to all Java. Which in effect means the user account is compromised.
> I did some experiments with secure bootable USBs,
> but it's too complex (and sometimes involves BIOS
> configurations) for the average consumer. Running
> specific banking client software from the Windows
> Secure Desktop, might be a solution...
Anything involving hardware and Windows and multiple Intel providers ... well, you get the picture. It just doesn't work at a user level. Conceivably Apple could do it because it controls the stack from bottom to middle. Or Android could do so, in principle, but they open it up because they believe in open.
We have to get back to the basic fundamental premise: Browsers only offer a sort of middle level of security. They cannot be high security by their very nature. As Lynn points out, the banks knew this, and knew it well. What went wrong is that they fell to a game-theory dynamic of weakest-security-model-wins, which collectively swept the industry like a virus.
As Lynn goes on to point out -- it is now highly recommended that business use a single dedicated PC for only online banking. If that isn't an endorsement of the premise - browsing is only medium security - I don't know how more clearly it can be said :)
can be used to help reduce browser as an infection vector and hopefully limits scope of any infection. attacks might then include various social engineering attempting to obtain maximum permissions (and fails when machine is compromised).
EU FINREAD standard demonstrated that browser & PC compromise was well understood during the late 90s ... but a number of factors resulted in it being stillborn.