Comments: Use another browser - Kaspersky follows suit

Isn't that "safe" browser simply going to be the first thing the malware heads for after it's compromised the customer's PC?

It might help a bit against phishing, but right now if I loose one user land process I've lost them all.

I did some experiments with secure bootable USBs, but it's too complex (and sometimes involves BIOS configurations) for the average consumer. Running specific banking client software from the Windows Secure Desktop, might be a solution...

Posted by Thomas Barker at August 26, 2012 11:47 AM

95/96 time-frame, consumer dailup online banking were making presentations at industry conferences that they were moving to internet ... a major motivation was consumer support costs associated with serial-port dial-up modems (major support costs would effectively be offloaded to ISPs). At the same time the commercial/cash-management dialup online banking were saying they would *NEVER* move to the internet (because of a long list of security reasons ... which have since come to pass since they began moving to the internet).

Within the past couple years, the feds have been recommending that businesses have a dedicated PC that is *NEVER* used for anything else than online banking (as a partial return to the days of online banking). This could be considered similar to the recommendation of having a different browser that is dedicated to only being used for online banking.

In the late 90s, there was lots of work being done on consumer smartcards for authentication as countermeasure to stealing credentials ... as well as the EU "FINREAD" standard as countermeasure to compromised PCs. Then there was a large project in the early part of this century with consumer smartcards and give-away of serial-port cardreaders. The disastrous consumer support problems in the wake of the give-away resulted in rapidly spreading opinion in the industry that smartcards weren't practical in the consumer market (when the problem was actually the give-way of serial-port readers; demonstrating that all the institutional knowledge about serial-port consumer support problems had evaporated in the span of a couple years; note that serial-port issues were major motivation for development of USB ... and the serial-port give-away cardreaders were likely gotten in firesale on obsolete technology).

This resulted significant retrenching from any card oriented solution in the consumer market (including the EU "FINREAD" countermeasure for both skimmed credentials and compromised machine).

Within a year or two, there were some non-card "SAFE" payment products developed (not as good as hardware tokens but better than what we have now) which saw high acceptance between the e-merchants (accounting for approx. 70% of online transactions of the period). However, merchants had been indoctrinated for decades that interchange rate was proportional to fraud rates ... and they were expecting order of magnitude interchange rate reduction from the *SAFE* products. Then the cognitive dissonance and the whole thing cratered when they were told that instead of major reduction in interchange rates (for the *SAFE* products), it would instead effectively be a surcharge on the highest rate they were already paying.

Posted by Lynn Wheeler at August 26, 2012 03:49 PM

> (For those lost for clue, download Chrome and Firefox. I advise using
> Safari for banking, Firefox for routine stuff and Chrome for google
> stuff. Whatever you do, keep that banking browser closed and locked
> down, until it is time to bring it up, switch to privacy mode, and type
> in the URL by hand.)

Interesting advice, and I might try taking it myself (at the moment I just use Firefox for everything except websites on which it breaks, for which I fire up one of the others). Of course if browsers were better designed it wouldn't be necessary. (One could take this to a further extreme by doing banking only from a separate VM/OS, or even from a separate physical machine.)

In my case I'd modify your advice in one regard, namely to use Chrome for Google stuff except search, and to do search in Firefox. That's because for most Google stuff (Gmail, Google+, Google Docs, Picasa, etc.) it's useful to be logged in, but for search it's better for privacy not to be. Also, in Firefox it's easy to block Google ads so you don't even see them in the search results.

Posted by An.on. at August 28, 2012 11:06 AM

...
If you primarily use Java because some Web site, or program you have on your system such as OpenOffice or Freemind requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
...

Posted by Media on the latest Java FUD at August 29, 2012 12:48 AM

Thomas wrote:

> Isn't that "safe" browser simply going to
> be the first thing the malware heads for
> after it's compromised the customer's PC?

Yeah, there's phishing, and then there's malware. The thing about these very distinct attacks is that there is a balance in dealing with one and not the other, especially if the attacker is agile. So we would expect that Kaspersky's approach would deal somewhat with both, raising the bar on both a bit.

> It might help a bit against phishing, but
> right now if I loose one user land process
> I've lost them all.

Most malware attacks have to get in through some method - corrupting via one browser is a class of methods, but it doesn't necessarily result in a breached PC.

More like, the browser itself is vulnerable, so anything else the browser has to offer is vulnerable. Which might be the valuable interface to the bank

Although occasionally we do see a complete breakdown. That recent Java applet bug turns off the security of Java and thus gets access to all Java. Which in effect means the user account is compromised.

>
> I did some experiments with secure bootable USBs,
> but it's too complex (and sometimes involves BIOS
> configurations) for the average consumer. Running
> specific banking client software from the Windows
> Secure Desktop, might be a solution...

Anything involving hardware and Windows and multiple Intel providers ... well, you get the picture. It just doesn't work at a user level. Conceivably Apple could do it because it controls the stack from bottom to middle. Or Android could do so, in principle, but they open it up because they believe in open.

We have to get back to the basic fundamental premise: Browsers only offer a sort of middle level of security. They cannot be high security by their very nature. As Lynn points out, the banks knew this, and knew it well. What went wrong is that they fell to a game-theory dynamic of weakest-security-model-wins, which collectively swept the industry like a virus.

As Lynn goes on to point out -- it is now highly recommended that business use a single dedicated PC for only online banking. If that isn't an endorsement of the premise - browsing is only medium security - I don't know how more clearly it can be said :)

Posted by Iang at August 29, 2012 02:06 AM

some browsers offer "personalities" ... effectively completely different browser instances. there is also "noscript" available for firefox (explicit website white-list for javascript)

it is possible to have personality with no-cookies, no script, no nothing ... for general browsing ... and completely different personality (of the same browser) with cookies and limited website scripting white-listing ... and being able to temporarily turn on/off javascript for specific websites.

can be used to help reduce browser as an infection vector and hopefully limits scope of any infection. attacks might then include various social engineering attempting to obtain maximum permissions (and fails when machine is compromised).

EU FINREAD standard demonstrated that browser & PC compromise was well understood during the late 90s ... but a number of factors resulted in it being stillborn.

Posted by Lynn Wheeler at August 29, 2012 08:10 AM

commercial online banking news from today:

Judge dismisses BancorpSouth defense in online theft suit; Bank contended that Choice Escrow's failure to secure online credentials caused $440,000 online heist
http://www.computerworld.com/s/article/9230730/Judge_dismisses_BancorpSouth_defense_in_online_theft_suit

more businesses are winning in court over online banking losses on grounds that financial institutions provide inadequate security

Posted by Lynn Wheeler at August 29, 2012 12:32 PM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x55a50dc2dc50) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.