Banks eye bootable Linux CDs

Australian company Cybersource says it's currently talking to two domestic banks about providing Linux-based bootable CDs to consumers to ensure Internet banking security.

The company yesterday released information about its Online Banking Coastguard solution. Coastguard is based upon Knoppix, a Linux distribution which boots entirely from CD and is known for its automatic hardware detection features. Cybersource has included Mozilla Firefox as the sole browser for Internet banking.

"We've brought it to the attention of several banks, and are in reasonably serious discussions with two of them," said Rohan Tronson, Cybersource's Coastguard product manager. Although he wouldn't say which companies were involved, Tronson acknowledged his company was talking to both national and regional players.

"One of them has considered the technology, but has already made a commitment to another technology, which is tokens. While it's [Coastguard] not incompatible with tokens, they've already made certain agreements with a certain company involved with those tokens. They've chosen at this stage not to make it something that they'll carry as a major product," Tronson said.

"However we are still in discussions with a section of that bank, to use the technology in a slightly different area, within the bank and within a project that the bank supports - we're likely to use something similar to this," he continued. He said that Cybersource would be shortly demonstrating its software to the second bank that it was in discussions with.

"We don't expect too much action at this point from the major banks," said Tronson, although his company has approached them with the Coastguard solution. "We'd probably expect some of the more regional ones or some of the providers of other financial services to be the first onboard with something like this."

However, Cybersource may find it tough going selling its Firefox-based solution to the major Australian banks. None of the larger players officially support Firefox- or Linux-based access to their systems, although various online guides walk Linux users through the process of configuring their system for each particular bank. The complexity of each solution varies between banks, with those that provide Java-based Internet banking (such as St George) requiring the most tweaking.

Tronson did make it clear that if necessary, his company would customise its product to a bank's needs, saying: "There are other browsers available (Netscape, Opera, etc). If necessary we would be happy to replace Firefox with one of these (subject to licensing of course) as part of the customisation process."

Tronson claimed that the main attacks against banks and banking customers were "not necessarily solved by alternative security measures such as tokens and other forms of second factor authentication". Tronson argued that Coastguard would be a better solution for secure Internet banking because it provided "a totally locked-down, secure operating system and applications from non-modifiable media, with DNS-lookup configurations hardwired to secured servers provided by the banks themselves".

When building Coastguard, Tronson said, Cybersource recognised that Knoppix "is not particularly friendly or familiar to the majority of people". So the company took the Linux distribution and used the open source IceWM window manager to build a "user interface that had been made to look and behave much like the Windows XP that most users are used to".

In addition, the company pared down the Linux distribution so that it would supply "just the tools necessary for the single purpose of online banking". Tronson also said his company had secured the underlying Linux system and put extra development effort into ensuring that it would "function smoothly in a far wider variety of environments" than Knoppix normally would.

Cybersource plans for banks to put their own branding onto the product and make it an officially supported secure channel for accessing Internet banking services. The company envisages banks providing bootable CDs of Coastguard alongside other branded marketing material.

Talkback 23 comments

  1. Anonymous -- 24/03/05

    Maybe if this was just another option available to internet banking customers, but how many people are really willing to reboot their PC just to access internet banking? No bank could force this solution upon customers, or they would find them leaving in droves. It's a nice idea, and would go a long way to ensure security, but I really don't think there's any chance for this to break into the mainstream. I'm betting that a hardware based add-on technology path will be followed by the banks eventually.

  2. Anonymous -- 24/03/05

    I do not want to go searching for my Knoppix CD every time I want to do internet banking...

    Nor do I need to boot a new OS just to do my internet banking...by the time I do that I could have got in my car and driven to the damn bank!

    If bank customers cannot secure their own computers, it is hardly the bank's fault....why make it difficult for everyone by having to use this fun, but totally inappropriate technology?

    And if I don't have a CD drive, or don't have my system boot from the CD drive by default? Is Knoppix going to pick up my internet connection automatically? Dial-up, broadband, wireless....I'd be very impressed if it does. And what about thin clients?

    Support costs will go through the roof with this "solution"...and internet banking will cost even more.

    Knoppix is a great tool for system admins and good for getting customers up and running with an OS if their computer's OS (probably Windows) is broken but it is hardly the right solution here. Sorry

  3. Anonymous -- 24/03/05

    Hi,

    I'm the product manager responsible for the Online Banking Coastguard at Cybersource, and the person quoted in the article.

    I'd like to quickly respond to the comments so far:

    Jason wrote:
    > Maybe if this was just another option available to Internet banking
    > customers,
    ...
    > No bank could force this solution upon customers,

    Right, I agree. This is intended as a secure option for banks and their customers; many customers are not satisfied with the level of security currently available and are already seeking a more secure solution, even if it means rebooting their PC to use online banking.

    Anonymous wrote:
    > I do not want to go searching for my Knoppix CD every time I want to do internet banking...

    Banks are already looking at a variety of methods of securing Online Banking; if it's not your Online Banking CD you have to find, it may be your Token or your Smart Card. The difference being Coastguard is cheaper for the Bank (and therefore the account holders) and Coastguard offers security in a wider range of situations.

    > Nor do I need to boot a new OS just to do my internet banking...by the time I do that I could have got in my car and driven to the damn bank!
    > If bank customers cannot secure their own computers, it is hardly the bank's fault....why make it difficult for everyone by having to use this fun, but totally inappropriate technology?

    It is not a case of applying blame here; it is the situation which is unsustainable. Phishing attacks are becoming more and more sophisticated, to the point where even expert users can be unwittingly fooled. You are also fortunate to live close enough to a Bank to attend the branch in person so easily; many Australians have to rely on online banking for most of their banking needs.

    > And if I don't have a CD drive, or don't have my system boot from the CD drive by default? Is Knoppix going to pick up my internet connection automatically? Dial-up, broadband, wireless....I'd be very impressed if it does. And what about thin clients?
    > Knoppix is a great tool for system admins and good for getting customers up and running with an OS if their computer's OS (probably Windows) is broken but it is hardly the right solution here. Sorry

    This is not Knoppix. Our solution uses Knoppix as a starting point, but our development effort has gone to addressing issues with Knoppix and ensuring the product is suited for the single purpose of secure online banking. Including an easy to use user interface, detection of Internet connections (prepare to be 'very impressed'), security, etc. Of course as with any software there are minimum hardware requirements before you can use this solution, but most modern computers should be fine.

    Regards
    Rohan Tronson
    Cybersource

  4. Anonymous -- 24/03/05

    I don't know about this, what happens if somebody steals my CD, can they break into my account?

  5. Anonymous -- 24/03/05

    Rohan, It's all very well and good that you've created a technically impressive product, and I'm sure that you would have worked through all the issues mentioned by anonymous, including having it do ADSL authentication, modem auto-detection, etc. to make it an easy to use product, but in the end people use internet banking for one reason: convenience. Have you done any research to find out whether users (and by user I mean the average joe who knows only how to use the most basic of computer functions) would be willing to go through the process of shutting down and rebooting Windows (or whichever OS they may be using), searching for their internet banking CD, then waiting for that to boot up, etc, etc. In the end, it's the user who will decide whether your product will succeed, not the bank.

  6. Anonymous -- 24/03/05

    i think this is a big step forward. banks are willing to think outside the box. of course they won't force this on customers but if they insist on using virus/trojan prone windoze, then they must accept some responsibility. this will also hopefully mean that the netbanking websites will work better for firefox/mozilla on osx/linux.

  7. Anonymous -- 24/03/05

    Eric,

    This isn't a problem, the CD provides secure access to the Online Banking site, entry of account details is done manually. No account information is stored on the CD. If someone stole your CD they would simply have the benefit of secure online banking to their own accounts at your bank.

    Rohan Tronson
    Cybersource

    Eric wrote:
    > I don't know about this, what happens if somebody steals my CD, can they break into my account?

  8. Anonymous -- 24/03/05

    If I need to boot my computer just to use internet banking, I'd rather use phone banking instead. The reason why I use net banking is because most of the information I require to make a transfer to another account is stored on my computer's HDD. eg. I just purchased an item on eBay and My Outlook displays the information to do transfers. Do I have to go through that trouble of rebooting? I'd rather just pick up the phone. What's the cost of a local call if you really want security?

    What about the people who do online banking at work? Or the people who do it on holidays at an internet cafe? Do I have to drag a CD that doesn't even fit in my wallet and can always get scratched?

    Whatever the option the bank decides: Bootable CDs, smart cards, finger print readers, whatever. They are going to make the customers pay anyway. So whatever I have to pay I'd rather use the most convenient method and that's what internet banking is all about. Anywhere, Anytime.

  9. Anonymous -- 24/03/05

    I may not use this solution to do online banking, but I and all the other tech heads on here aren't the target market methinks.

    For Jane Doe, rebooting into the 'secure banking terminal' to do her banking, round trip 2 mins, may be worth the peace of mind. And I guess that that's what the banks are tweaking onto.

    Anyway, great to see Australian companies producing innovative products.

  10. Anonymous -- 24/03/05

    Well, this is nice but... it won't be long until criminal organisations distribute CDs with the banks' logos on them and hacked versions of Firefox which send your details to their 'dummies'. It's a great idea if you can somehow guarantee the provenance of a CD.

  11. Anonymous -- 24/03/05

    Oh, I forgot to ask - regarding the internet connection, many people still use dial-up modems and most computers deployed over the past 5 years have a built-in 'winmodem' which works just fine for those running MS Windows (poor things). How many of these people who rely on their winmodem for connection will be able to make use of that CD?

  12. Anonymous -- 24/03/05

    Firstly I'd like to say kudos to you for doing something different. : )

    > Phishing attacks are becoming more and more sophisticated, to the point where even expert users can be unwittingly fooled.

    I'm not sure I agree with that comment entirely. I agree phishing attacks are becoming more sophisticated, but to use "expert users can be unwittingly fooled", please keep that for your sales meetings with the banks. I'm a security consultant that has done work for the banks and I haven't been unwittingly fooled, and I see phishing "attacks" all the time. Can you point me in the direction of one of these sophisticated phishing "attacks" that would fool me?

  13. Anonymous -- 24/03/05

    Is this GPL? Will your network detection get into Knoppix?

    This is a very interesting use of some great free software. Will the work you've done on automating network configuration get contributed to the Knoppix project? Is the whole thing covered by the GPL, and if so are the banks you sell to happy with that?

  14. Anonymous -- 25/03/05

    The KNOPPIX idea needs to be distilled into a bootable USB device, which would serve much better (but not cheaper) than the CD option. Access goes to my keychain and not my CD tray. Some users might prefer both.

    A good link: http://loosewire.typepad.com/blog/2005/03/a_directory_of_.html

    Another consideration is the one-time pad, which if used for each and every transaction could defeat the man-in-the-middle or other attacks.

  15. Anonymous -- 25/03/05

    "Unsupported" doesn't mean what it used to. At least one major Australian bank is rolling out Firefox internally, and at least two others support it but aren't allowed to say so by their marketing department.

    Feed some bank home pages to the Validator (http://validator.w3.org/) for some incisive comments on banks and standards.

  17. Anonymous -- 25/03/05

    All GPL and other open sources in the Online Banking Coastguard are complied with in this product. This is an open source solution.

    The product as a whole is a fee-for-customisation and support service to the banks and financial institutions who are customers, and they will get full and free access to the code.

  19. Anonymous -- 25/03/05

    Regarding support for Firefox by the banks.

    Think of it this way.

    If banks are going to start shipping a security solution which prevents most major forms of attack against their online banking customers, and that that solution relies on the use of Firefox by those customers, don't you think that they will then MAKE SURE that their online banking systems are then compliant with Firefox?

    Don't you think then that this makes a clever mechanism to ensure broader support for non-IE browsers amongst the banks, some of the last hold-outs?

  21. Anonymous -- 25/03/05

    That is in fact the way I do my bank transactions.
    I use a bootable Mandrake CD for that.
    No room for keyloggers and the like this way.

    I am a bit surprised to learn about banks that refuse to accept standard browsers like Firefox, Opera and the like.
    I cannot believe there is even one bank in Scandinavia that stupid.
    I would rather change my bank than change back to Windows and IE.

    Now even with a bootable CD there is this question of "fake" CDs dropping in through the mailbox.

    Security is not easy.

    If banks want to check what browser you are using I think they should refuse to do any transactions if the browser you use is way too old for security and then redirect you to the right download site.

  22. Anonymous -- 25/03/05

    This is great for security conscious users.

    Unfortunately the majority of users are not security aware or are simply ignorant of the potential threats. This is particularly evident reading some of the comments posted above by people that think they have a firm grasp of technology; they certainly have a firm grip of something.....

    People really need to take more responsibility for their online activities and not expect the companies and government to provide the only solutions.

    This Knoppix-based alternative isn't a magic bullet but it is certainly a step in the right direction, and if it helps make the banks friendlier towards other browsers and operating systems it has to be a good thing.

  23. Anonymous -- 26/03/05

    Windows and IE are the problems here. The banks shouldn't have to supply bootable Linux CDs to account holders. The account holders should know how to use their PCs and how to protect their data.

    The banks tell people to store their PINs in a safe place, they should also TELL account holders the same about computing "use a secure browser and OS." Not give them one.

    Bottom line: It's up to the account holder to secure their own PCs. Don't expect the banks to do it for them.

    Plain and simple.
