sunnuntaina, huhtikuuta 22, 2012

Getting rid of banking trojans

Today the Finnish Broadcasting Company (YLE) had a story about online criminals routinely stealing money from customers of Finnish banks.

I believe so far the banks have compensated customers for their losses. Of course, sooner or later, the banks must stop doing that because it will become too time-consuming and expensive. What will happen then?

Are the customers left to fend on their own?

Will the anti-virus industry step up their protection efforts and the problem will go away as soon as everyone has an up-to-date AV software installed?

Will Microsoft manage to lock down Windows so well that only the people who run old versions of Windows are affected and at the same time find a really good reason for people to upgrade to a newer Windows version?

Both of the latter scenarios are just extrapolations of current events. Undoubtedly, Microsoft will continue to improve security of Windows in upcoming versions. Just as likely, anti-virus software will probably continue to evolve to meet the challenges of the new threats.

Is that all? Is this the best we can hope for?

I think there is another solution. A very simple one. Unfortunately I cannot think of any way to make money out of it, so it probably won't happen. I will describe it here anyway, just in case someone decides to implement it.

Here it is: Banks should create a bootable read-only USB stick and give one to each customer. The read-only memory would boot a small Linux and run a web browser. The customers would be told to insert the stick into the PC and restart the computer before banking over the Internet.

There are a lot of details that can be debated: Should it be a USB stick or CD? Which Linux should it use? Should the browser run full-screen or in a window? Should it be made easy to use the Linux for other purposes too? Should the Linux be able to save files on the hard disk? Should it support Macs?

Those are minor details. Interesting details, I'm sure. But the core idea appears above in bold. If the banks would do that, they could sleep easy. The customers would know their money is safe.

This is such a simple idea I'm sure it has a ton of problems I have not thought about and because of those it just isn't a viable solution.

Just in case any bank decides to be bold and implement the idea, go ahead. I'm not going to charge money or patent the idea. And the bank cannot patent it either because they cannot claim the idea is theirs.