Tuesday, 13 October 2009

E-Banking on a Locked Down (Non-Microsoft) PC

What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations.
Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom or DVD. The beauty of Live CDs is that they can be used to turn a Windows based PC into a provisional Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity -- are completely wiped away after the machine is shut down. To return to Windows, simply remove the CD from the drive and reboot.
More importantly, malware that is built to steal data from Windows-based systems simply won't load or work when the user is booting from LiveCD. Even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, the malware can't capture the victim's banking credentials if that user only transmits his user name and password after booting up into one of these Live CDs
There are dozens -- if not hundreds of these LiveCD distributions -- each with their own flavor or focus: Some try to be as small or lightweight as possible, others - like Backtrack - focus on offering some of the best open source hacking and security tools available. For this project, however, I'm showcasing Ubuntu because it is relatively easy to use and appears to play nicely with a broad range of computer hardware
A few words of advice before you proceed with this project:
-LiveCDs are easiest to use on desktop PCs. Loading a LiveCD on a laptop sometimes works fine, but often it's a bit of a hassle to get it to boot up or network properly, requiring the use of cryptic "cheat codes" and a lot of trial and error, in my experience.

-If you do decide to try this on a laptop, I'd urge you to plug the notebook into a router via an networking cable, as opposed to trying to access the Web with the LiveCD using a wireless connection. Networking a laptop on a wireless connection while using an LiveCD distribution may be relatively painless if you are not on an encrypted (WEP or WPA/WPA2) wireless network, but attempting to do this on an encrypted network is not for the Linux newbie.
-I conceived this tutorial as a way to help business owners feel safer about banking online, given the ability of many malware strains to evade standard security tools, such as desktop anti-virus software. Consumers who have their online bank account cleaned out because of a keystroke-sniffing Trojan usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Not so for businesses, which generally are responsible for any such losses. I'm not saying it's impossible to bank online securely with a Windows PC: This advice is aimed at those who would rather not leave anything to chance.

-The steps described below may sound like a lot of work, but most of what I'll describe only has to be done once, and from then on you can quickly boot into your Ubuntu Live CD whenever you need to.

With that, let's move on. To grab this package, visit the Ubuntu site, pick the nearest download location, and download the file when prompted (the file name should end in ".iso"). Go make a sandwich, or water your plants or something. This may take a while, depending on your Internet connection speed.

After you've download the file, burn the image to CD-Rom or DVD. If you don't know how to burn an image file to CD or don't know whether you have a program to do so, download something like Ashampoo Burning Studio Free. Once you've installed it, start the program and select "create/burn disc images." Locate the .iso file you just downloaded, and follow the prompts to burn the image to the disc.
When the burn is complete, just keep the disc in the drive. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive, otherwise this LiveCD will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says "Press [some key] to enter setup" or "Press [some key] to enter startup." Usually, the key you want will be F2, or the Delete or Escape (Esc) key.

When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you'll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named "Boot". Hit the "right arrow" key until you've reached that screen listing your bootable devices. What you want to do here is move the CD-Rom/DVD Drive to the top of the list. Do this by selecting the down-arrow key until the CD-Rom option is highlighted, and the press the "+" key on your keyboard until the CD-Rom option is at the top. Then hit the F10 key, and confirm "yes" when asked if you want to save changes and exit, and the computer should reboot. If you'd done this step correctly, the computer should detect the CD image you just burned as a bootable operating system. [Unless you know what you're doing here, it's important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option "Exit without saving changes." The computer will reboot, and you can try this step again.]
When you first boot into the Unbuntu CD, it will ask you to select your language. On the next screen, you'll notice that the default option - "Try Ubuntu without any change to your computer" - is already selected. Hit the "return" or "enter" key on your keyboard to proceed safely.
The CD will probably spin for a few minutes while the operating system figures out all the drivers it will need to load to support the hardware on your computer. Eventually, it should load up a graphical desktop environment.
From here, you should be able to just click on the Firefox icon, and when the browser pops up, enter the address of your bank's site and log on.

Note that depending on where you live, the Ubuntu installation may not accurately detect your time zone (when I booted up Ubuntu to take these screen shots, the Ubuntu desktop was four hours ahead of my actual time zone. I mention this because some banks will detect the discrepancy based upon your Internet address, which gives fairly accurate information about which part of the country you are when you log in. If you find that after passing your credentials to your bank that you are asked for additional verification details, it may be because the system clock is not correct. To fix this, simply right-click on the time as displayed in the upper portion of the screen, and select "Adjust Date and Time." Your changes will remain in effect until you shut down or log off the LiveCD session.
When you're done using the Live CD, you can safely power down the machine, or reboot and eject the CD immediately if you want to return to Windows.

No comments: