American Bankers’ Association Recommends Using Dedicated PC for Banking Transactions

Last week the American Bankers’ Association (ABA) recommended that small and medium-sized businesses adopt a special security measure, using a dedicated PC for Automated Clearing House (ACH) transactions, to protect against fraudulent transactions. This PC would be considerably safer than a normal one because, according to the ABA, it would not be used for other purposes such as Web browsing and email, two activities in which the likelihood of a PC being compromised by attackers and malware increases considerably.

The ABA’s recommendation should not be limited to banking transactions, however. Once compromised, a PC should be considered completely insecure and unreliable. The probability of a given PC being compromised is high, especially if that PC has not been hardened. Numerous research studies have shown that an out-of-the-box Windows system connected to the Internet without additional security controls becomes compromised in less than 10 minutes. These considerations virtually mandate that financial transactions, as well as other more sensitive functions, be performed only on a PC that is not subjected to the multitude of security risks that Web browsing and email functionality introduce.

Small and medium-sized businesses can afford to buy dedicated PCs for banking and other business-related functions. A huge problem, however, is that users usually do not have this luxury; having different physical computers for different functions is usually not financially feasible. A college student is, for example, likely to be able to afford only one PC. Fortunately, virtualization technology offers some realistic help for everyday users in that different virtual machines (VMs) can be created for different functions. Two VMs could run Windows 7, but one of them could be used for financial and other transactions, whereas the other could be used for “normal” user activity such as Web browsing. This kind of use of virtualization offers numerous advantages*:

1. Multiple functions can co-reside on a single physical machine, thus precluding the need to buy, set up and maintain a second one.
2. Each of the VMs could be rolled back to a known good state every time the physical machine is booted. If a VM were compromised, it could be restored to a previous, uncompromised state during boot.
3. If a standard configuration for VMs were prescribed by an organization’s standards, every new VM could be built according to these standards. Each VM would thus have a uniform configuration throughout the organization, thereby helping ensure that uniform security-related settings would be in place everywhere.
4. The ABA could design and build a “Gold Standard” VM to be used throughout the banking industry. This VM would help organizations achieve desired levels of security without having to allocate resources to determine desirable settings.
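
Item 2 above, sketched as an added example that is not part of the original post: a POSIX shell wrapper that throws away every change made to a banking VM and boots it from a known-good snapshot. It assumes Oracle VirtualBox's VBoxManage CLI on the host; the VM name (`bank-vm`) and snapshot name (`clean-baseline`) used with it are hypothetical.

```shell
#!/bin/sh
# Added example: reset a dedicated banking VM to a known-good snapshot.
# Assumes Oracle VirtualBox (VBoxManage); VM/snapshot names are hypothetical.
VBOX="${VBOX:-VBoxManage}"

# Print the VM's current state (running, paused, saved, poweroff, ...).
vm_state() {
    "$VBOX" showvminfo "$1" --machinereadable |
        sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Succeed when the VM is in a state from which a snapshot can be restored.
stopped() {
    case "$(vm_state "$1")" in poweroff|saved|aborted) return 0 ;; esac
    return 1
}

# Succeed only if the named snapshot exists for this VM.
snapshot_exists() {
    "$VBOX" snapshot "$1" list --machinereadable 2>/dev/null |
        sed -n 's/^SnapshotName[^=]*="\(.*\)"$/\1/p' | grep -Fxq -- "$2"
}

# Discard everything written since the snapshot, then boot from it.
reset_vm() {
    vm=$1 snap=$2 tries=0
    # Fail closed: never fall back to booting an unverified disk state.
    snapshot_exists "$vm" "$snap" || {
        echo "refusing to start $vm: snapshot '$snap' not found" >&2
        return 1
    }
    stopped "$vm" || "$VBOX" controlvm "$vm" poweroff || return 1
    until stopped "$vm"; do   # restore fails while the session is locked
        tries=$((tries + 1))
        [ "$tries" -le 10 ] || { echo "$vm did not stop" >&2; return 1; }
        sleep 1
    done
    "$VBOX" snapshot "$vm" restore "$snap" || return 1
    "$VBOX" startvm "$vm" --type gui
}

# Usage: reset-vm.sh <vm-name> <snapshot-name>
if [ "$#" -eq 2 ]; then reset_vm "$1" "$2"; fi
```

Run from a host login or startup item, this gives the "restore during boot" behaviour; the snapshot itself should be taken once, right after the VM has been patched and configured.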

Virtualization is not perfect from a security point of view. One of the greatest concerns is that all virtualization products have vulnerabilities that, if not patched, can result in numerous undesirable outcomes, one of which is the possibility (in certain virtualization products) of a perpetrator who gains privileged access to a guest VM being able to obtain privileged access to the host VM on the same physical machine. But assuming that risks inherent in virtualization are properly mitigated, virtualization can and does provide protection against fraudulent banking transactions as well as other types of incidents.

There is also another “poor man’s solution” for users to consider: using one browser (IE, Google Chrome, or…) for financial transactions and other more sensitive purposes, and then a completely different browser for all other purposes. The virtualization solution I have proposed is really better from a security standpoint; if someone running as a privileged user uses a particular browser that has a cross-site scripting vulnerability to connect to a malicious Web site, the game is over. Using a different browser for other functions will do no good if the operating system itself is compromised. But using different browsers is also a much more manageable solution for everyday users.

The ABA deserves considerable credit for its initiative in making such a good recommendation. The big question is whether banks will accept and implement it. After all, you can lead a horse to water, but you cannot make it drink…

* – Phil Hoffman deserves credit for informing me about virtualization benefits that I had not previously considered.
