Afterbytes with Marcus Ranum - Using A Dedicated PC For Online Banking

ABA Recommends Using Dedicated PC for Online Banking

Date: January 1 & 4, 2010

Synopsis: The American Bankers' Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions.

Sources: Online banking warning surprises some experts, Businesses warned about online banking

This particular bit of news seems to have gotten disproportionate attention. On one hand, people see it as "ABA tells home users to use a dedicated PC!" and on the other it's business as usual.

But, it's not business as usual - what ABA is doing is recommending a specific response to a deeper problem. The problem is not "online banking" or anything like it; what we're seeing here is an implicit statement that endpoint trust is finally beginning to matter, as cybercriminals are increasingly attacking the shoddy operating systems that everyone seems to use for general purposes.

Here's how ABA got it wrong: the problem IS the PC. If what you're trying to do is online banking, using a desktop operating system, especially one with no real barrier between user-land and kernel memory space, is like putting out a fire with gasoline. What ABA probably should have said, instead of "get another PC" is "do not use a PC for online banking, at all." Of course, that would also be ridiculous, because there is, presently, no real viable alternative. However, as one of the other NewsBytes editors said, some kind of locked-down "computer as a smart terminal" would be sufficient. His suggestion (which was excellent, BTW) was to use something like Faronics' "deep freeze" - but there are a plethora of options; including running one's browser on a dedicated system, with execution lockdown enabled, and no local privileges associated with the browser.

I've been saying for the better part of 15 years, now, (which will show you how good my prescience skillz are!) that the time is ripe for single-purpose load-outs of operating systems. Back in 1997/8, I recall Dan Geer and I were calling for the "death of general purpose computing" or, as the case may be, its murder. Is this finally happening? As I look at an iPhone I see one of the nails in general-purpose computing's coffin. Will that nail help get the job done, or will it inevitably succumb to bloat and cross-marketing opportunity, until it becomes the new hacker playground?

Note to the entrepreneurial: if small businesses and banks are getting this kind of advice from ABA, maybe it's time for someone to produce a locked-down "trustworthy terminal" PC with a restricted software load-out. I think there's a market here for someone who wants to produce a machine that has a run-time guaranteed free of malware. I didn't say that'd be easy; I just said I think there's a market for it.