Solutions to ‘Man in the browser’ online banking security threat

27 11 2007


As reported by Computer World UK malware is shifting towards intercepting traffic inside the browser – a kind of man in the middle attack, rather than keystroke logging or phishing. This style of malware would intercept the password entered on the webpage using exploits in the browser. How about this solution to combat this?

Banks should offer their own applications to use for online banking – for instance, a virtual machine that saves it’s state running something like damn small linux + a web browser. This could be packaged with qemu.

You’d boot the virtual machine, use your banking, then when you closed it off, the virtual machine wouldn’t save changes, so it would always be the same.

This could be distributed on read only flash memory, or even plain old CDs to avoid malware modifying the image.

So: how do you do this?

1. Download DSL Embedded edition

2. Unzip it, and click dsl-base.bat

3. Up comes DSL linux, it boots using QEMU in a matter of seconds

4. Use your online banking as you wish (Ctrl – Alt releases the window so you can get back to your other applications)

5. That’s it…

The protection of using both Linux and a virtual machine in windows in 5 steps!

Now, if only banks would redistribute this, you can imagine how easy it would be to rebrand DSL, and to auto open firefox on the correct page.

Comments?

StumbleUpon Toolbar Stumble It!