How to Avoid Banking Trojans Using Live CDs
[Image: A screenshot of Xubuntu Linux running the Mozilla Firefox Web browser. Credit: Canonical Ltd./Mozilla Foundation]
One of the most damaging, and most difficult to detect, pieces of malware nowadays is a banking Trojan.
Banking Trojans infect Windows PCs via email attachments or drive-by downloads from corrupted Web pages. They take up residence in Web browsers and lie in wait until a user accesses an online bank account.
When the user does, the banking Trojan will figure out a way to piggyback into the user's account. It can capture the banking session ID, and log back on as soon as the user has logged off. It can even erase the record of its transactions from a user's account page.
It can give the user fake Web pages, such as a fake logout window so that the user never truly logs out, or even a mockup of the real bank's site.
Whatever the method, the goal is always the same: to move money out of the user's account into other accounts, and from there to accounts overseas.
Small business bogeyman
Private citizens are insured against such theft by federal regulations. For them, banks have to cover every dollar lost above $50.
But commercial bank accounts have no such protection. A bank can refuse to cover a business or other organization's loss to theft if the banking Trojan is found to be on the client's computer.
Small businesses and organizations are especially vulnerable to such schemes, because they generally have less digital security than larger outfits. We've heard of several cases in which a small business or local government has taken its bank to court for not covering losses to banking Trojans, often tens of thousands of dollars.
There are many ways to avoid being hit by a banking Trojan. Robust, updated anti-virus software will catch most variants. So far, there aren't any known banking Trojans targeting Mac OS X.
Set it in polycarbonate
Security expert Brian Krebs has a different way to avoid banking Trojans, and it's almost guaranteed to be foolproof: Do all your online banking using a Linux-based "live CD."
A live CD is a compact disc with a full, free Linux operating system on it. It'll boot up any Intel-based PC, and you can make it yourself by downloading the disk image and burning it to a CD.
Krebs recently posted a full set of instructions for creating a live CD on his blog, which is well worth reading for anyone interested in computer security.
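Since the disc is made from a downloaded image, it is worth checking that image before burning it. The following is an added example, not part of this article or of Krebs's instructions: it compares an image against a sha256sum-style checksum list of the kind distributions commonly publish next to their downloads. The file name and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Parse sha256sum-style lines: '<64 hex>  name' or '<64 hex> *name'."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large disc image is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' (image not named in the list)."""
    expected = parse_sums(sums_text).get(os.path.basename(image_path))
    if expected is None:
        return "unlisted"
    actual = sha256_file(image_path)
    return "ok" if hmac.compare_digest(actual.encode(), expected.encode()) else "mismatch"


def demo():
    """Constructed sample: a small stand-in file instead of a real disc image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-live.iso")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for a live CD image\n")
        sums = f"{sha256_file(path)} *example-live.iso\n"
        good = verify_image(path, sums)
        with open(path, "ab") as f:
            f.write(b"x")  # simulate a corrupted or altered download
        bad = verify_image(path, sums)
        return good, bad, verify_image(path, "")


if __name__ == "__main__":
    print(demo())
```

Only an "ok" result means the image matches the published checksum; a "mismatch" or "unlisted" image should be downloaded again rather than burned.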
The Linux operating system on the CD will have everything you need to access the bank account — a Web browser, a file manager, an email client and so on. You'll probably need only the Web browser.
You'll be protected from banking Trojans, and from all other malware, as long as you don't save any files to the machine's hard drive. Since the Linux operating system and all its applications are burned into the CD, they can't be altered in any way.
"Put simply," wrote Krebs in a Washington Post article in 2010, "even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs."
Using a live CD may take a little getting used to — some Linux distributions work differently from Windows. But it'll be well worth your peace of mind.