Banking Online - Avoid malware, use Live CD

With all the malware aimed at the Windows OS, and MS's recent record number of security patches its been issuing, coupled with the fact credit card fraud on the web has hit record numbers, I figure there has to be a safer way to go about conducting online banking that doesn't involve installing every AV and firewall app out there and praying to the IT gods my system isn't infected by a trojan, virus, or other form of malware, backdoor, or RAT (root access trojan). Cyber attacks have gotten so sophisticated I'm beginning to wonder if it's worse now then it's ever been, in spite of the advances made in security. Newer trojans will look for your bank data on your HDD (or record all your web activity) and then xfer this info to the thieves server with you never knowing what is taking place.

So I tried a method recommended by a friend:

Download any version of a Linux "Live CD". Burn the download to a CD.
Reboot (with the Live CD in the CD/DVD drive). You'll be rebooting into a Linux OS. No files are installed to your HDD, in fact everything you do while in the Linux OS (which is running from the CD) will vanish the instant you close the session and remove the CD. So now you can bank online, shop, pay bills, while not leaving ANY record on your PC for the hackers to swipe. Should your Windows OS become infected by one of these sneaky trojans or RATs, there is nothing there for them to steal - all your banking activity took place under a different OS that left no traces on your HDD.

After I heard about this I dug around on the web for this topic and saw a few web sites recommending it. CNET even recommends letting your kids surf the web from a Live CD since many of the sites they may visit (particularly those game sites) are a hotbed of viruses and trojans. Nothing they do while surfing under the Live CD can cause any harm to your Windows OS or HDD.

Most of the Linux versions available as a Live CD come with a web browser, but if not, and you want to have your familiar web browser (say, FF) along with your old familiar bookmarks, you can add these files to your CD before you burn it. You can even run Linux as a Live CD from a USB flash drive as opposed to a CD/DVD.

It's not 100% foolproof since your credit card data is always vulnerable to theft from merchant websites with poor security, resulting in "data breaches", but this method should reduce the theft of banking data from your PC to near zero. If you do try it be sure to clear all the old history from your Windows system (no sense leaving it there).

Hope this helps!

[edit on 18-10-2009 by Blackmarketeer]

You can also use a PC emulator like VirtualPC (from Microsoft but free) and install any operating system you like made for a PC. I have tested with DOS 6.1 (not the best choice for using the Internet, I know, but just to make the list complete ), Windows 3.1, Windows 95, Windows XP, Windows 7, Red Hat (I don't remember the version, but it was an old one) and Ubuntu 8.

The advantage is that you don't need to restart your PC, you use it as any other program, but it works independently of your real computer.

Good suggestions but I have seen a trend in the online banking and they are now trying to match you with an IP.. Of course they still need cookies but BofA will require additional questions answered if you log in from a different IP.

Just because you boot a live CD doesn't mean your IP address changes, thats all handled by your router and your ISP. One concern I would have about using a emulator like VirtualBox, etc is that if the host OS is compromised there could still be a risk of key capture. But definitely an awesome idea for keeping data safe when banking online, if more people did this it would cut down on the costs of sorting out stolen accounts and such.

Somebody should build a Live CD distro made for online banking. Or banks could provide a precooked distro made specifically for that bank.

I don't mean for everybody that knows what they are doing, I mean for Luddites out there that double click web links still....

Use the little CD's that are no bigger than a credit card so it fits in moms purse or in a check register. A boot able encrypted flash drive could even be used to store bank records.
It's all out there right now, just think the banks could promote it or add it to their service offerings.

Just to be clear, this isn't about hiding your IP, in fact some banks require you to use your home IP as an additional measure of identity (as already pointed out). This is about preventing any malware or trojans you might pick up during your daily web surfing from infecting your PC and stealing any and all your account passwords. For instance, there's an online crime syndicate called the "RBN", the Russian Business Network (as you might have guessed, these are cyber criminals from Russia). They perfected a type of malware that can affect even legitimate web pages through their use of iFrames. Once you stumble across once of these infected iFrames, the malware begins recording or accessing ALL of your web activity and keyboard keystrokes. It compiles that data and then sends it out to the thieves servers whenever you next go online. So let's say you pick up one of these nasty pieces of malware, it sits idly on your system undetectable to your firewall, anti-virus, or anti-trojan software. Then you next surf over to your bank where you login. The malware not only obtained your banks URL, it also got your login name and password. Maybe you've kept that info stored in your browsers cache? Either way, your bank account is now in jeopardy. In the past, these thieves would send you fake emails (called "phishing") to trick you into going to their phony bank login page designed to look just like your real bank's page, where you would inadvertently input your account name and password. Phishing has fallen off under advancing security measures by most banks and ISPs, so the thieves now affect the iFrames of innocent web pages into downloading a malware package to your PC and then sitting back and waiting for you to surf over to your bank at your leisure. It might wait for weeks for you to do so, then it activates and records your login.

What I described in the top post was how to routinely surf the web without leaving ANY traces of your activity and without leaving any downloaded viruses, trojans, or malware on your computer. Because once you remove the Live CD, everything you did during that session vanished, and no alterations were made to your hard drive. Besides, Live CD's are Linux based, and you'll have other options than MS Internet Explorer, which by itself will eliminate 95% of your infection risk.

But also to caution, just because you're using something like a Live CD session doesn't affect how you're accessing the web - you're still using your own phone line and your normal IP. So using a Live CD won't protect you from a phishing attack (just be sure never to click on any web link from an email, even if it appears to be from a friend or trusted source).

reply to post by Blackmarketeer


Very true and great points, unfortunately it mostly comes down to the user being vigilant and not doing stupid things like installing Limewire on their computer or other such retardation. Ideally people should have a computer dedicated to such tasks as banking and online shopping which is used explicitly for those tasks and never anything else, not even checking an email account online. However as I said once already its not going to happen because for most folks its far easier to bemoan IT security staff after the fact rather than take a few moments to educate themselves on how to avoid the dangers of identity theft and malware.

Here in Portugal most banks use virtual on-screen keyboards with changing layouts for customers to enter their sensitive data, and I think it's the best method.