Only the Easiest Way is the Secure Way

We, being security professionals, are often "just" looking for the most secure way to implement a certain task. Often we tend to forget the user when we implement these measures. I once visited a customer who showed me their ultimately secure solution for using a VPN and accessing mail:

  • Boot the computer
  • Log on
  • Start Virtual PC
  • Start the secure OS
  • Log on
  • Within the secure OS, open VPN
  • Within the secure OS, start the mail client

Show me the average user who understands what I just described. And the next question arises immediately: how do you transfer data from the "secure" VM to your machine? I know that this works, but how do you explain it to the average user…

A similar problem is being discussed with the banks: the least trustworthy part of Internet banking is outside the bank's control: the user and the user's PC. So, how do we address this? Well, in Western Europe two-factor authentication is definitely the standard, which addresses at least part of the phishing attacks – but unfortunately they are getting more and more sophisticated: we see targeted Trojans attacking just a single bank, installing a browser add-in and performing a man-in-the-middle attack right inside the browser. How do we address this? The banks are thinking about virtualization. So, the same scenario as described above – and you will definitely lose my mother as a customer, as she will not understand what to do. Internet banking is a huge saving for the banks, and therefore they are really reluctant to change anything in their systems that would make customers move back to traditional banking – they would rather risk losing some money.

So, what are the approaches we see?

  • Accept the fraud and live with it
  • Make the customers pay for the loss of money as well if they act irresponsibly (today, the banks usually refund the lost money)
  • Use virtualization and risk losing some customers
  • Use something like Terminal Server Application Mode, where the user just accesses the application sitting on a Terminal Server. In the future he/she will not see a difference between online and offline
  • Boot from a special CD

Option 1 is what we are doing today: close our eyes and make sure the press does not talk too much about it. This is paradise for the bad guys – they will never get prosecuted…

Personally, I think that option 2 will start to come up (in combination with other measures) – at least partially, and I think it is right. Why should Internet banking users care about PC security if there is nothing in it for them? However, this is dangerous. We have already seen successful attacks on Windows XP SP2 machines where one would have to say that the user did everything we told him/her to do: the firewall was on, the machine was patched and AV was up to date. The only problem he had: he was a local admin – but who isn't at home? Windows Vista will definitely make it harder to get malware installed, but until then we should not make these users pay for getting malware installed. But there are a lot of other users who do not care at all, and they shall pay for their negligence!

Options 3 and 4 have some future, as the application is no longer under the user's control – but it has to be seamless for the user. My mother shall not see a difference between Microsoft Word on the local PC and the banking application running remotely or in a VM.

Option 5: well, tell my mother that she should prepare her payments on the PC, then reboot from a special CD to do Internet banking – and by the way, how does the file with the payments get over to the "secure OS"? Mount the original disk? How does my mother then find the file? She normally just goes to "My Documents"… There is some research around this: Bootable disc eliminates viruses for safer banking – but in my opinion, we are addressing this problem from the wrong angle…

Roger