Linux security question - NZ Banking C of P

Discussion in 'NZ Computing' started by Lodi, Sep 2, 2007.

  1. Lodi

    Lodi Guest

    Hi all...These are the bits of the NZ Banking Code of Practice causing
    all the current debate about internet banking personal liability ....

    <snip>

    Section 8c (iii)

    - you have used a computer or device that does not have appropriate
    protective software and operating system installed and up to date;
    - you have failed to take reasonable steps to ensure that the protective
    systems such as virus scanning, firewall, anti-spyware, operating system
    and anti-spam software on your computer are up to date;

    http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf

    </snip>

    My question is....how many Linux desktop users in this group use
    "protective software" such as "up-to-date virus scanning, firewall, anti-
    spyware, operating system and anti-spam software".

    I use Kubuntu Feisty and I have none of the above. Clicking on "Update"
    when Adept tells me to is the limit of my security procedures. Coming
    from an MS background it does seem a bit unnatural not to have a load of
    security software running and being constantly updated but I can see why
    it's not so necessary under Linux.

    Ignore for the moment the "internet banking personal liability" angle and
    the fact that InternetNZ and the NZ Consumers' Institute are trying to
    have the Code of Practice changed.

    Should I be running Clam AV or Panda AV or whatever AV even though I'm
    just a desktop, not a mail server, not connected to any MS machines, not
    serving anything, not forwarding anything anywhere.

    Should I be running IP Cop or Guard Dog or whatever firewall when my
    router has a built in firewall. And I don't mind being pinged/probed cos
    if someone got in there's nothing they can do without my admin password.

    I've run (K)Ubuntu for the last year quite happily without all the
    security software. What security software do the more experienced Linux
    desktop users run.

    Regards
    Lodi
     
    Lodi, Sep 2, 2007
    #1

  2. Lodi

    whoisthis Guest

    It's not just Linux, Mac OSX is also in the same category, I DO have a
    server on line and it has been for over 2 years..... no antivirus
    software, unused ports disabled, firewall running, and no problems.
     
    whoisthis, Sep 2, 2007
    #2

  3. Lodi

    Malcolm Guest

    Lodi wrote:
    > Hi all...These are the bits of the NZ Banking Code of Practice causing
    > all the current debate about internet banking personal liability ....
    >
    > <snip>
    >
    > Section 8c (iii)
    >
    > - you have used a computer or device that does not have appropriate
    > protective software and operating system installed and up to date;
    > - you have failed to take reasonable steps to ensure that the protective
    > systems such as virus scanning, firewall, anti-spyware, operating system
    > and anti-spam software on your computer are up to date;
    >
    > http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >
    > </snip>
    >
    > My question is....how many Linux desktop users in this group use
    > "protective software" such as "up-to-date virus scanning, firewall, anti-
    > spyware, operating system and anti-spam software".
    >
    > I use Kubuntu Feisty and I have none of the above. Clicking on "Update"
    > when Adept tells me to is the limit of my security procedures. Coming
    > from an MS background it does seem a bit unnatural not to have a load of
    > security software running and being constantly updated but I can see why
    > it's not so necessary under Linux.
    >
    > Ignore for the moment the "internet banking personal liability" angle and
    > the fact that InternetNZ and the NZ Consumers' Institute are trying to
    > have the Code of Practice changed.
    >
    > Should I be running Clam AV or Panda AV or whatever AV even though I'm
    > just a desktop, not a mail server, not connected to any MS machines, not
    > serving anything, not forwarding anything anywhere.
    >
    > Should I be running IP Cop or Guard Dog or whatever firewall when my
    > router has a built in firewall. And I don't mind being pinged/probed cos
    > if someone got in there's nothing they can do without my admin password.
    >
    > I've run (K)Ubuntu for the last year quite happily without all the
    > security software. What security software do the more experienced Linux
    > desktop users run.
    >
    > Regards
    > Lodi


    - F-prot updates every night and a full scan of my home directory is
    done (never had a hit). Rkhunter and chkrootkit

    - Router has a firewall and this box has one as well.

    - Seamonkey/Firefox for browsers

    - Currently used Thunderbird as claws-mail seems to have an issue with
    reference headers (wading through code to see if I can work it out)

    - Notified by email of updates for my OS, then run the updater manually.

    I would query your bank first if you are concerned, at the end of the
    day they are the ones you will have to deal with.

    I use the internet and my bank's internal secure(?) mail system for all
    my transfer etc and never had a problem.

    --
    Cheers Malcolm °¿° (Linux Counter #276890)
    SLED 10.0 SP1 x86_64 Kernel 2.6.16.46-0.14-smp
    up 3:22, 4 users, load average: 0.92, 0.97, 0.91
     
    Malcolm, Sep 2, 2007
    #3
  4. Lodi

    Shane Guest

    Malcolm wrote:

    > Lodi wrote:
    >> Hi all...These are the bits of the NZ Banking Code of Practice causing
    >> all the current debate about internet banking personal liability ....
    >>
    >> <snip>
    >>
    >> Section 8c (iii)
    >>
    >> - you have used a computer or device that does not have appropriate
    >> protective software and operating system installed and up to date;
    >> - you have failed to take reasonable steps to ensure that the protective
    >> systems such as virus scanning, firewall, anti-spyware, operating system
    >> and anti-spam software on your computer are up to date;
    >>
    >> http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >>
    >> </snip>
    >>
    >> My question is....how many Linux desktop users in this group use
    >> "protective software" such as "up-to-date virus scanning, firewall, anti-
    >> spyware, operating system and anti-spam software".
    >>
    >> I use Kubuntu Feisty and I have none of the above. Clicking on "Update"
    >> when Adept tells me to is the limit of my security procedures. Coming
    >> from an MS background it does seem a bit unnatural not to have a load of
    >> security software running and being constantly updated but I can see why
    >> it's not so necessary under Linux.
    >>
    >> Ignore for the moment the "internet banking personal liability" angle and
    >> the fact that InternetNZ and the NZ Consumers' Institute are trying to
    >> have the Code of Practice changed.
    >>
    >> Should I be running Clam AV or Panda AV or whatever AV even though I'm
    >> just a desktop, not a mail server, not connected to any MS machines, not
    >> serving anything, not forwarding anything anywhere.
    >>
    >> Should I be running IP Cop or Guard Dog or whatever firewall when my
    >> router has a built in firewall. And I don't mind being pinged/probed cos
    >> if someone got in there's nothing they can do without my admin password.
    >>
    >> I've run (K)Ubuntu for the last year quite happily without all the
    >> security software. What security software do the more experienced Linux
    >> desktop users run.
    >>
    >> Regards
    >> Lodi

    >
    > - F-prot updates every night and a full scan of my home directory is
    > done (never had a hit). Rkhunter and chkrootkit
    >
    > - Router has a firewall and this box has one as well.
    >
    > - Seamonkey/Firefox for browser's
    >
    > - Currently used Thunderbird as claws-mail seems to have an issue with
    > reference headers (wading through code to see if I can work it out)
    >
    > - Notified by email of updates for my OS, then run the updater manually.
    >
    > I would query your bank first if you are concerned, at the end of the
    > day they are the ones you will have to deal with.
    >
    > I use the internet and my banks internal secure(?) mail system for all
    > my transfer etc and never had a problem.
    >


    If I can add just one thing, and this goes for _any_ OS, one way to watch
    your system is to periodically (eg. nightly) execute a script that recurses
    through every file on your system, collecting hash sums of each file held
    within, and then comparing that hash against the previous run's hash
    collection. Any changes to your files can then be spotted relatively
    quickly.

    The catch is, that a large number of files within your system change
    regularly (esp. /tmp) and provide you with a lot of checks to wade through.
    You won't know a rootkit has been installed, just that files that should not
    have changed, have. (That's funny I don't recall updating /bin/bash)
    Also you won't know of the changes until after the next run.




    --
    Q: How can you tell that a mathematician is extroverted?
    A: When talking to you, he looks at your shoes instead of at his.
     
    Shane, Sep 2, 2007
    #4
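
The nightly hash-and-compare check described in post #4, including the /tmp noise problem it mentions, as an added example that is not part of the original thread. The function names, the exclude list and the JSON baseline format are assumptions made for illustration; the sample tree is constructed.

```python
import hashlib
import json
import os
import tempfile

# Trees that change constantly and would only add noise (the post singles
# out /tmp). This list is an assumption; tune it per host.
DEFAULT_EXCLUDES = ("/tmp", "/var/tmp", "/proc", "/sys", "/dev", "/run")


def hash_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _is_excluded(path, excludes):
    return any(path == e or path.startswith(e + os.sep) for e in excludes)


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Walk root and map every regular file's path to its hash."""
    excludes = tuple(os.path.abspath(e) for e in excludes)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(os.path.abspath(root)):
        # Prune excluded subtrees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if not _is_excluded(os.path.join(dirpath, d), excludes)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, FIFOs and device nodes
            try:
                manifest[path] = hash_file(path)
            except OSError:
                manifest[path] = "UNREADABLE"  # no permission, or gone mid-scan
    return manifest


def diff_manifests(old, new):
    """Compare the previous run's manifest with the current one."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in new if p in old and old[p] != new[p]),
    }


def save_manifest(manifest, path):
    # The baseline is only useful if an intruder cannot rewrite it: on a
    # real host keep it on read-only or off-machine storage.
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed sample tree: baseline run, tampering, second run."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        for rel, data in {"bin/bash": b"original shell",
                          "bin/ls": b"ls",
                          "tmp/scratch": b"run 1"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        excludes = (os.path.join(root, "tmp"),)   # stands in for /tmp
        baseline = os.path.join(root, "tmp", "baseline.json")
        save_manifest(build_manifest(root, excludes), baseline)

        # What happens between the two nightly runs.
        with open(os.path.join(root, "bin/bash"), "wb") as fh:
            fh.write(b"replaced shell")            # should be reported
        os.remove(os.path.join(root, "bin/ls"))    # should be reported
        with open(os.path.join(root, "bin/newtool"), "wb") as fh:
            fh.write(b"unexpected binary")         # should be reported
        with open(os.path.join(root, "tmp/scratch"), "wb") as fh:
            fh.write(b"run 2")                     # excluded, stays quiet

        report = diff_manifests(load_manifest(baseline),
                                build_manifest(root, excludes))
        return {kind: [os.path.relpath(p, root) for p in paths]
                for kind, paths in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
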
  5. Lodi

    Peter Guest

    Lodi wrote:
    > My question is....how many Linux desktop users in this group use
    > "protective software" such as "up-to-date virus scanning, firewall, anti-
    > spyware, operating system and anti-spam software".
    > I use Kubuntu Feisty and I have none of the above.


    I'm using Kubuntu Feisty and this does have a firewall and is an up to date
    operating system. The firewall, of course, is built into the kernel, and
    I've found Firestarter to be a useful GUI for configuring it.
    AFAIK the Linux virus scanners only check for Windows viruses.

    Although Linux is more resistant to malware, I don't treat it as invincible
    or immune. So, I have closed out unnecessary services, run a firewall,
    keep up to date with patches and minimise use of root privileges. Use
    sensible passwords (at least 8 characters long, not a dictionary word,
    upper & lower case, numbers, etc). If you don't run any servers (http,
    ftp, mail, etc), then your machine is less vulnerable.

    Also, keep your data backup up to date. If the system is ever compromised,
    the solution is a complete reinstall.

    HTH

    Peter
     
    Peter, Sep 2, 2007
    #5
  6. In message <fbd9e9$gtt$>, Shane wrote:

    > If I can add just one thing, and this goes for _any_ OS, one way to watch
    > your system is to periodically (eg. nightly) execute a script that
    > recurses through every file on your system, collecting hash sums of each
    > file held within, and then comparing that hash against the previous runs
    > hash collection. Any changes to your files can then be spotted relatively
    > quickly.


    There are already tools to do this--Tripwire is one name that comes to mind.
     
    Lawrence D'Oliveiro, Sep 2, 2007
    #6
  7. On Sun, 02 Sep 2007 04:17:51 +0200, Lodi wrote:

    > - you have used a computer or device that does not have appropriate
    > protective software and operating system installed and up to date; - you
    > have failed to take reasonable steps to ensure that the protective systems
    > such as virus scanning, firewall, anti-spyware, operating system and
    > anti-spam software on your computer are up to date;
    >
    > http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >
    > </snip>


    That "code of practice" is nothing more than the banks trying to avoid
    liability for the poor design and security practices on their own website.

    I have considered for a while already that "internet banking" is not a
    secure means of conducting a banking transaction.


    <snip>

    > Should I be running IP Cop or Guard Dog or whatever firewall when my
    > router has a built in firewall. And I don't mind being pinged/probed cos
    > if someone got in there's nothing they can do without my admin password.


    Yes.

    A strong network firewall - not just relying on something bundled with a
    router - is always a good thing to have running.


    > I've run (K)Ubuntu for the last year quite happily without all the
    > security software. What security software do the more experienced Linux
    > desktop users run.


    Also, if you regularly receive many emails with attachments from Windows
    users it is a good idea to check them for virus content - if for no other
    reason other than to know you are not forwarding a virus onto someone else.

    Frankly, the banks are wanting to avoid liability for their own poor
    websites. I would advise you to not use those sites so long as their
    security is as poor as it currently is.

    The banks' websites are not good at preventing phishing attacks of even
    the most basic kind. Do not use them.


    --
    Jonathan Walker

    "The IT industry landscape is littered with the dead
    dreams of people who once trusted Microsoft."
     
    Jonathan Walker, Sep 2, 2007
    #7
  8. Lodi

    Shane Guest

    Lawrence D'Oliveiro wrote:

    > In message <fbd9e9$gtt$>, Shane wrote:
    >
    >> If I can add just one thing, and this goes for _any_ OS, one way to watch
    >> your system is to periodically (eg. nightly) execute a script that
    >> recurses through every file on your system, collecting hash sums of each
    >> file held within, and then comparing that hash against the previous runs
    >> hash collection. Any changes to your files can then be spotted
    >> relatively quickly.

    >
    > There are already tools to do this--Tripwire is one name that comes to
    > mind.


    And...?

    --
    "The number you have dialed is imaginary. Please, rotate your phone by 90
    degrees and try again..."
     
    Shane, Sep 2, 2007
    #8
  9. Lodi

    Greg House Guest

    On Sun, 2 Sep 2007 04:17:51 +0200 (CEST), Lodi <> wrote:

    >Hi all...These are the bits of the NZ Banking Code of Practice causing
    >all the current debate about internet banking personal liability ....
    >
    ><snip>
    >
    >Section 8c (iii)
    >
    >- you have used a computer or device that does not have appropriate
    >protective software and operating system installed and up to date;
    >- you have failed to take reasonable steps to ensure that the protective
    >systems such as virus scanning, firewall, anti-spyware, operating system
    >and anti-spam software on your computer are up to date;
    >
    >http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >
    ></snip>
    >
    >My question is....how many Linux desktop users in this group use
    >"protective software" such as "up-to-date virus scanning, firewall, anti-
    >spyware, operating system and anti-spam software".
    >
    >I use Kubuntu Feisty and I have none of the above. Clicking on "Update"
    >when Adept tells me to is the limit of my security procedures. Coming
    >from an MS background it does seem a bit unnatural not to have a load of
    >security software running and being constantly updated but I can see why
    >it's not so necessary under Linux.
    >
    >Ignore for the moment the "internet banking personal liability" angle and
    >the fact that InternetNZ and the NZ Consumers' Institute are trying to
    >have the Code of Practice changed.
    >
    >Should I be running Clam AV or Panda AV or whatever AV even though I'm
    >just a desktop, not a mail server, not connected to any MS machines, not
    >serving anything, not forwarding anything anywhere.
    >
    >Should I be running IP Cop or Guard Dog or whatever firewall when my
    >router has a built in firewall. And I don't mind being pinged/probed cos
    >if someone got in there's nothing they can do without my admin password.
    >
    >I've run (K)Ubuntu for the last year quite happily without all the
    >security software. What security software do the more experienced Linux
    >desktop users run.
    >
    >Regards
    >Lodi




    But the World does not run around Lunix old chap, and in most cases only for Nerds..

    Lunix does not suffer from these Virus problems because it's of very little use by the Masses and
    hardly used..
     
    Greg House, Sep 2, 2007
    #9
  10. Lodi

    Greg House Guest

    On Sun, 02 Sep 2007 15:10:21 +1200, Shane <-a-geek.net> wrote:

    >Malcolm wrote:
    >
    >> Lodi wrote:
    >>> Hi all...These are the bits of the NZ Banking Code of Practice causing
    >>> all the current debate about internet banking personal liability ....
    >>>
    >>> <snip>
    >>>
    >>> Section 8c (iii)
    >>>
    >>> - you have used a computer or device that does not have appropriate
    >>> protective software and operating system installed and up to date;
    >>> - you have failed to take reasonable steps to ensure that the protective
    >>> systems such as virus scanning, firewall, anti-spyware, operating system
    >>> and anti-spam software on your computer are up to date;
    >>>
    >>> http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >>>
    >>> </snip>
    >>>
    >>> My question is....how many Linux desktop users in this group use
    >>> "protective software" such as "up-to-date virus scanning, firewall, anti-
    >>> spyware, operating system and anti-spam software".
    >>>
    >>> I use Kubuntu Feisty and I have none of the above. Clicking on "Update"
    >>> when Adept tells me to is the limit of my security procedures. Coming
    >>> from an MS background it does seem a bit unnatural not to have a load of
    >>> security software running and being constantly updated but I can see why
    >>> it's not so necessary under Linux.
    >>>
    >>> Ignore for the moment the "internet banking personal liability" angle and
    >>> the fact that InternetNZ and the NZ Consumers' Institute are trying to
    >>> have the Code of Practice changed.
    >>>
    >>> Should I be running Clam AV or Panda AV or whatever AV even though I'm
    >>> just a desktop, not a mail server, not connected to any MS machines, not
    >>> serving anything, not forwarding anything anywhere.
    >>>
    >>> Should I be running IP Cop or Guard Dog or whatever firewall when my
    >>> router has a built in firewall. And I don't mind being pinged/probed cos
    >>> if someone got in there's nothing they can do without my admin password.
    >>>
    >>> I've run (K)Ubuntu for the last year quite happily without all the
    >>> security software. What security software do the more experienced Linux
    >>> desktop users run.
    >>>
    >>> Regards
    >>> Lodi

    >>
    >> - F-prot updates every night and a full scan of my home directory is
    >> done (never had a hit). Rkhunter and chkrootkit
    >>
    >> - Router has a firewall and this box has one as well.
    >>
    >> - Seamonkey/Firefox for browser's
    >>
    >> - Currently used Thunderbird as claws-mail seems to have an issue with
    >> reference headers (wading through code to see if I can work it out)
    >>
    >> - Notified by email of updates for my OS, then run the updater manually.
    >>
    >> I would query your bank first if you are concerned, at the end of the
    >> day they are the ones you will have to deal with.
    >>
    >> I use the internet and my banks internal secure(?) mail system for all
    >> my transfer etc and never had a problem.
    >>

    >
    >If I can add just one thing, and this goes for _any_ OS, one way to watch
    >your system is to periodically (eg. nightly) execute a script that recurses
    >through every file on your system, collecting hash sums of each file held
    >within, and then comparing that hash against the previous runs hash
    >collection. Any changes to your files can then be spotted relatively
    >quickly.
    >
    >The catch is, that a large number of files within your system change
    >regularly (esp. /tmp) and provide you with a lot of checks to wade through.
    >You wont know a rootkit has been installed, just that files that should not
    >have changed, have. (That's funny I dont recall updating /bin/bash)
    >Also you wont know of the changes until after the next run.
    >
    >
    >
    >



    So tell me how will Joe Blow and Mum & Dad do this..?

    90% of people that use the Net are not Nerds..
     
    Greg House, Sep 2, 2007
    #10
  11. Lodi

    whoisthis Guest

    In article <>,
    Jonathan Walker <> wrote:

    > On Sun, 02 Sep 2007 04:17:51 +0200, Lodi wrote:
    >
    > > - you have used a computer or device that does not have appropriate
    > > protective software and operating system installed and up to date; - you
    > > have failed to take reasonable steps to ensure that the protective systems
    > > such as virus scanning, firewall, anti-spyware, operating system and
    > > anti-spam software on your computer are up to date;
    > >
    > > http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    > >
    > > </snip>

    >
    > That "code of practise" is nothing more than the banks trying to avoid
    > liability for the poor design and security practises on their own website.
    >
    > I have considered for a while already that "internet banking" is not a
    > secure means of conducting a banking transaction.
    >
    >
    > <snip>
    >
    > > Should I be running IP Cop or Guard Dog or whatever firewall when my
    > > router has a built in firewall. And I don't mind being pinged/probed cos
    > > if someone got in there's nothing they can do without my admin password.

    >
    > Yes.
    >
    > A strong network firewall - not just relying on something bundled with a
    > router - is always a good thing to have running.
    >
    >
    > > I've run (K)Ubuntu for the last year quite happily without all the
    > > security software. What security software do the more experienced Linux
    > > desktop users run.

    >
    > Also, if you regularly receive many emails with attachments from Windows
    > users it is a good idea to check them for virus content - if for no other
    > reason other than to know you are not forwarding a virus onto someone else.
    >
    > Frankly, the banks are wanting to avoid liability for their own poor
    > websites. I would advise you to not use those sites so long as their
    > security is as poor as it currently is.
    >
    > The banks' websites are not good at preventing phishing attacks of even
    > the most basic kind. Do not use them.


    1. There is keylogging software for linux, so unless you use your OWN
    computer irrespective of OS then it is untrusted. There are also various
    man-in-the-middle attacks and so on, again these are OS independent.
    Hell it can also be something as simple as a web cam on another machine
    which just happens to point at your keyboard so they can record
    keystrokes that way.

    2. If YOU CHOOSE to use an untrusted machine that does happen to have a
    keylogger then why should the bank be liable ?

    3. Phishing sites are quite sophisticated and are often hosted in
    multiple countries simultaneously. I fail to see how the banks can
    prevent someone from writing a web page that resembles theirs, the
    suggestion that they can is idiotic and shows a massive lack of
    knowledge.

    4. The BEST option is to use a 3rd means of verification, the PSA for
    example issues a device that has a synchronised rolling key, the BNZ has
    a card that you need to decrypt a verification string and so on.

    Bottom line is the banks are tired of shelling out money to cover
    someone else's stupidity, this is no different to insurance companies who
    will not pay out if you leave your keys in the car and it gets stolen.
    You have to take some responsibility for your own choices somewhere.
     
    whoisthis, Sep 2, 2007
    #11
  12. Lodi

    Shane Guest

    Greg House wrote:

    > On Sun, 02 Sep 2007 15:10:21 +1200, Shane <-a-geek.net>
    > wrote:
    >
    >>Malcolm wrote:
    >>
    >>> Lodi wrote:
    >>>> Hi all...These are the bits of the NZ Banking Code of Practice causing
    >>>> all the current debate about internet banking personal liability ....
    >>>>
    >>>> <snip>
    >>>>
    >>>> Section 8c (iii)
    >>>>
    >>>> - you have used a computer or device that does not have appropriate
    >>>> protective software and operating system installed and up to date;
    >>>> - you have failed to take reasonable steps to ensure that the
    >>>> protective systems such as virus scanning, firewall, anti-spyware,
    >>>> operating system and anti-spam software on your computer are up to
    >>>> date;
    >>>>
    >>>> http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >>>>
    >>>> </snip>
    >>>>
    >>>> My question is....how many Linux desktop users in this group use
    >>>> "protective software" such as "up-to-date virus scanning, firewall,
    >>>> anti- spyware, operating system and anti-spam software".
    >>>>
    >>>> I use Kubuntu Feisty and I have none of the above. Clicking on "Update"
    >>>> when Adept tells me to is the limit of my security procedures. Coming
    >>>> from an MS background it does seem a bit unnatural not to have a load
    >>>> of security software running and being constantly updated but I can see
    >>>> why it's not so necessary under Linux.
    >>>>
    >>>> Ignore for the moment the "internet banking personal liability" angle
    >>>> and the fact that InternetNZ and the NZ Consumers' Institute are trying
    >>>> to have the Code of Practice changed.
    >>>>
    >>>> Should I be running Clam AV or Panda AV or whatever AV even though I'm
    >>>> just a desktop, not a mail server, not connected to any MS machines,
    >>>> not serving anything, not forwarding anything anywhere.
    >>>>
    >>>> Should I be running IP Cop or Guard Dog or whatever firewall when my
    >>>> router has a built in firewall. And I don't mind being pinged/probed
    >>>> cos if someone got in there's nothing they can do without my admin
    >>>> password.
    >>>>
    >>>> I've run (K)Ubuntu for the last year quite happily without all the
    >>>> security software. What security software do the more experienced Linux
    >>>> desktop users run.
    >>>>
    >>>> Regards
    >>>> Lodi
    >>>
    >>> - F-prot updates every night and a full scan of my home directory is
    >>> done (never had a hit). Rkhunter and chkrootkit
    >>>
    >>> - Router has a firewall and this box has one as well.
    >>>
    >>> - Seamonkey/Firefox for browser's
    >>>
    >>> - Currently used Thunderbird as claws-mail seems to have an issue with
    >>> reference headers (wading through code to see if I can work it out)
    >>>
    >>> - Notified by email of updates for my OS, then run the updater manually.
    >>>
    >>> I would query your bank first if you are concerned, at the end of the
    >>> day they are the ones you will have to deal with.
    >>>
    >>> I use the internet and my banks internal secure(?) mail system for all
    >>> my transfer etc and never had a problem.
    >>>

    >>
    >>If I can add just one thing, and this goes for _any_ OS, one way to watch
    >>your system is to periodically (eg. nightly) execute a script that
    >>recurses through every file on your system, collecting hash sums of each
    >>file held within, and then comparing that hash against the previous runs
    >>hash
    >>collection. Any changes to your files can then be spotted relatively
    >>quickly.
    >>
    >>The catch is, that a large number of files within your system change
    >>regularly (esp. /tmp) and provide you with a lot of checks to wade
    >>through. You wont know a rootkit has been installed, just that files that
    >>should not have changed, have. (That's funny I dont recall updating
    >>/bin/bash) Also you wont know of the changes until after the next run.
    >>
    >>
    >>
    >>

    >
    >
    > So tell me how do Joe Blow and Mum & Dad will do this..?
    >
    > 90% of people that use the Net are not Neards..


    The same you will.
    --
    Q: Who knows everything there is to be known about vector analysis?
    A: The Oracle of del phi!
     
    Shane, Sep 2, 2007
    #12
  13. Lodi

    Gordon Guest

    On 2007-09-02, Lodi <> wrote:
    > Hi all...These are the bits of the NZ Banking Code of Practice causing
    > all the current debate about internet banking personal liability ....
    >
    ><snip>
    >
    > Section 8c (iii)
    >
    > - you have used a computer or device that does not have appropriate
    > protective software and operating system installed and up to date;
    > - you have failed to take reasonable steps to ensure that the protective
    > systems such as virus scanning, firewall, anti-spyware, operating system
    > and anti-spam software on your computer are up to date;
    >
    > http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >


    Let us put this another way. Are you relaxed/happy to use internet banking
    with your bank with this attitude?

    Would you fly with an airline which said that 72 seconds after take off
    there was a chance that it would crash before the end of the flight?

    Convenience vs security including risk.
     
    Gordon, Sep 2, 2007
    #13
  14. Lodi

    Gordon Guest

    On 2007-09-02, Greg House <> wrote:
    >
    >
    >
    > But the World does not run around Lunix old chap,


    No, and nor would Ms Penguin want it to.

    > and in most cases only for Nerds..


    Ms Penguin has just crossed you off her fish list.

    >
    > Lunix does not suffer from these Virus problems because its of very little use by the Masses and
    > hardly used..
    >

    Gentle reader this *is* the point. Once we have about 429 OS being used
    then, what will be the point of virus/malware writing, for it cannot
    deliver a positive cost benefit ratio.

    Competition is good, the irony is that people are unaware of the risks until
    they are hit.
     
    Gordon, Sep 2, 2007
    #14
  15. On Sun, 02 Sep 2007 17:15:35 +1200, whoisthis wrote:

    > Bottom line is the banks are tired of shelling out money to cover someone
    > elses stupidity, this is no different to insurance companies who will not
    > pay out if you leave your keys in the car and it gets stolen. You have to
    > take some responsibility for your own choices somewhere.


    If you choose to put a financial system on the Internet for all, and I do
    mean *ALL* to access, then you should take the consequences of that.
    Nobody asked for "internet banking". The banks put that up as a way to
    reduce costs. Of course they have now found that it is an easy channel for
    fraud. Problem is that they don't want to make that channel difficult.
    They are pushing the responsibility for the security of that service onto
    their customers.


    --
    Jonathan Walker

    "The IT industry landscape is littered with the dead
    dreams of people who once trusted Microsoft."
     
    Jonathan Walker, Sep 2, 2007
    #15
  16. Lodi

    whoisthis Guest

    In article <46da4db8$>,
    Jonathan Walker <> wrote:

    > On Sun, 02 Sep 2007 17:15:35 +1200, whoisthis wrote:
    >
    > > Bottom line is the banks are tired of shelling out money to cover someone
    > > elses stupidity, this is no different to insurance companies who will not
    > > pay out if you leave your keys in the car and it gets stolen. You have to
    > > take some responsibility for your own choices somewhere.

    >
    > If you choose to put a financial system on the Internet for all, and I do
    > mean *ALL* to access, then you should take the consequences of that.
    > Nobody asked for "internet banking". The banks put that up as a way to
    > reduce costs. Of course they have now found that it is an easy channel for
    > fraud. Problem is that they don't want to make that channel difficult.
    > They are pushing the responsibility for the security of that service onto
    > their customers.


    They ARE making it difficult. But please explain HOW based on your vast
    knowledge how they can stop a keylogger on a home computer.

    I use internet banking all of the time on MY computer only. Reality is,
    you are more likely to be involved in a car crash than a banking fraud
    if you take basic precautions.
     
    whoisthis, Sep 2, 2007
    #16
  17. Lodi

    whoisthis Guest

    In article <>,
    Greg House <> wrote:


    > But the World does not run around Lunix old chap, and in most cases only for
    > Nerds..
    >
    > Lunix does not suffer from these Virus problems because its of very little
    > use by the Masses and
    > hardly used..


    Linux HAS had viruses and malware.
     
    whoisthis, Sep 2, 2007
    #17
  18. Lodi

    Gordon Guest

    On 2007-09-02, Jonathan Walker <> wrote:
    > On Sun, 02 Sep 2007 04:17:51 +0200, Lodi wrote:
    >
    >> - you have used a computer or device that does not have appropriate
    >> protective software and operating system installed and up to date; - you
    >> have failed to take reasonable steps to ensure that the protective systems
    >> such as virus scanning, firewall, anti-spyware, operating system and
    >> anti-spam software on your computer are up to date;
    >>
    >> http://www.nzba.org.nz/pdfs/Code of Banking Practice 2007.pdf
    >>
    >> </snip>

    >
    > That "code of practice" is nothing more than the banks trying to avoid
    > liability for the poor design and security practices on their own website.
    >
    > I have considered for a while already that "internet banking" is not a
    > secure means of conducting a banking transaction.
    >
    >
    ><snip>
    >
    >> Should I be running IP Cop or Guard Dog or whatever firewall when my
    >> router has a built in firewall. And I don't mind being pinged/probed cos
    >> if someone got in there's nothing they can do without my admin password.

    >
    > Yes.
    >
    > A strong network firewall - not just relying on something bundled with a
    > router - is always a good thing to have running.
    >
    >
    >> I've run (K)Ubuntu for the last year quite happily without all the
    >> security software. What security software do the more experienced Linux
    >> desktop users run.

    >
    > Also, if you regularly receive many emails with attachments from Windows
    > users it is a good idea to check them for virus content - if for no other
    > reason other than to know you are not forwarding a virus onto someone else.
    >
    > Frankly, the banks are wanting to avoid liability for their own poor
    > websites. I would advise you to not use those sites so long as their
    > security is as poor as it currently is.
    >
    > The banks' websites are not good at preventing phishing attacks of even
    > the most basic kind. Do not use them.
    >
    >

    Ms Penguin has just gone out the door saying that you can have the fish of
    the day.
     
    Gordon, Sep 2, 2007
    #18
  19. Lodi

    Gordon Guest

    On 2007-09-02, Shane <-a-geek.net> wrote:
    > Lawrence D'Oliveiro wrote:
    >
    >> In message <fbd9e9$gtt$>, Shane wrote:
    >>
    >>> If I can add just one thing, and this goes for _any_ OS, one way to watch
    >>> your system is to periodically (eg. nightly) execute a script that
    >>> recurses through every file on your system, collecting hash sums of each
    >>> file held within, and then comparing that hash against the previous run's
    >>> hash collection. Any changes to your files can then be spotted
    >>> relatively quickly.

    >>
    >> There are already tools to do this--Tripwire is one name that comes to
    >> mind.

    >
    > And...?
    >

    Use it eh?
     
    Gordon, Sep 2, 2007
    #19
  20. Lodi

    Squiggle Guest

    Jonathan Walker wrote:
    > If you choose to put a financial system on the Internet for all, and I do
    > mean *ALL* to access, then you should take the consequences of that.


    And they do, if it was a foul up at their end they pick up the bill for
    that.

    > Nobody asked for "internet banking".


    Say what? Do you honestly think they put the time and effort into
    developing internet banking when no one wanted it?

    > The banks put that up as a way to
    > reduce costs. Of course they have now found that it is an easy channel for
    > fraud.


    Not that easy really, posting cheque books out to customers was a far
    more risky business IMO until most shops stopped accepting cheques from
    "walk-ins". Stupid/Ignorant people are stupid/ignorant no matter what
    the technology used is, and fraudsters will always find a new way to
    target these people.

    > Problem is that they don't want to make that channel difficult.
    > They are pushing the responsibility for the security of that service onto
    > their customers.


    In the same way as they make you responsible for taking a reasonable
    level of precaution to make sure nobody watches you type in your PIN at
    an ATM.

    You are of course free to go back to using a cheque book and visiting
    the bank in person for every withdrawal or deposit you want to make.
    Just don't be surprised when nobody will take your cheque as they are a
    far softer target for fraudulent use.
     
    Squiggle, Sep 2, 2007
    #20