Online Business Banking / IT Question
Hello All.
In a predicament at the moment, and wanted to know how I can approach this.
My Accounts Finance Director has just told me that they are now using online banking with all the office accounts, and that she is kind of worried about this access via her/staff workstations.
We do get the odd trojan and, as a rarity, a virus, but as users they don't have the common sense to see a problem with a website and stay away from it.
RBS have recommended Rapport, and to me this looks like a general AV tool (http://www.rbs.co.uk/corporate/ms/sc/online-security/rapport.ashx), but has anyone used this product over and above their AV software?
Or should I be thinking about placing a separate thin-client desktop on the Account Staff PCs with access to just the required bank links?
Your help would be appreciated, please.
fastdruid
15-02-10, 04:19 PM
The only secure method is to get a Linux bootable CD distro and use that. Don't install, just boot from the CD.
Druid
Drew Carey
15-02-10, 04:20 PM
For all our major banking here (which includes all investment / pensions banking movements for various clients including Pru, Axa, Zurich) they use tokens from HSBC / Lloyds. Users key in banking transfers / payments in conjunction with logging onto the sites.
Then, once they have been keyed, they are passed to a manager to check and approve. The approval process takes place on a standalone PC that is connected via a modem on a separate line. This means that even if there is a trojan etc, it may be on the user's PC, but the passwords change via the token each time. However, there is no way it can get onto the standalone PC, due to this being password controlled by managers and having no network / general web access.
I know this is quite a major way of doing it all, but our transfers can sometimes breach ceiling limits of £100m per day when interaccount transfers are taking place.
PS - based on other responses, mine is not a technical solution.....just how we do it here from a Finance user point of view.
mr.anderson
15-02-10, 04:22 PM
You could go for a plain thin client but those are just as likely to be messed with.
Best would be a thin client in its own VLAN behind a firewall (Palo Alto PA-2020 springs to mind) with very tight application level restriction. Only cost around £10k to implement but will be the most secure.
fizzwheel
15-02-10, 04:23 PM
1. Take away internet access from those that don't need it. It's not a perk of the job....
2. Take away email access from those that don't need it.
3. Put some kind of proxy in place to filter / restrict web access to a list of approved sites, or one that will pick up phishing / spam / malicious websites.
4. Put some kind of spam / malicious email scanner in place that stops the phishing emails being delivered.
5. Educate your users not to click links et al from peeps they don't know.
6. Make sure your anti-virus is in tip top condition.
7. Consider installing anti spy / malware removers on all your desktops.
All our BACS transfers are done from 1 or 2 PCs that are off the main domain, that don't have any internet access or an email client installed on them. They have enough access to just do the BACS transfer and nothing else...
fastdruid, thanks for that - and if they were IT savvy that would be ideal, but I need to try and keep the staff from having to relocate away from their desks, and that could be a bit too much like hard work for the PEBKAC (Problems Exist Between Keyboard and Chair).
fastdruid
15-02-10, 04:35 PM
You say that but it's not tricky once set up; it depends of course on how much you want to spend, how big you are as a company and exactly what the requirements are.
Windows is insecure; unless you totally isolate it and firewall it to hell and back, there is no way to guarantee you won't get trojans on, and for things involving money you want something secure.
I'd personally make it so that the users are given a CD: insert CD, reboot and there is a desktop with Firefox[1] set up with the homepage set to the online banking; remove CD, reboot and they have their normal desktop again.
Druid
[1] More secure than IE for a start.
Fizzwheel,
1. I can see that option going down like a lead balloon with my bosses. Unfortunately most sites are readily available apart from the generally blocked sites.
2. All office use email, so can't do that.
3. We do use WebSense Web Security, which I find most good, and we have this set up to block most sites that are offensive and cross the line.
4-7. We have both a gateway spam filter, and internal messaging filter, so that's pretty much secure - but the hardest part is the education of users, and getting them to stop opening weird emails that may have slipped through the net.
That could be the temporary solution, until I can test other means, and just secure and lockdown the PC to only the banking sites.
Hi Druid,
Our company is not big at all with 80 users, and 3 account staff. Purchasing additional software seems like it's not an option, and the requirements are to provide a potentially secure online banking method for the 3 accounts staff and FD.
In an environment to test your methods, do you have a link to a downloadable section I could obtain these CD and test in-house?
fizzwheel
15-02-10, 05:18 PM
but the hardest part is the education of users, and getting them to stop opening weird emails that may have slipped through the net.
Definitely, but that's also the weakest link in the whole system as well...
Would this do....KNOPPIX - http://www.knopper.net/knoppix/index-en.html
fastdruid
15-02-10, 05:20 PM
http://www.ubuntu.com/getubuntu/download
If you have DHCP and recent decent hardware it will "just work".
Druid
Definitely, but that's also the weakest link in the whole system as well...
Yep, would agree there - :(
Druid - Thanks for the link, will download this, and give it a try.