Secure Online Banking with Linux USB Live

Abstract:

Online banking is becoming a very popular way to satisfy our banking needs, even among people with little or no technical background. Banking online has numerous advantages, such as 24/7 opening hours, the ability to make transactions from anywhere in the world, and convenience. The only problem is that we do not take our secured home PC everywhere with us. Consequently, using a computer and operating system other than our own for online banking may involve a great security risk. However, what we can and usually do carry everywhere we go is some sort of USB key storage device. This article describes a way of building our own customized online banking USB live desktop.

Introduction

A USB key with a bootable live Linux distribution dedicated solely to our online banking needs can be very handy, not only when traveling but also when used on a day-to-day basis. Computers are usually shared among colleagues, family members or friends, and therefore chances are very high that our personal details will be made available to fraudsters and their sophisticated scams and software. What is more, encrypting our non-persistent USB key will make the live USB online banking desktop worthless if it falls into enemy hands. Therefore, there is no harm in storing our online passwords directly on the USB key itself using an application such as password-gorilla ( double encryption ). Perhaps the outcome of this guide is not as good as the famous IronKey with all its shiny features, but we would all miss the fun if there were no space to improve it.

This article comprises four major sections:

  • build Debian USB live image
  • customize desktop environment within USB live image
  • rebuild USB live image with customized environment and encryption
  • transfer USB LIVE image to USB memory device

Prerequisites

Hardware

  • USB key with minimum size of 512 MB
  • PC with USB slot

Software

The software prerequisites are very simple and straightforward. All that is needed is a running Debian or Ubuntu desktop with the live-helper and qemu packages.

apt-get install live-helper qemu mbr 

live-helper will take care of the live USB image build, and qemu will be used to customize the USB online banking desktop. mbr will be used to install a master boot record on the USB memory drive.

Building a USB Linux live image

The simplest way to build a Debian USB Linux live image is to use the live-magic application, which guides the user through the entire process with a number of GUI dialogs. However, with this approach we lose control of what is happening in the background, and customizing the final product becomes much harder. Instead, we will stick to the command line and use live-helper directly.

Creating config files

Using predefined package lists

At this point it is important to know which desktop environment we want to use and which programs / packages we want to include in the USB live image. live-helper offers a variety of predefined package lists. The complete set of package lists can be found in:

ls /usr/share/live-helper/lists

Example:

  • kde-core

Additional packages from Debian repository

The package list you have chosen previously may not include all the software you wish to have installed on your USB live stick, and therefore the next step is to choose additional packages.

Example:

  • password-gorilla
  • ssh
  • yakuake
  • kcalc
  • kpdf

Other packages

Not all programs we wish to install are in the standard Debian repository, and therefore live-helper gives us the option to include these programs in the form of *.deb packages. As an example, we may wish to install Google Chrome or Adobe Flash Player. Before you proceed, download all the packages you require into your home directory.

Example:

  • google-chrome-stable_current_i386.deb
  • install_flash_player_10_linux.deb

NOTE:

This is just an example on how to include additional packages. Remember that including non-free packages carries its own risk and thus it may render your secure environment insecure.

lh_config

NOTE:

Ubuntu users may not have the lh_* commands available. In that case, instead of lh_config use “lh config”, and so on.

Let’s start by creating a new directory called live-debian-usb:

# mkdir live-debian-usb
# cd live-debian-usb

Next we will put it all together with the lh_config command:

# lh_config -p kde-core --packages "password-gorilla ssh yakuake kcalc kpdf" -b usb-hdd

After executing this command, a config directory will be created within our current working directory. To include other packages we need to copy them into the config/chroot_local-packages/ directory:

# cp ~/google-chrome-stable_current_i386.deb config/chroot_local-packages/ 
# cp ~/install_flash_player_10_linux.deb config/chroot_local-packages/ 

NOTE:

If you are running a local Debian repository or have apt-cacher configured, add the following options to lh_config to speed up the whole process ( change the IP address and port number ):

Example:

--mirror-binary=URL of local repository
--mirror-chroot=URL of local repository

Now we are all set to build our first image. This is done by executing the lh_build command:

# lh_build

This may take some time. live-helper will first create and configure a chroot environment. The chroot environment will then be used to build our USB image. After a successful build you will find the binary.img file inside your live-debian-usb directory.

USB LIVE Image customization

Now that we have our USB live image file ready, it is time to start it up and customize all our desktop environment settings. To do that, we use qemu:

qemu --usb binary.img

This will start our new USB live image. Once inside, configure and customize your desktop: for example, create bookmarks, change the desktop background, etc. Once you are happy with your settings, archive your entire home directory with tar and gzip and copy it with scp somewhere outside of your live image. If the IP address of our host operating system is 10.1.1.2 then:

# tar cvzf /tmp/user.tar.gz /home/
# scp /tmp/user.tar.gz username@10.1.1.2:~/

would store the user.tar.gz file inside our home directory on the host.

Rebuild customized LIVE image

Now that we have our customization file saved locally, we need to rebuild the entire image and include our custom /home/user directory. First, clean the previous build:

# lh_clean

Now we update our configuration to instruct live-helper to encrypt the entire USB LIVE image:

NOTE:

Encryption is optional. It only comes in handy if our USB stick goes missing for some unforeseen reason.

# lh_config -p kde-core --packages "password-gorilla ssh yakuake kcalc kpdf" -b usb-hdd -e aes256

Then navigate into config/chroot_local-includes/ and extract user.tar.gz:

cd config/chroot_local-includes/
cp ~/user.tar.gz .
tar xvzf user.tar.gz; rm user.tar.gz; cd -
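Everything under config/chroot_local-includes/ is laid over the root of the image, so it is worth listing what user.tar.gz contains before extracting it there. The following check is an added example, not part of the original article; audit_overlay_archive is an illustrative name and not a live-helper command.

```bash
#!/bin/sh
# Added example: list what user.tar.gz would place into the image root via
# config/chroot_local-includes/ and refuse anything outside home/.
# audit_overlay_archive is an illustrative name, not a live-helper command.
audit_overlay_archive() {
    archive="$1"
    bad=0
    members="$(tar tzf "$archive")" || return 2
    while IFS= read -r m; do
        case "$m" in
            # Absolute paths or ".." components could escape the overlay directory.
            /*|../*|*/../*|*/..) echo "unsafe path: $m" >&2; bad=1 ;;
            # Expected: tar stripped the leading / when archiving /home/.
            home|home/*) ;;
            # Anything else (etc/, usr/ ...) would silently override image files.
            *) echo "outside home/: $m" >&2; bad=1 ;;
        esac
    done <<EOF
$members
EOF
    return "$bad"
}

# Usage, from inside config/chroot_local-includes/:
#   audit_overlay_archive ~/user.tar.gz && tar xvzf ~/user.tar.gz
```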

NOTE:

Feel free to add more custom files. For example, if we want to include our custom /etc/network/interfaces, we would need to create all parent directories within config/chroot_local-includes/ and then copy the interfaces file inside.

All is set and ready to build our final LIVE USB version:

# lh_build

This time do not run away while your LIVE image is building, because you will be prompted to enter a passphrase of at least 20 characters. While live-helper is working, use the time to think of something secure that you can remember. After a successful build you will have a binary.img file ready in your current working directory.

Transfer USB LIVE image to USB stick

If you got this far you should have a working version of your USB LIVE image sitting in your current working directory in the form of the binary.img file. To transfer this image to a USB stick we first need to find the name of our USB stick's block device file:

# parted -l

Search for your USB stick block device file. For the rest of this guide we will pretend that our USB block device file name is /dev/sdX . Transfer the LIVE image with the dd command:

NOTE:

The following linux command will remove all data from your USB stick !

# dd if=binary.img of=/dev/sdX

NOTE:

You need to overwrite the entire disk ( /dev/sdX ), NOT just a single partition ( /dev/sdX1 ).

If your USB stick does not have an MBR ( master boot record ) installed, do so with the install-mbr command:

# install-mbr /dev/sdX

NOTE:

My installation took around 450MB, so do not forget to claim your unused USB memory space with parted command.
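Because dd overwrites whatever device it is pointed at, the transfer step can be wrapped in a guard that refuses partitions, mounted devices and non-removable disks, and then reads the image back to confirm it was written intact. This script is an added example, not part of the original article; the function names are illustrative and /dev/sdX is the article's placeholder.

```bash
#!/bin/sh
# Added example (not from the article): guarded write of binary.img to the
# stick, then a read-back check. Function names are illustrative.

# True if NAME looks like a partition (sdb1, mmcblk0p1), not a whole disk.
is_partition_name() {
    case "$(basename "$1")" in
        sd*[0-9]|hd*[0-9]|vd*[0-9]|*[0-9]p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse anything that is not an unmounted, removable whole disk.
check_target() {
    dev="$1"
    if [ ! -b "$dev" ]; then echo "not a block device: $dev" >&2; return 1; fi
    if is_partition_name "$dev"; then
        echo "partition given, the whole disk is required" >&2; return 1
    fi
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev or one of its partitions is mounted" >&2; return 1
    fi
    # USB sticks report removable=1; internal disks report 0.
    if [ "$(cat "/sys/block/$(basename "$dev")/removable" 2>/dev/null)" != 1 ]; then
        echo "$dev is not flagged removable" >&2; return 1
    fi
}

# Hash the image, then hash the same number of bytes read back from TARGET.
verify_copy() {
    size=$(( $(wc -c < "$1") ))
    want="$(sha256sum < "$1" | cut -d' ' -f1)"
    got="$(head -c "$size" "$2" | sha256sum | cut -d' ' -f1)"
    [ "$want" = "$got" ]
}

write_image() {
    check_target "$2" || return 1
    dd if="$1" of="$2" bs=4M conv=fsync || return 1
    # The read-back may come from the page cache; replug the stick and run
    # verify_copy again for a check against the flash itself.
    verify_copy "$1" "$2"
}

# Runs only with arguments: sh write-live.sh binary.img /dev/sdX
if [ "$#" -eq 2 ]; then write_image "$1" "$2"; fi
```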

Boot USB LIVE

All should be ready to boot your USB live online banking desktop. Change your BIOS boot settings to USB drive and enjoy.

Conclusion

A bootable USB LIVE stick can be very handy and easy to use on any computer able to boot from a USB device. There are practically no disadvantages except when storing online banking passwords inside the USB LIVE image, as the image needs to be rebuilt whenever the passwords change. Since the USB LIVE image is locked behind encryption with a passphrase of at least 20 characters, the chance that someone gets access to our passwords is close to 0. Non-persistent mode ensures that it is impossible to store any sort of spyware for longer than a single session. Yet there is plenty of space for improvement: firewall, boot splash, etc.