From a security perspective, we can all come up with scenarios where a Live CD isn’t absolutely perfect, but it’s still exponentially more secure than a standard Windows install.

America’s small- and medium-sized banks *can’t* be held responsible for commercial-account online banking funds transfer fraud–their capital bases are too small with respect to the size of the flows in and out of the demand accounts of their small- and medium-sized enterprise customers. They also do not have, and cannot acquire the cybersecurity expertise needed to even read the FFIEC’s 2005 and 2011 Guidances with understanding. Lastly, they don’t actually run the information technology on which online banking is done; they outsource the function to one of 13 “processors” such as Intuit Financial Services (formerly: Digital Insight) or Metavante.

Nor would we want them to. We need America’s bankers out making loans that will boost employment, not trying to become part-time cybersecurity jocks.

Of course, the small- and medium-sized banks commercial customers are even less able to secure online banking.

yourmoneyisnotsafeinthebank.org does even want America’s small- and medium-sized banks to have to *know* cyberattacks are possible, much less their customers be burdened with that information. There is nothing they can do with that information anyway–the Pentagon cannot reliably fend off attacks on its information technology infrastructure. Having our small banks have to deal with things like the FFIEC Guidances is itself an important victory for our adversaries, much as the cost and hassle we impose on ourselves via TSA Security is Al Qaeda’s largest and most enduring victory over us.

This is not to say that we don’t want America to have an informed citizenry. Our democracy depends on it. But during the Cold War average Americans were not asked to personally conduct defensive operations against the Evil Empire, and it makes no more sense to ask Americans to do the equivalent during our current Cyber Cold War.

If public policy could move all Americans to run tests, the tests would not be for malware on their Windows PCs! Undiagnosed diabetes and hypertension are costing us 10s of billions of dollars per year, a number that is rapidly escalating. The fact that our best efforts at educating the public can’t get *these* rates down should give pause to those of you who think “user education” can be any important part of the solution to cybercrime.

Sadly, “security” is not about absolutes: There is, and can be, no *absolute* security. Instead, security is inherently comparative, and since current systems are completely vulnerable to normal (software) infection, why would we expect anything better against hardware infection?

Infection is a computer equipment problem and cannot be solved by software alone, even software from a DVD. On the other hand, if malware cannot run in the encountered OS, it is not going to be doing much infecting. So in that sense, yes, a LiveDVD is indeed protection against *new* hardware infection. It just cannot reverse an infection which has already occurred.

The user is well advised to use only their own hardware; to protect it and take it with them. An older laptop with a DVD writer and hard drive removed is a good choice. A small external router may provide added protection.

If you look at the report (PDF) that Brian linked and referenced in the article, “Dissecting Operation High-Roller”, you’ll see in the Executive Summary that it’s not only the banks. It includes credit unions, large global banks and regional banks.

I have no doubt that there are credit unions out there that are proactive. Apparently, though, not all credit unions have been proactive.

P.S. 1 ENISA put the onus squarely on the financial instirutions and did not provide specific recommendations for organizations and consumers. Brian’s article filled in an important deficiency in the ENISA advisory. Namely, actions that business owners and consumers can take to protect themselves in the meantime.

P.S. 2 I agree with you that both organizations and consumers should be more selective as to which financial institutions they conduct business with. At a minimum, a shopping list for organizations and consumers with which to make comparisons of various financial institutions would be valuable.

to trust phone calls (and voice in that) ??? You must be kidding. [not even talking about recent flaws misusing phone communication by nasty ways]

To paraphrase you, I’m better glad to be not in US/be in Europe, and use mine ‘standalone smartcard reader with screen’ (different names for the device) produced by verified company and given to me by my bank, to be used together with bank’s chip card, and can choose level of security, for example whether to use one-time code for InternetBanking login only, or for each txn, or even to ‘sign’ the values/amount/recipient account in the specific money transfer.

[yes, aware of potential risks (like producer of device can be compromised, as stated in post above) , but would be bank's problem, not mine]

One of the issues is that institutions view security controls as a tax as opposed to a competitive enabler. Some organizations have found they need to pay that tax because it is cheaper than the alternative, but the large ones haven’t. Someone like you who has the influence could solicit policies/controls that protect SBS customers from various institutions and publicize the institutions that do a great job, and that would matter. I could very easily see a google query for “safest bank for small businesses” having the first link be on your site with a list of progressive companies. You have enough audience (and enough media that follows you) that you really could draw attention to the good companies and create market conditions that reward protecting small business accounts