
UK Govt Warns Not To Access Online Banking on Windows 7 (ibsintelligence.com) 80

The UK's National Cyber Security Centre (NCSC) is warning people against using online banking or accessing sensitive accounts from devices running Windows 7 from Tuesday, 14 January, when Microsoft ends support for the operating system. From a report: The NCSC, the government body for cybersecurity, is encouraging people to upgrade from Windows 7 as soon as possible, due to Microsoft's 2019 decision to stop providing technical support for the software. "The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices," the NCSC spokesperson said. "We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."
  • Please Upgrade (Score:5, Insightful)

    by SirAstral ( 1349985 ) on Monday January 13, 2020 @01:12PM (#59616356)

    from an OS that you might get compromised in to an OS where the compromises are all built-in by the manufacturer! It's better for everybody... except you of course but individuals do not matter... only the groups.

    • Re:Please Upgrade (Score:5, Insightful)

      by Anonymous Brave Guy ( 457657 ) on Monday January 13, 2020 @01:29PM (#59616450)

      Exactly. I'll consider using Windows 10 for important and sensitive work once it no longer includes mandatory telemetry and I can fully control my own system.

      • Re:Please Upgrade (Score:5, Insightful)

        by bill_mcgonigle ( 4333 ) * on Monday January 13, 2020 @01:34PM (#59616490) Homepage Journal

        > once it no longer includes mandatory telemetry

        You need to get the right corporate edition, or use one of the scripts on Github to strip out the crapware.

        > and I can fully control my own system.

        Oh, man - this is Windows, not Gentoo - that ain't gonna happen.

      • Hahaha!

        This is meant funny. It has to be. Why is this modded Insightful?

      • Comment removed based on user account deletion
        • I made my own "no bloat" edition from LTSB too. You have to install updates manually (dism) because they fail on removed components. Since this is a big pain in the ass I figured that I might as well just use 7 or 8.1 while software supports it.

          You'll be missing patches all the same and 10 has a way larger attack surface than the other ones.

        • It breaks Windows Store though. Believe it or not in the past year or so many corporate apps are moving to the Windows App Store. It is a problem for us as we disabled it for security and not having the power to monitor stuff. Now it is biting us in the ass as we need to re-image the PC to get the Windows Store back on to run them.

          As Windows 7 goes EOL the last holdouts will start to go to UWP as it cuts support costs drastically.

        • by AmiMoJo ( 196126 )

          Looks like they removed more than just the crap though.

          No Windows Defender. I'd rather have that than some 3rd party crapware anti-virus software.

          Also System Restore is gone. Now when you get a bad update it will hose your system and there is no way to recover it because you can't roll back to before it was installed.

          They removed the calculator app. Sound Recorder. The VP9 codec. Why? Saving a few megabytes of disk space that I'll have to turn over to some alternative calculator app anyway.

          I'd be amazed if

      • by antdude ( 79039 )

        W7 has some telemetries too. :(

        • In Windows 7, there was a radical concept that the owner or administrator of a system could choose which updates they wanted to install, and thus decline to make changes to their system that were not in their interests.

    • I'm more comfortable giving my neighbour a key to my house than leaving the house unlocked. The compromises in this case only give access to a specific entity. The advice to upgrade stands.

      If you care about your security then your upgrade may include a change of OS, but in any case sticking with Windows 7 for "privacy" reasons would be bordering insanity.

    • > from an OS that you might get compromised in to an OS where the compromises are all built-in by the manufacturer!

      It's like taking a bomb with you onto a plane for safety's sake; What are the odds that there will be TWO bombs on any given plane, right? If you bring your own you're practically guaranteed to be safe!
      =Smidge=

    • What a bunch of biased horsecrap. Note I am not saying it is right or ok that God forbid consumers should gulp have an expectation of privacy that technology ignores and abuses for corporate benefit.

      But your phone, TV, and every new appliance spies on you. There is even a company that puts out hidden sounds outside your hearing range from your TV that your phone apps listen to and respond to spy on what you are watching. Creepy stuff.

      This is not the same as being dangerous by running an unpatched system wit

  • by Big Bipper ( 1120937 ) on Monday January 13, 2020 @01:14PM (#59616368)
    Someone stuck a 7 at the end of the title by mistake
  • Isn't this the same government whose healthcare system to this day (January 2020) still has Windows XP machines? They paid Microsoft enormous amounts of money to keep XP alive until at least recently. Not sure if they are still paying.

  • Whenever I go to the doctors, libraries or other government services I see the familiar blue start orb in the corner of their computers, even in 2020. I bet on Wednesday the 15th of January they will still be using it. I think the banks should take the advice and lock the government out of their own money until they upgrade.

    People warned that Microsoft made Windows 10 an unviable operating system, and now we will see real world fallout from Microsoft's malice.
  • So Magic??? (Score:4, Insightful)

    by Holi ( 250190 ) on Monday January 13, 2020 @01:40PM (#59616518)
    So it's magic that Windows 7 all of a sudden becomes insecure on Jan 14th? But it was fine on the 13th?
    • "Saving the best for last", there's a very real chance that hackers are sitting on a plethora of exploits and are waiting for stubborn users who don't want to switch to W10 to no longer be protected. Of course, because of W10's consecutive controversies MS will be the one blamed.
      • by jrumney ( 197329 )

        Didn't Microsoft issue a security fix [microsoft.com] for XP a few months back? If it is really critical, I'm sure they'll weigh up the PR impact and do the right thing.

        • Because of incompetent programmers, there are many systems in use that use old OSs out of necessity, because their software simply cannot run on a later system. These are usually public services.
    • Re:So Magic??? (Score:5, Insightful)

      by twocows ( 1216842 ) on Monday January 13, 2020 @01:54PM (#59616574)
      The biggest problems day one are going to be the plethora of zero-days that drop because now they can't be patched on most Win7 systems. But that'll be relatively minor compared to the longer-term issues.

      From January 14th until the end of time, every single exploit that gets discovered for Win7 will remain unpatched for systems without extended updates (unless MS caves for some really severe ones like they did with XP). That means that within a year, you'll have potentially hundreds of exploits of every type and severity affecting Windows 7. What's more, the CVEs disclosing these vulnerabilities will basically tell people who don't already know exactly where to start looking.

      Now, most home users are behind a NAT firewall, so they don't usually need to worry about just getting compromised sitting around doing nothing. However, if another compromised device gets on the network, if they decide to run a public-facing service (e.g. run a website), etc., they're at a huge risk. Also, the various software packages on their computer will eventually stop receiving updates. This might not matter for, say, Game 2019, but other random software like (just as an example) 7zip might stop getting updates, which makes it a target, which means they're likely to encounter drive-bys trying to get them to run exploits with those things (e.g. email from granny "hey open this zip file!" designed to exploit 7zip to compromise the rest of the system). And once Chrome or Firefox stops pushing updates to Win7, it'll be open season for drive-by attacks.

      If you're not using Windows 7 for anything particularly sensitive and you're not an attractive target and you're not running any common public-facing services and you isolate the system on its own vlan, you can probably secure Windows 7 to the point where it'll be mostly OK to use for the next few years. I wouldn't recommend it, but it's an option.

      However, the UK government's not talking to people capable of doing that, because those people wouldn't be getting tech advice from their government. The UK government is addressing the vast majority of people who don't understand any of this and maybe just heard this thing about Windows 7 being unsafe but don't know why. And to those people, the UK government's advice is very, very sound.
      • > Now, most home users are behind a NAT firewall, so they don't usually need to worry about just getting compromised sitting around doing nothing.

        What generally comes along with MS not supporting an OS is MS not providing updates to OS apps, and 3rd parties dropping support for upgrades to their software as well.

        NAT protects against a lot of things but the reality is the most likely attack vector remains access via browser / other internet facing software. People using IE should consider themselves exploited on day zero.

      • They issued an update for XP after the official end date.

      • by antdude ( 79039 )

        NATs aren't true firewalls.

    • by sad_ ( 7868 )

      might just be, hackers might be holding onto exploits until after the 14th.
      knowing MS will not patch the system while they'll still have access to millions unupgraded pc's that stay vulnerable with no imminent fix.

  • by CaptAubrey ( 6299102 ) on Monday January 13, 2020 @01:42PM (#59616524)
    Face it, MS has learned there is a lot of money to be made selling subscriptions to software versus selling it outright. Look at Office 365 and the cash cow it has become. You think Windows 10 is bad, everything after it will be subscription based. You pay them yearly/monthly whatever, else you don't boot up. I'll be staying on Windows 7 for quite a while because of some Windows only software which the vendor has already announced there will be no further Windows support. I use Mint for day to day tasks, including banking.
    • I have been pondering how they will start the subscription. Will there be a one year/something free after you buy the PC or will they try to make the subscription setup part of the purchase process at the shop where you buy your PC? This is relevant to me as most laptops come with MS Windows installed ... it does not survive long as I will upgrade to Linux, but I don't want an argument when I buy the thing.

  • by twocows ( 1216842 ) on Monday January 13, 2020 @01:43PM (#59616528)
    Considering who their audience is, it might be good advice. Laypersons aren't going to understand things like their software will eventually stop getting updates and other devices on their network can trivially compromise their Win7 device. People who might actually know how to reasonably secure a system with an EOL OS likely aren't relying on the UK government for security advice.
    • Laypersons aren't going to understand things like software that was OK yesterday is not OK tomorrow, even if MS does not downgrade it for them.

      Which is understandable because, let's face it, your average 2007 car is probably more secure than today's models cos it can't be unlocked by any random person with a phone!

      Now tell granny it's different for her laptop that took her 5 years to learn to use, and she is going to have to learn everything all over again - while grandad screams "you ain't gonna take my W

      • Grandma will be best served with an Ipad or Android tablet in such a case. Simple, easy to use once learned, can go to facebook and upload cat photos and view pics of her grandson dressed in bee outfits just fine.

        Windows was a shitty OS and overly complex and obsolete for all but business oriented legacy stuff these days.

        When XP went EOL many went to ipads and support issues went away.

        Part of me feels this is why Microsoft wants the Windows App Store so they can be simpler to operate with less security, bug

        • > When XP went EOL many went to ipads and support issues went away

          My experience was the opposite. People announced they were getting ipads, I said don't bother, you'll use it for a short time, get bored and annoyed at its limitations and then be asking about laptops. The bit I didn't predict was how much tech support I was expected to do to get things first onto, then off of these surprisingly consumer hostile iDevices.

  • by WaffleMonster ( 969671 ) on Monday January 13, 2020 @01:46PM (#59616538)

    Microsoft is still publicly releasing patches for Windows XP. For example RDP remote exploit patches were released in May of 2019.

    • That's true. MS does keep issuing security patches for their very old stuff. Server software, too.
    • They've only released a handful of patches for very severe "wormable" remote exploits as far as I know. The RDP patch was for Bluekeep I think. They want to head off Bluekeep because of its severity, but you could combine a number of less severe exploits to get the same end result and those exploits would each have lower individual severity scores and therefore wouldn't have been patched.

      At this point, any patches XP gets are mainly to head off things that MS thinks will turn into a big deal and compromi
      • Yes, Microsoft is releasing patches to protect other people from you. They are not releasing ones to fix exploits that would just harm the XP user.
      • > They've only released a handful of patches for very severe "wormable" remote exploits as far as I know. The RDP patch was for Bluekeep I think. They want to head off Bluekeep because of its severity, but you could combine a number of less severe exploits to get the same end result and those exploits would each have lower individual severity scores and therefore wouldn't have been patched.

        If the same exact outcome could be achieved by chaining exploits do you seriously believe Microsoft would have made a different calculation that didn't involve taking action to prevent the same exact outcome from occurring?

        People (customers, press...etc) don't care even a little bit about underlying modalities that enabled an attack they only care about real world results.

        • It's not about the process so much as the number of people it could affect. Stringing exploits together increases complexity and decreases the chance that the whole chain will work on any given device. Something like Bluekeep is a bigger threat numerically because of its relative simplicity -- more people will try to take advantage of it and it'll probably end up in a public exploit toolkit at some point.

          Many years ago, I read a column from a security consultant/journalist where he pointed out that getti
          • > It's not about the process so much as the number of people it could affect. Stringing exploits together increases complexity and decreases the chance that the whole chain will work on any given device. Something like Bluekeep is a bigger threat numerically because of its relative simplicity -- more people will try to take advantage of it and it'll probably end up in a public exploit toolkit at some point.

            I was responding to the following assertion "They've only released a handful of patches for very severe "wormable" remote exploits as far as I know. The RDP patch was for Bluekeep I think. They want to head off Bluekeep because of its severity, but you could combine a number of less severe exploits to get the same end result"

            What you seem to be saying now is that your original statement was incorrect. You can't in fact simply combine exploits and get the same end result.

            > Many years ago, I read a column from a security consultant/journalist where he pointed out that getting the basics right and making sure you're not the low-hanging fruit will immunize you to the vast majority of attacks because the vast majority of attacks are untargeted drive-bys. Immunizing your systems to those threats is necessary but not sufficient to secure your network, though. The significance of getting rid of the biggest threat shouldn't be understated, but it also shouldn't be seen as the only necessary step. That's what I'm getting at here -- Microsoft is trying to curtail the most broad and severe threats, but there's still plenty of attack surface by which an XP system could be compromised, and probably pretty easily at this point.

            Here's [us-cert.gov] the vulnerability summary from just the week of January 6. Microsoft patches dozens of vulnerabilities with each of their monthly update rollups.

            My only point is that earlier versio

    • > Microsoft is still publicly releasing patches for Windows XP. For example RDP remote exploit patches were released in May of 2019.

      False. Microsoft is still publicly releasing patches for a select few truly severe exploits of Windows XP. Just because they patched the RDP remote exploit doesn't mean you're being secure. Running XP right now is like trying to stop the flood waters of malware armed only with a sieve.

      • > False. Microsoft is still publicly releasing patches for a select few truly severe exploits of Windows XP. Just because they patched the RDP remote exploit doesn't mean you're being secure.

        Everything I said was factually correct. This talk about "secure" has nothing to do with what I actually said.

        From my perspective "being secure" is a state of delusion. If people think running the latest and greatest version of Windows makes them secure they are dangerously mistaken.

        > Running XP right now is like trying to stop the flood waters of malware armed only with a sieve.

        I remember when the time between giving a newly installed Windows XP system anywhere in the world a public IP address and the time to it being owned was measured in minutes.

        To this day Microsoft still seems willing to do what is ne

  • Surely the real problem is InternetExplorer. Just use a different browser.
  • How about, don't access your bank over open wi-fi.

    Or, don't click on any email links to access your bank.

    Or, don't even connect to the internet if you are still using Windows XP.

    But, don't use Windows 7? An operating system still being patched.

    Oi
  • I wouldn't be surprised if major UK banks started checking the user-agent string and throw up a warning to "presumed" Windows 7 users.

    Yes I realize this is considered by many to be a "bad" use of the user-agent string but sometimes "doing it wrong" is worth it if there is no way to "do it right" and "doing it the least wrong way" is better than "not doing it at all."

    • Sure, because the one thing someone still running windows 7 needs... is to be panicked by corporate entities into doing something quickly... like downloading a windows 8 torrent....

      You people are retarded.
  • I'm totes fine because I only do mobile banking on my phone, and I get my 2FA through text messages. No hackers gonna get MY money.

  • by dhaen ( 892570 ) on Monday January 13, 2020 @03:47PM (#59617060)
    Don't access Internet banking with Windows. 7 day banking will always be available online.
  • There is absolutely zero cost to any government department for issuing this advice. From their perspective it is nothing more than arse covering.

    The only time such advice matters is when the banks start refusing connections from W7 machines. In the civilised world the banks are responsible for protecting the integrity of a banking app's connection. If it gets hacked, they are the ones that pay (although they use our money to do it) and theirs is the liability. When the banks deem that W7 is too insecure,

  • Most security these days is done at the application level. If your browser gets hosed, your entire Home folder is ripe for the picking. It doesn't matter what OS you use. So, just use some decent 3rd-party apps instead of the crap that came with Win7.

    • by tepples ( 727027 )

      > Most security these days is done at the application level. [...] So, just use some decent 3rd-party apps

      What steps should a user take to assess whether a particular third-party app is "decent", trustworthy, or having any other desirable soft attribute?

  • I've said this before; I'll say it again. Open a secondary bank account if you want e-payments and e-banking. Win 7 is not the issue; any Windows, any OS, from desktop, laptop or smartphone -- don't put at risk your main account, don't e-enable it! Open another one, keep some money there and replenish it by occasional visits to your physical bank. Bonus: you get to flirt with that cute bank teller as well.
    • > Open a secondary bank account if you want e-payments

      That can cost a lot of money, especially at major banks in the United States that require an account holder to park several hundred dollars in each account as a minimum balance in order to avoid a $12 per month service fee just for having an account.
