Banking Security

[Lindley]

Hi All,

Been following the post below -" Most secure operating system?" which is one for the most clued up folk, but not much help for the average user.

Wondered what advice there is for increasing our online banking security method ?

We are using an old  laptop just for banking, it has a 'clean' W10 v1909 install, with all the Windows settings set for maximum privacy.

Our main bank strongly suggests we use Trusteer Rapport, so that limits us to using Firefox, Chrome or Edge, though we just use Firefox.
( we did ask our bank about using Linux, but they said it was not one of their tested systems , so could not comment)

Other than Firefox we only have Defender running along with PrivaZer cleaner and use free scanners like Malwarebytes,Sophos and Eset.

We do not use Email on it, but do have Sumatra PDF reader to view statements etc and Libre Office to keep our 'books' in order.
 
No web sites are accessed other than the pre defined banking sites.

Could we do better within our limited abilities/knowledge ?   any advice appreciated .

[jfiresto]

Has your bank set you up to use Transaction Authentication Numbers (TANs)? Mine happened to call me this morning, to finish setting up a two-factor authenticated account using a TAN generator reading QR codes from whatever browser I am using. The generator is a separate, hand held unit tied to my bank card, like the one you see in the middle of this image:



The generator is supposed to secure transactions even if the computer or data link have been compromised.

[Lindley]

Hi,

Yes, thanks,  our main bank does use a system similar to yours, but other financial places like credit card providers are  not always as secure, though they are now starting to provide more safeguards.

It was more if we can make our PC or our methods any more secure, like ensuring we only use wired connections, ( which we do) and not wifi.

We have tried Paid for Security suites in the past, but are we just making our details more available  for to them to harvest ?

[MarkR42]

Sounds like the steps you've taken so far are very good, far better than most people.

The main way to prevent nearly all banking attacks, is to

* Not have your endpoint compromised - which in practice means not downloading malware, which means you're already ok. Definitely don't let kids play games or download all sorts of stuff on it. Malware typically contains keyloggers or remote control apps.
* Not fall for phishing attacks of various types - where attackers contact you to try to gain control by social engineering, etc.

Of course it's pretty inconvenient not having email on the same machine as banking, but I suppose, you can't be too careful.

Also watch out, for a machine that you only power on occasionally, has a lot less time to do updates and may get behind. Especially with e.g. Windows or Firefox which will usually only install updates if you restart them, not if you just keep the machine in a power-saving (hibernated etc) mode.

Paid security suites only attempt to make things slightly safer if you are likely to get your endpoint compromised (e.g. detecting malware, blocking Bad Things from happening).

[Lindley]

Also watch out, for a machine that you only power on occasionally, has a lot less time to do updates and may get behind. Especially with e.g. Windows or Firefox which will usually only install updates if you restart them, not if you just keep the machine in a power-saving (hibernated etc) mode.

Yes good point, though we have got into the habit of  starting  it up a hour before we visit any sites to do those updates as its such a slow machine 

Had though about VPN but not sure how the banks react if you try to contact them that way or, as have read in the magazines (web user/computer active, uk mags) , some VPNs are actually not that secure and can  have the data havested by the providers and others!

Not being obsessive, just don't want to miss any ways to keep safe, with such fast changing things its hard to keep up these days.

[rdl]

Don't overlook your router. Most cheap consumer routers are lucky if they ever get a firmware update. Many never get security patches and you might not even hear about it if they did.

[retiredcaps]

In addition to what you wrote, I have

- all my passwords saved using keepass2
- my hard drive is encrypted
- I backup all my files to encrypted usb drives or external hard drives
- I use chrome to read pdf files not some external pdf program like sumatra (Firefox can also read pdf)
- I use ublock origin on chrome to block ads where possible malware can hide
- I only used wired connections for banking (no wifi)
- I would NOT use a VPN or TOR for banking.  You have no idea if the VPN can be trusted.
- I run Lubuntu.  Updates take minutes, not hours like Windows 10.
- I NEVER save anything in the "cloud" or use services like onedrive
- I NEVER use any cloud applications like Word, Excel, etc.

[retiredcaps]

Other than Firefox we only have Defender running along with PrivaZer cleaner and use free scanners like Malwarebytes,Sophos and Eset.

BTW, some of the anti virus programs are full of vulnerabilities.  Tavis Ormandy at Google found a lot of them.

https://en.wikipedia.org/wiki/Tavis_Ormandy

The wiki page is dated, but he and the Project Zero team regularly find vulnerabilities in popular software that is supposed to keep Windows safe.

When I ran Windows, the only program I used to scan was Malwarebytes for people who had been infected.

And I haven't run Windows in almost 6 years now, but I never heard of PrivaZer cleaner. Looking at their webpage, I don't see anything that explains how their code works, what data they may collect about you, etc?

https://privazer.com/en/

[tggzzz]

For your own computer, boot from a readonly livedisk. That way you get a "new" computer every time. All linux distributions have livedisks.

There are many other attack vectors....

DNS rerouting can allow a MITM attack, and can be difficult to detect.

Phone companies are only too willing to transfer your mobile phone number to another SIM, thus reducing the value of that type of 2FA.

For this topic and many others, read comp.risks, a low-volume high signal-to-noise ratio usenet group. You can read and search the first 35 years of archives at https://catless.ncl.ac.uk/Risks/

[Electro Detective]

Besides what OP is already doing = 
the banks should supply a standalone customized client browser that only works for that bank,
and their debt slave customers log in with a password,
and answer random chosen questions only they know the answer to.

With that in place, scammers and hackers can suck hard on a big male cat pee impregnated paper bag 

Unfortunately none of that helps when prosperous banks hire 'cheap wage' dishonest data harvesting employees,
who handball customers details to their low life friend/family members working at 'COLD CALL CENTRAL'
those predictable pretend friend creeps with ubiquitous accents 

and bank I.T. losers that watch too many bank h@ckR movies 

[Lindley]

Hi,

Thanks all, plenty to follow up on there.

Retiredcaps  - The only thing we do not do is put all our key passwords  into a password manager, have read in the last year or so many have been attacked, plus the old saying, never put all your eggs in one basket .
Bit like the scam victims you see on tv who, despite all the warnings,  still  put all there life savings  / pension funds into one scheme, then left devastated when it all goes wrong.

[tggzzz]

the banks should supply a standalone customized client browser that only works for that bank,

I wouldn't touch any such thing with a bargepole. Too many chances for the development staff to not understand security or to let malefactors know how to circumvent/break/trojan it.

Unfortunately none of that helps when prosperous banks hire 'cheap wage' dishonest data harvesting employees,
who handball customers details to their low life friend/family members working at 'COLD CALL CENTRAL'
those predictable pretend friend creeps with ubiquitous accents 

Many of the bank security processes are designed to protect againsr theft/froaud by their own staff. They don't always succeed.

[rdl]

Definitely use a browser that works with uBlock Origin and NoScript. Learn how to use both, the default settings can be made better. uBlock Origin is very powerful and much more than just a simple ad-blocker.

If privacy is important, don't use Google's Chrome browser. Actually, just don't use it ever.

[MarkR42]

Re: VPN

There is usually no benefit to using a VPN for banking.

VPNs are usually used to hide / confuse your identity to an origin-server (e.g. web site). As you are identifying yourself to the bank anyway, there is no point in doing that. VPNs also hide which site you are visiting from a network eavesdropper, but I doubt that visiting your bank is really something that you need to hide so much.

Also, you might trigger the bank's own intrusion detection system because they won't be expecting users to connect through a VPN, and widely-used VPNs use well known egress IP addresses.

The only case where a VPN might be helpful is if your bank prohibits connections (even for securely identified users) from certain countries, in which case you could use a VPN while travelling to those countries. However, if those countries are so dodgy that the bank bans users from them, it might be a better idea to avoid using your bank completely when there.

[retiredcaps]

Retiredcaps  - The only thing we do not do is put all our key passwords  into a password manager, have read in the last year or so many have been attacked, plus the old saying, never put all your eggs in one basket .

Tavis has found bugs in lastpass.

https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/

Certainly, keepass2, which I use, is likely to have some undiscovered bug or vulnerability, but the keepass2 encrypted master password file is saved locally on my encrypted hard drive.  It's never stored in the cloud.

https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/

https://www.cvedetails.com/product/23054/Keepass-Keepass.html?vendor_id=12214

[Masa]

Having separate PC that is used only for banking is very good. I would keep extra software installed on that PC to a minimum.

Very important is to keep Windows and the web browser / PDF reader up to date. All software has bugs, including web browser and operating systems and all bugs haven't been discovered or fixed yet. Viruses use these bugs for their benefit.

You should also create a normal Windows user account with lower privileges, so an account that is not an administrator account, and normally always use that account. Only use administrator account when you need to install new software, etc. That way viruses that run with the users account are less of a problem, because when your account is not an administrator, it cannot so easily mess up important system files or installed programs.

I would not use password managers for banking.

[Mp3]

Option A)   Use a linux Live CD / USB. Some are specifically geared towards privacy and security, like Tails. (the better option IMO)

Option B) Simply use any hardened Linux distro, disable SSH server if it's enabled, and keep it updated as well as using a good password. Any of them will be superior to Windows 10 with an antivirus IMO.

Option C)   Clean install Windows 10 without internet connection, install some form of reputable internet security like ESET or Bitdefender ( I don't like Kaspersky, it intercepts HTTPS traffic ), install W10Privacy and tick all boxes you wish, apply, reboot, activate Bitlocker and Secure Boot, THEN install a browser and connect to internet, and keep it powered off or with internet disabled as much as possible,  and keep it updated as well as using a good password.

[Electro Detective]

It's a lot easier and secure to go to a bank branch that either has a computer you can use
and or get the teller or 'team member' to do it for you, and get a paper based receipt to verify the transaction

Make the   'evil internet     roamed by hackers and scammers'      THEIR problem, not yours

If banks want to push digital money, dump staff and close branches, rather than maintain transactions with time proven cash or gold,
let THEM and their IT security deal with digital robbers, constant browser security/update BS, and encryption passwords required sometimes long enough to span galaxies 
again > THEIR problem, not yours, you're just the customer expecting some reasonable service from professional debt vendors 

[Lindley]

@Masa  - thanks, yes do all that already.

@Mp3 - thanks, did originally consider Linux  but after contacting our main bank, they said they could not comment about Linux as its "not a system they have tested"  basically saying stick to Windows.
             they also push us to use Trusteer Rapport , which used to be a little problematic, but these days does seem to work much better, quietly in the background.

@Electro Detective - thanks, but here in the UK banks are closing their branches at an alarming rate and now with C-19 we are glad to can access our banking from home rather than having to drive into the    center of town, struggle to park, and then wait in long queues.

[Analingus]

I have seen a few posts on the security section here regarding password managers and the sentiment towards them comes off as negative towards them, is there a reason why? If one is using an open source, community approved PM and is using the program as inteneded, is that not the best way to be going about password security? Just curious and all this was seen in passing, so I may be off base.

[Lindley]

I have seen a few posts on the security section here regarding password managers and the sentiment towards them comes off as negative towards them, is there a reason why? If one is using an open source, community approved PM and is using the program as inteneded, is that not the best way to be going about password security? Just curious and all this was seen in passing, so I may be off base.

Just been reading a magazine article about flaws in PMs and  of course there have been several reported problems with them over the last couple of years, how many unreported ??

https://www.york.ac.uk/news-and-events/news/2020/research/expose-vulnerabilities-password-managers/

The old saying, do not put all your eggs in one basket !

Same as uploading to the Cloud, could it ever be 100% safe , even if encrypted, you never know when the service is pulled and your data possibly lost.

[alex_palvai]

Unless you don't care about security for your data , that's when its fine to use cloud.  Here is another critical vulnerability that's exposed (taking advantage of back end unauthenticated date on azure . Ton's of vulnerabilities on both Azure and AWS .

https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/

[james_s]

If you're really worried about it, install the OS of your choice in a VM, save a snapshot of the clean install and then use that VM only for your banking site. You can revert to a completely clean slate any time you want.

[Mr. Scram]

If you're really worried about it, install the OS of your choice in a VM, save a snapshot of the clean install and then use that VM only for your banking site. You can revert to a completely clean slate any time you want.

If your hypervisor or host isn't as clean your VM can't be considered safe. If it is it can be used instead.

[james_s]

Nothing is perfect, but if something is isolated in a VM it's pretty difficult to get any kind of cross contamination. If you only use the browser in the VM for banking then it's not going to have any cookies or sketchy browser extensions or anything like that. Using a clean VM is a bit like wearing a mask to prevent the spread of infection, it's not a panacea but it's another step away from being low hanging fruit.