Author Topic: Banking Security  (Read 1445 times)

0 Members and 1 Guest are viewing this topic.

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Banking Security
« on: February 28, 2020, 11:03:12 am »
Hi All,

Been following the post below -" Most secure operating system?" which is one for the most clued up folk, but not much help for the average user.

Wondered what advice there is for increasing our online banking security method ?

We are using an old  laptop just for banking, it has a 'clean' W10 v1909 install, with all the Windows settings set for maximum privacy.

Our main bank strongly suggests we use Trusteer Rapport, so that limits us to using Firefox, Chrome or Edge, though we just use Firefox.
( we did ask our bank about using Linux, but they said it was not one of their tested systems , so could not comment)

Other than Firefox we only have Defender running along with PrivaZer cleaner and use free scanners like Malwarebytes,Sophos and Eset.

We do not use Email on it, but do have Sumatra PDF reader to view statements etc and Libre Office to keep our 'books' in order.
 
No web sites are accessed other than the pre defined banking sites.

Could we do better within our limited abilities/knowledge ?   any advice appreciated .
 

Offline jfiresto

  • Frequent Contributor
  • **
  • Posts: 304
  • Country: de
Re: Banking Security
« Reply #1 on: February 28, 2020, 01:21:55 pm »
Has your bank set you up to use Transaction Authentication Numbers (TANs)? Mine happened to call me this morning, to finish setting up a two-factor authenticated account using a TAN generator reading QR codes from whatever browser I am using. The generator is a separate, hand held unit tied to my bank card, like the one you see in the middle of this image:



The generator is supposed to secure transactions even if the computer or data link have been compromised.
 
The following users thanked this post: Lindley

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Re: Banking Security
« Reply #2 on: February 28, 2020, 02:35:31 pm »
Hi,

Yes, thanks,  our main bank does use a system similar to yours, but other financial places like credit card providers are  not always as secure, though they are now starting to provide more safeguards.

It was more if we can make our PC or our methods any more secure, like ensuring we only use wired connections, ( which we do) and not wifi.

We have tried Paid for Security suites in the past, but are we just making our details more available  for to them to harvest ?
 
The following users thanked this post: Electro Detective

Offline MarkR42

  • Regular Contributor
  • *
  • Posts: 71
  • Country: gb
Re: Banking Security
« Reply #3 on: February 28, 2020, 02:46:29 pm »
Sounds like the steps you've taken so far are very good, far better than most people.

The main way to prevent nearly all banking attacks, is to

* Not have your endpoint compromised - which in practice means not downloading malware, which means you're already ok. Definitely don't let kids play games or download all sorts of stuff on it. Malware typically contains keyloggers or remote control apps.
* Not fall for phishing attacks of various types - where attackers contact you to try to gain control by social engineering, etc.

Of course it's pretty inconvenient not having email on the same machine as banking, but I suppose, you can't be too careful.

Also watch out, for a machine that you only power on occasionally, has a lot less time to do updates and may get behind. Especially with e.g. Windows or Firefox which will usually only install updates if you restart them, not if you just keep the machine in a power-saving (hibernated etc) mode.

Paid security suites only attempt to make things slightly safer if you are likely to get your endpoint compromised (e.g. detecting malware, blocking Bad Things from happening).
 
The following users thanked this post: Lindley

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Re: Banking Security
« Reply #4 on: February 28, 2020, 03:39:21 pm »


Also watch out, for a machine that you only power on occasionally, has a lot less time to do updates and may get behind. Especially with e.g. Windows or Firefox which will usually only install updates if you restart them, not if you just keep the machine in a power-saving (hibernated etc) mode.




Yes good point, though we have got into the habit of  starting  it up a hour before we visit any sites to do those updates as its such a slow machine  :D

Had though about VPN but not sure how the banks react if you try to contact them that way or, as have read in the magazines (web user/computer active, uk mags) , some VPNs are actually not that secure and can  have the data havested by the providers and others!

Not being obsessive, just don't want to miss any ways to keep safe, with such fast changing things its hard to keep up these days.
 

Offline rdl

  • Super Contributor
  • ***
  • Posts: 2967
  • Country: us
Re: Banking Security
« Reply #5 on: February 29, 2020, 02:35:16 am »
Don't overlook your router. Most cheap consumer routers are lucky if they ever get a firmware update. Many never get security patches and you might not even hear about it if they did.
 
The following users thanked this post: Lindley

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3449
  • Country: ca
Re: Banking Security
« Reply #6 on: February 29, 2020, 05:36:39 am »
In addition to what you wrote, I have

- all my passwords saved using keepass2
- my hard drive is encrypted
- I backup all my files to encrypted usb drives or external hard drives
- I use chrome to read pdf files not some external pdf program like sumatra (Firefox can also read pdf)
- I use ublock origin on chrome to block ads where possible malware can hide
- I only used wired connections for banking (no wifi)
- I would NOT use a VPN or TOR for banking.  You have no idea if the VPN can be trusted.
- I run Lubuntu.  Updates take minutes, not hours like Windows 10.
- I NEVER save anything in the "cloud" or use services like onedrive
- I NEVER use any cloud applications like Word, Excel, etc.
 
The following users thanked this post: Lindley

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3449
  • Country: ca
Re: Banking Security
« Reply #7 on: February 29, 2020, 05:44:47 am »
Other than Firefox we only have Defender running along with PrivaZer cleaner and use free scanners like Malwarebytes,Sophos and Eset.
BTW, some of the anti virus programs are full of vulnerabilities.  Tavis Ormandy at Google found a lot of them.

https://en.wikipedia.org/wiki/Tavis_Ormandy

The wiki page is dated, but he and the Project Zero team regularly find vulnerabilities in popular software that is supposed to keep Windows safe.

When I ran Windows, the only program I used to scan was Malwarebytes for people who had been infected.

And I haven't run Windows in almost 6 years now, but I never heard of PrivaZer cleaner. Looking at their webpage, I don't see anything that explains how their code works, what data they may collect about you, etc?

https://privazer.com/en/
 
The following users thanked this post: Lindley

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 11735
  • Country: gb
    • Having fun doing more, with less
Re: Banking Security
« Reply #8 on: February 29, 2020, 08:32:56 am »
For your own computer, boot from a readonly livedisk. That way you get a "new" computer every time. All linux distributions have livedisks.

There are many other attack vectors....

DNS rerouting can allow a MITM attack, and can be difficult to detect.

Phone companies are only too willing to transfer your mobile phone number to another SIM, thus reducing the value of that type of 2FA.

For this topic and many others, read comp.risks, a low-volume high signal-to-noise ratio usenet group. You can read and search the first 35 years of archives at https://catless.ncl.ac.uk/Risks/
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 
The following users thanked this post: Mp3, Lindley

Offline Electro Detective

  • Super Contributor
  • ***
  • Posts: 2713
  • Country: au
Re: Banking Security
« Reply #9 on: February 29, 2020, 09:52:51 am »
Besides what OP is already doing =  :-+
the banks should supply a standalone customized client browser that only works for that bank,
and their debt slave customers log in with a password,
and answer random chosen questions only they know the answer to.

With that in place, scammers and hackers can suck hard on a big male cat pee impregnated paper bag  :o

Unfortunately none of that helps when prosperous banks hire 'cheap wage' dishonest data harvesting employees,
who handball customers details to their low life friend/family members working at 'COLD CALL CENTRAL'
those predictable pretend friend creeps with ubiquitous accents  ::)

and bank I.T. losers that watch too many bank h@ckR movies  :palm:

 
The following users thanked this post: Lindley

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Re: Banking Security
« Reply #10 on: February 29, 2020, 10:41:27 am »
Hi,

Thanks all, plenty to follow up on there.

Retiredcaps  - The only thing we do not do is put all our key passwords  into a password manager, have read in the last year or so many have been attacked, plus the old saying, never put all your eggs in one basket .
Bit like the scam victims you see on tv who, despite all the warnings,  still  put all there life savings  / pension funds into one scheme, then left devastated when it all goes wrong. :palm:
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 11735
  • Country: gb
    • Having fun doing more, with less
Re: Banking Security
« Reply #11 on: February 29, 2020, 03:36:38 pm »
the banks should supply a standalone customized client browser that only works for that bank,

I wouldn't touch any such thing with a bargepole. Too many chances for the development staff to not understand security or to let malefactors know how to circumvent/break/trojan it.

Quote
Unfortunately none of that helps when prosperous banks hire 'cheap wage' dishonest data harvesting employees,
who handball customers details to their low life friend/family members working at 'COLD CALL CENTRAL'
those predictable pretend friend creeps with ubiquitous accents  ::)

Many of the bank security processes are designed to protect againsr theft/froaud by their own staff. They don't always succeed.
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 
The following users thanked this post: Lindley

Offline rdl

  • Super Contributor
  • ***
  • Posts: 2967
  • Country: us
Re: Banking Security
« Reply #12 on: February 29, 2020, 03:45:06 pm »
Definitely use a browser that works with uBlock Origin and NoScript. Learn how to use both, the default settings can be made better. uBlock Origin is very powerful and much more than just a simple ad-blocker.

If privacy is important, don't use Google's Chrome browser. Actually, just don't use it ever.
 
The following users thanked this post: Lindley

Offline MarkR42

  • Regular Contributor
  • *
  • Posts: 71
  • Country: gb
Re: Banking Security
« Reply #13 on: February 29, 2020, 07:18:33 pm »
Re: VPN

There is usually no benefit to using a VPN for banking.

VPNs are usually used to hide / confuse your identity to an origin-server (e.g. web site). As you are identifying yourself to the bank anyway, there is no point in doing that. VPNs also hide which site you are visiting from a network eavesdropper, but I doubt that visiting your bank is really something that you need to hide so much.

Also, you might trigger the bank's own intrusion detection system because they won't be expecting users to connect through a VPN, and widely-used VPNs use well known egress IP addresses.

The only case where a VPN might be helpful is if your bank prohibits connections (even for securely identified users) from certain countries, in which case you could use a VPN while travelling to those countries. However, if those countries are so dodgy that the bank bans users from them, it might be a better idea to avoid using your bank completely when there.
 
The following users thanked this post: Lindley

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3449
  • Country: ca
Re: Banking Security
« Reply #14 on: February 29, 2020, 07:39:17 pm »
Retiredcaps  - The only thing we do not do is put all our key passwords  into a password manager, have read in the last year or so many have been attacked, plus the old saying, never put all your eggs in one basket .
Tavis has found bugs in lastpass.

https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/

Certainly, keepass2, which I use, is likely to have some undiscovered bug or vulnerability, but the keepass2 encrypted master password file is saved locally on my encrypted hard drive.  It's never stored in the cloud.

https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/

https://www.cvedetails.com/product/23054/Keepass-Keepass.html?vendor_id=12214
 
The following users thanked this post: Lindley

Offline Masa

  • Contributor
  • Posts: 20
  • Country: fi
Re: Banking Security
« Reply #15 on: April 13, 2020, 10:52:38 pm »
Having separate PC that is used only for banking is very good. I would keep extra software installed on that PC to a minimum.

Very important is to keep Windows and the web browser / PDF reader up to date. All software has bugs, including web browser and operating systems and all bugs haven't been discovered or fixed yet. Viruses use these bugs for their benefit.

You should also create a normal Windows user account with lower privileges, so an account that is not an administrator account, and normally always use that account. Only use administrator account when you need to install new software, etc. That way viruses that run with the users account are less of a problem, because when your account is not an administrator, it cannot so easily mess up important system files or installed programs.

I would not use password managers for banking.
« Last Edit: April 13, 2020, 10:57:47 pm by Masa »
 
The following users thanked this post: Lindley

Offline Mp3

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: us
Re: Banking Security
« Reply #16 on: April 14, 2020, 08:57:08 am »
Option A)   Use a linux Live CD / USB. Some are specifically geared towards privacy and security, like Tails. (the better option IMO)

Option B) Simply use any hardened Linux distro, disable SSH server if it's enabled, and keep it updated as well as using a good password. Any of them will be superior to Windows 10 with an antivirus IMO.

Option C)   Clean install Windows 10 without internet connection, install some form of reputable internet security like ESET or Bitdefender ( I don't like Kaspersky, it intercepts HTTPS traffic ), install W10Privacy and tick all boxes you wish, apply, reboot, activate Bitlocker and Secure Boot, THEN install a browser and connect to internet, and keep it powered off or with internet disabled as much as possible,  and keep it updated as well as using a good password.
« Last Edit: April 14, 2020, 09:00:23 am by Mp3 »
Pace ADS200, Jabe UD-1200, TS-100
HP 3478A, Fluke 45, UNI-T UT71A, several fused DT-830B
Power Design TP340 & Siglent SDS1052DL+
 
The following users thanked this post: Lindley

Offline Electro Detective

  • Super Contributor
  • ***
  • Posts: 2713
  • Country: au
Re: Banking Security
« Reply #17 on: April 14, 2020, 10:47:57 am »
It's a lot easier and secure to go to a bank branch that either has a computer you can use
and or get the teller or 'team member' to do it for you, and get a paper based receipt to verify the transaction

Make the   'evil internet  >:D   roamed by hackers and scammers'    :scared: :scared: :scared:  THEIR problem, not yours

If banks want to push digital money, dump staff and close branches, rather than maintain transactions with time proven cash or gold,
let THEM and their IT security deal with digital robbers, constant browser security/update BS, and encryption passwords required sometimes long enough to span galaxies  :o
again > THEIR problem, not yours, you're just the customer expecting some reasonable service from professional debt vendors  :popcorn:

« Last Edit: April 14, 2020, 10:51:37 am by Electro Detective »
 
The following users thanked this post: Lindley

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Re: Banking Security
« Reply #18 on: April 14, 2020, 11:58:52 am »
@Masa  - thanks, yes do all that already.

@Mp3 - thanks, did originally consider Linux  but after contacting our main bank, they said they could not comment about Linux as its "not a system they have tested"  basically saying stick to Windows.
             they also push us to use Trusteer Rapport , which used to be a little problematic, but these days does seem to work much better, quietly in the background.

@Electro Detective - thanks, but here in the UK banks are closing their branches at an alarming rate and now with C-19 we are glad to can access our banking from home rather than having to drive into the    center of town, struggle to park, and then wait in long queues. :)
 

Offline Analingus

  • Newbie
  • Posts: 1
  • Country: us
Re: Banking Security
« Reply #19 on: April 18, 2020, 10:42:08 pm »
I have seen a few posts on the security section here regarding password managers and the sentiment towards them comes off as negative towards them, is there a reason why? If one is using an open source, community approved PM and is using the program as inteneded, is that not the best way to be going about password security? Just curious and all this was seen in passing, so I may be off base.
 

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Re: Banking Security
« Reply #20 on: April 19, 2020, 09:09:35 am »
I have seen a few posts on the security section here regarding password managers and the sentiment towards them comes off as negative towards them, is there a reason why? If one is using an open source, community approved PM and is using the program as inteneded, is that not the best way to be going about password security? Just curious and all this was seen in passing, so I may be off base.

Just been reading a magazine article about flaws in PMs and  of course there have been several reported problems with them over the last couple of years, how many unreported ??

https://www.york.ac.uk/news-and-events/news/2020/research/expose-vulnerabilities-password-managers/

The old saying, do not put all your eggs in one basket !

Same as uploading to the Cloud, could it ever be 100% safe , even if encrypted, you never know when the service is pulled and your data possibly lost.
 

Offline alex_palvai

  • Contributor
  • Posts: 40
  • Country: ca
Re: Banking Security
« Reply #21 on: April 25, 2020, 11:35:05 pm »
Unless you don't care about security for your data , that's when its fine to use cloud.  Here is another critical vulnerability that's exposed (taking advantage of back end unauthenticated date on azure . Ton's of vulnerabilities on both Azure and AWS .

https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 11984
  • Country: us
Re: Banking Security
« Reply #22 on: April 26, 2020, 12:11:51 am »
If you're really worried about it, install the OS of your choice in a VM, save a snapshot of the clean install and then use that VM only for your banking site. You can revert to a completely clean slate any time you want.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9234
  • Country: 00
  • Display aficionado
Re: Banking Security
« Reply #23 on: April 26, 2020, 12:38:59 am »
If you're really worried about it, install the OS of your choice in a VM, save a snapshot of the clean install and then use that VM only for your banking site. You can revert to a completely clean slate any time you want.
If your hypervisor or host isn't as clean your VM can't be considered safe. If it is it can be used instead.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 11984
  • Country: us
Re: Banking Security
« Reply #24 on: April 26, 2020, 12:42:49 am »
Nothing is perfect, but if something is isolated in a VM it's pretty difficult to get any kind of cross contamination. If you only use the browser in the VM for banking then it's not going to have any cookies or sketchy browser extensions or anything like that. Using a clean VM is a bit like wearing a mask to prevent the spread of infection, it's not a panacea but it's another step away from being low hanging fruit.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9234
  • Country: 00
  • Display aficionado
Re: Banking Security
« Reply #25 on: April 26, 2020, 12:59:38 am »
Nothing is perfect, but if something is isolated in a VM it's pretty difficult to get any kind of cross contamination. If you only use the browser in the VM for banking then it's not going to have any cookies or sketchy browser extensions or anything like that. Using a clean VM is a bit like wearing a mask to prevent the spread of infection, it's not a panacea but it's another step away from being low hanging fruit.
If you don't want cookies or sketchy extensions its easier to use an incognito window, different browser or different Windows profile if you want to be thorough. A VM can be a great tool, but there doesn't seem to be a lot of added value there. Much of the advice here is reasonable or prudent computing but doesn't protect much against the likely dangers of online banking. Let's not get into a discussion about masks.  ;D
 

Offline Lindley

  • Contributor
  • Posts: 18
  • Country: gb
Re: Banking Security
« Reply #26 on: April 26, 2020, 08:34:08 am »
Much of the advice here is reasonable or prudent computing but doesn't protect much against the likely dangers of online banking.


Which does bring us back to my opening post - how can the average w10 PC user protect themselves against online banking dangers ....
 

Offline PKTKS

  • Frequent Contributor
  • **
  • Posts: 566
  • Country: br
Re: Banking Security
« Reply #27 on: April 26, 2020, 11:25:29 am »
Much of the advice here is reasonable or prudent computing but doesn't protect much against the likely dangers of online banking.


Which does bring us back to my opening post - how can the average w10 PC user protect themselves against online banking dangers ....

WON'T HAPPEN .. any time soon

By it very own nature I am still wondering after dealing
with that buzz model of MS since 80's  :

- WHY PEOPLE STILL CREDIT CONFIDENCE TO A CLOSED SOURCE CODE?
- WHY PEOPLE ALLOW a "by design" INSECURE OS to SELL SECURITY?
- WHY PEOPLE STILL TRUST  ANTI-VIRUS as a "normal" thing?

Ditched all MS insecure unreliable code by late 90s
Never used it again

All anti virus are gone - no virus - only source code available
running on a reasonable "trusted" system

And still there are things to consider

So why people still trust that  FUCKING OS made
to sell security and threats of malware and paid (ant) virus

FUCKED that in toilette  late 90s.

No chances taken - problems raised to reasonable level of safety

But i still wonder why people trust that opaque undisclosed buzz..
Just because they "say":  hey we care of you your family ..
or something like that?

They want our money. period. no matter consequences.

till I am concerned MS should go to hell
Paul
« Last Edit: April 26, 2020, 11:29:35 am by PKTKS »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf