Dedicated computer for online banking

[fritz]

Quote:

Originally Posted by Mulligan I hear this are extremely secure and need no virus protection as everything is done through google and the net with no operating programs on the laptop. It is literally wiped clean every time you turn it off. You can get a google chrome book for as little as $199. I am going to get one soon to replace my aging compaq and the slothful Vista that is on it.

Troubles me that you'll be paying for a laptop that depends on the internet/google for apps and functionality. Like taking TV recording from the total freedom of VCRs in the old days, to the highly restrictive DVR's you pay a monthly rental to your Cable TV provider for these days (with most not capable of allowing personal storage off the system - they're encrypted). See the future of Cloud storage/access going rental DVR style. Another way of putting it is that the cell phone is free with a 2 year contract, but the monthly service will definitely cost you.....

The Samsung Chromebook Reviewed: Worth Buying, But Limited by Its Internet Dependency | MIT Technology Review

[Mulligan]

Quote:

Originally Posted by fritz Troubles me that you'll be paying for a laptop that depends on the internet/google for apps and functionality. Like taking TV recording from the total freedom of VCRs in the old days, to the highly restrictive DVR's you pay a monthly rental to your Cable TV provider for these days (with most not capable of allowing personal storage off the system - they're encrypted). See the future of Cloud storage/access going rental DVR style. Another way of putting it is that the cell phone is free with a 2 year contract, but the monthly service will definitely cost you..... The Samsung Chromebook Reviewed: Worth Buying, But Limited by Its Internet Dependency | MIT Technology Review

That is true. But for me I only use computers for surfing. Which source doesn't matter to me, Google is fine.

[imoldernu]

On the computer...
Just bought from Walmart online, a refurbished HP CompaQ no shipping.. for $148. Model dc5850. Not much more than the price of Windows 7.
These are off lease computers, that come and go into the refurbisher who strips, cleans and installs Windows 7 (spoke to the refurbisher... 3000/week) . There are many models and the offerings change daily.
Mine has a 2.3 Athlon processor, 4 MB of RAM, an 80 gig hard drive and comes with Windows set up and updated. I am more than pleased. Had a problem out of the box... Called the vendor, and had the replacement in hand in 4 days.
Backed by the Walmart guarantee, so no real worries. My last refurb was $100 and lasted for 5 years 'til I gave it away...

[lark_L]

You just boot your existing PC with a Linux LiveCD OS, here's a source (do a search for Live Medium). Burn a CD, boot of it and use the browser there.

Another option is to create a Webconverger USB stick or CD. The use of this just for online banking is discussed a lot in the forum .

Personally, I set up my PC to dual boot with WIndows and Puppy Linux. I use the Linux 99% of the time, as I don't have to worry so much about malware, viruses etc. etc. But occassionally, I need to WIndows software and go there.

Article, another

[bmcgonig]

I have my important stuff at Etrade. They gave me a security key that has a 6 digit number that chances every minute. I have to add this number to then end of my password to log in. Seems foolproof. Do any of the others offer this ?

[Unpaintedhuffhines]

Quote:

Originally Posted by bmcgonig I have my important stuff at Etrade. They gave me a security key that has a 6 digit number that chances every minute. I have to add this number to then end of my password to log in. Seems foolproof. Do any of the others offer this ?

This is very good, but not a panacea. Others offer this token-based approach, but not many. Your main threat in this scenario is a man-in-the-browser type attack, where some form of malware has gotten onto your machine, and the MITB is acting behind the scenes on your computer, which you have authenticated with the token you refer to. Most malware attacks windows devices just due to proliferation of those devices (and some would say inherent vulnerabilities). Ah, but you say "I don't go to gambling sites or porn sites, so my odds of getting my machine infected are very low!" Well, that sounds logical, but the problem is this: it's not those sites that are the problem. They have a vested interest in keeping their sites malware free, as they want you to come back and spend real money. The most problematic sites: religious blogs. Why? They lack the security expertise to keep their sites free from malware, plus they have an extremely large following. A perfect place for a Trojan if I'm a fraudster trying to steal from you. So, stay away from religion, and only go to porn and gambling sites! Lol. This of course is a joke!

Ack! What to do? Lots of good suggestions here - dedicated devices, Linux OS, chromebook, etc. I prefer to use one of the most secure and easy to use devices: iPad over 4G (or personal wifi). It's not a malware free device, but it's the closest you'll probably get that is still easy to use and widely supported by the sites you need to get to. For me this works, because I constantly check on all things finance related, and I travel extensively. I couldn't be restricted to one stay-at-home device.

[bmcgonig]

[QUOTE=Unpaintedhuffhines;1285349]This is very good, but not a panacea. Others offer this token-based approach, but not many. Your main threat in this scenario is a man-in-the-browser type attack, where some form of malware has gotten onto your machine, and the MITB is acting behind the scenes on your computer, which you have authenticated with the token you refer to.

This seems very unlikely. Even if the MITB was watching specifically for my Etrade account, it would have 1-2 seconds to use that password. And they could only use it once. So maybe I dont understand what you mean?

[Rustward]

[QUOTE=bmcgonig;1285351]

Quote:

Originally Posted by Unpaintedhuffhines This seems very unlikely. Even if the MITB was watching specifically for my Etrade account, it would have 1-2 seconds to use that password. And they could only use it once. So maybe I dont understand what you mean?

I'm not BMC, but he probably means that because the "man" is "in" the browser, he does not even need the password. You provided it for him.

[Unpaintedhuffhines]

Rust, correct. Once authenticated, he opens his own hidden browser window and does the bad thing that he does.

[bmcgonig]

Has not thought of that. Thanks

[noelm]

I would just buy a cheap windows laptop. I did what you mention in your OP but thought it was silly (but I have 2 laptops anyways). Since I am a keyboard jockey, I spent a good 6 hours min. on the machine, visiting hundreds of site (99.99% are non-shady), still you never know what will get installed on your machine without your knowledge. So I dug into some security bulletins and have a routine before doing banking work.

I have CCleaner (with CEnhancer), PrivaZer to clean all internet activities, Super Antispyware. I run all 3 of these before doing any banking work. So far so good.

I recommend against Chromebook. AFAIK, you can not store locally and I certainly do not want my financial documents in the cloud.

[fritz]

Another very good security program that I use (didn't mention in my earlier post) is KeyScrambler.

KeyScrambler Personal - CNET Download.com

I posted CNET link about it for review, but you can also download the free personal version 3.0 direct from QFX

QFX Software - Download KeyScrambler

I have Windows 7 premium (32 bit) and version 3.0 works fine with it - some complaints about version 3.0 not working with it at CNET. I have been using KeyScrambler personal (free) version for many years with other computers and Widows OS programs and it has always successfully encrypted keystrokes while on line (KeyScrambler box pops up in tray when browser activated and you can see KeyScramber in action when you type). Free version works with most popular browsers.

[smjsl]

Quote:

Originally Posted by fritz Another very good security program that I use (didn't mention in my earlier post) is KeyScrambler. KeyScrambler Personal - CNET Download.com I posted CNET link about it for review, but you can also download the free personal version 3.0 direct from QFX QFX Software - Download KeyScrambler I have Windows 7 premium (32 bit) and version 3.0 works fine with it - some complaints about version 3.0 not working with it at CNET. I have been using KeyScrambler personal (free) version for many years with other computers and Widows OS programs and it has always successfully encrypted keystrokes while on line (KeyScrambler box pops up in tray when browser activated and you can see KeyScramber in action when you type). Free version works with most popular browsers.

Awesome! Thanks for mentioning this. I will start using it as well!

For financial passwords, I never store them anywhere digitally. I have a relatively easy part I memorize and more complex part of each password that I write down on 2 pieces of paper stored separately. This way, I don't have to trust any program to store them for me or deliver them to my browser carefully enough without leaving traces in memory, etc.

If someone steals my piece of paper, they won't be able to use it without my "relatively easy" part (plus they won't even understand what accounts that piece is for, what user name I use, etc.)... and I figure it's unlikely that whoever steals or finds the paper is a good computer hacker.

[smjsl]

For all those using Lunix, how do you secure it? There are viruses for Linux too, just like for Apple OSes and any other OS. Sure, there are not as many as for Windows, but is that really good enough to protect your life savings?

[Mulligan]

Quote:

Originally Posted by noelm I would just buy a cheap windows laptop. I did what you mention in your OP but thought it was silly (but I have 2 laptops anyways). Since I am a keyboard jockey, I spent a good 6 hours min. on the machine, visiting hundreds of site (99.99% are non-shady), still you never know what will get installed on your machine without your knowledge. So I dug into some security bulletins and have a routine before doing banking work. I have CCleaner (with CEnhancer), PrivaZer to clean all internet activities, Super Antispyware. I run all 3 of these before doing any banking work. So far so good. I recommend against Chromebook. AFAIK, you can not store locally and I certainly do not want my financial documents in the cloud.

I am seriously thinking of getting a Chromebook, but I admit I am not a computer genius. So let me ask this question to make sure I understand correctly. You are only recommending against Chromebook because you can not store locally and don't want info in the cloud. My intentions are only to conduct transactions online, and print and file documents in my paper file, not store anything anywhere. Chromebooks used in this manner would be a perfectly safe option then because of their setup, and internal safety controls, correct?

[smjsl]

Quote:

Originally Posted by Mulligan I am seriously thinking of getting a Chromebook, but I admit I am not a computer genius. So let me ask this question to make sure I understand correctly. You are only recommending against Chromebook because you can not store locally and don't want info in the cloud. My intentions are only to conduct transactions online, and print and file documents in my paper file, not store anything anywhere. Chromebooks used in this manner would be a perfectly safe option then because of their setup, and internal safety controls, correct?

I am not a security expert but... I figure Chromebook is still a computer running some software in memory, connected to internet. It would allow complex software run on the computer from the websites (else many websites would not work on your computer). I imagine if you happen to end up on some bad website by accident (e.g. website pretending to be your bank or brokerate), it could do some damage by uploading whatever user id / pw you use to connect to the cloud or user name password you type in during that session, etc.

Also, found this link regarding security for Chromebooks:
Is Google's Chromebook impervious to viruses? | Homeland Security News Wire

Regarding storage, I wonder if you could use a flash drive if you needed to.

[ERD50]

Quote:

Originally Posted by smjsl For financial passwords, I never store them anywhere digitally. I have a relatively easy part I memorize and more complex part of each password that I write down on 2 pieces of paper stored separately. This way, I don't have to trust any program to store them for me or deliver them to my browser carefully enough without leaving traces in memory, etc. If someone steals my piece of paper, they won't be able to use it without my "relatively easy" part (plus they won't even understand what accounts that piece is for, what user name I use, etc.)... and I figure it's unlikely that whoever steals or finds the paper is a good computer hacker.

This is the system that I'm setting up for my important passwords. I like the KISS principle, and prefer not to have them stored on some other system. This just seems so simple and secure. Even keeping the unique part in a spreadsheet would seem to be OK, you need to couple them with the memorized 'key' to be of any use (I'm using two simple keys - KEY#1&complex-unique&KEY#2).

For everything else, I use the same easy to remember password for all, a mnemonic for something easy to remember, like "This Website Does Not Require Security Paranoia", TwdnrsP980 , cap the first/last, add a few digits you can recall easily.

-ERD50

[ERD50]

Quote:

Originally Posted by smjsl For all those using Lunix, how do you secure it? There are viruses for Linux too, just like for Apple OSes and any other OS. Sure, there are not as many as for Windows, but is that really good enough to protect your life savings?

We get regular security updates on Linux, so it is being patched and kept secure. I have about 50 patches waiting for me right now, probably issued in just the past 2 weeks. Mostly for java/flash, but a few others.

But a distinction is required - there are security vulnerabilities and security breaches. So these are patches for vulnerabilities - maybe some little flaw that might allow someone to get in under some circumstances. But that doesn't mean anyone has actually demonstrated that happening - that would be a security breach. And then, the breach would have to be delivered somehow. AFAIK, there have not been any wide-spread security breaches of a Linux system, and very few on the Mac OS. There was a widely publicized one on Mac OS a few years back, but IIRC, it required some action on the user's part to initiate, and it never spread far, and was patched pretty quickly. I have not heard of any since then. With the increased popularity of Mac and IOS, it's hard for me to believe that these OS are relying on 'security by obscurity', that may still be part of it, but I tend to think that they are inherently more secure (but not 'bullet-proof'). I will say no more, it might awaken a bunny.

I've also got an open source virus scanner, ClamTK, that I run manually when I think of it, which is almost never. I get some false positives (very old pdfs) never anything else.

-ERD50

[smjsl]

Quote:

Originally Posted by ERD50 keeping the unique part in a spreadsheet would seem to be OK, you need to couple them with the memorized 'key' to be of any use (I'm using two simple keys - KEY#1&complex-unique&KEY#2).

I personally would be paranoid about a hacker downloading that spreadsheet and if they knew / guessed / found out its meaning, they could potentially use it to crack rest of password, since they'd know the complex part already... (I believe you can seed password cracking programs with a starting string, and maybe there are other ways too.)

[Lsbcal]

Quote:

Originally Posted by smjsl I personally would be paranoid about a hacker downloading that spreadsheet and if they knew / guessed / found out its meaning, they could potentially use it to crack rest of password, since they'd know the complex part already... (I believe you can seed password cracking programs with a starting string, and maybe there are other ways too.)

What if the spreadsheet has a very strong password itself? I think Excel allows a 15 characters.