Security concerns

Surfdaddy
Up until a few years ago, I had funds from over four families. I felt more comfortable having my eggs in "multiple baskets". After reading a lot of posts, I came to the conclusion that my fears were probably unfounded, and I've consolidated most of my savings into two fund families, with 85% of those funds in one family.

With the fairly recent and increasing concerns about malware, etc., I wonder again about the wisdom of having all funds together. Let's say I'm not worried about Vanguard having internal failures of accounting, etc, which would cause my funds to be lost (something like Madoff-lite). But what about malware? I've even heard it suggested that you should have a dedicated PC ONLY for accessing your online accounts, and you do no email or browsing on that PC. The problem of course is that even if you are careful, you never really know if some keylogger might have embedded itself and is happily transmitting your passwords to some other site.

Anybody concerned about this, or have other perspectives (to be more or less worried)?
 
Yes, it concerns me, but I travel a lot and am encouraged that even using my same laptop, I get security challenge questions when attempting to access my accounts from a new location.

I have an on-line account with a UK bank and I recently listened to a BBC Money program on the radio and they said that all UK banks follow the same practice of never asking you to enter your whole password on-line. You only ever get asked to enter 3 characters from the password, and it's a different 3 each time.

e.g. when I log on it might ask "Please enter the 2nd, 4th and next to last digits in your passcode"

Also, you should always have your banks bookmarked or in your favorites list so that you never type in the name of the website. Many banks also allow you to save your username so you rarely have to type your name in either.

All these precautions help to defeat any key-loggers that get by your anti-virus / anti-malware software, and also help defeat phishing programs.

The program I listened to had a caller who said he'd accessed his bank in his usual way and had been prompted to enter his whole pass code, so he called the bank (HSBC) who told him they never asked for a complete password - ever. Turned out that his usual way of getting to the HSBC website was to put the name in his Google search bar. (not recommended)
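As an added example (not code from the poster or from any bank), here is a small Python simulation of the partial-passcode login described above: the server draws fresh positions per login, checks only those characters, and we can also see how much a keylogger that watches several logins still learns. The passcode, positions and captured answers are constructed.

```python
import hmac
import secrets

# Constructed simulation of a UK-style partial-passcode check.
# Positions are 1-based, as shown to the customer ("2nd, 4th and last").

def new_challenge(passcode_length: int, k: int = 3) -> list[int]:
    """Draw k distinct 1-based positions with a CSPRNG; sorted for display."""
    if not 0 < k <= passcode_length:
        raise ValueError("k must be between 1 and the passcode length")
    positions: set[int] = set()
    while len(positions) < k:
        positions.add(secrets.randbelow(passcode_length) + 1)
    return sorted(positions)

def verify(stored_passcode: str, positions: list[int], answer: str) -> bool:
    """Server-side check of the requested characters only.
    Design cost worth knowing: to test individual positions the server must
    keep the passcode in recoverable form (or per-character secrets), not a
    single salted hash of the whole string."""
    if len(answer) != len(positions):
        return False
    expected = "".join(stored_passcode[p - 1] for p in positions)
    # constant-time comparison, as any password check should use
    return hmac.compare_digest(expected.encode(), answer.encode())

def known_positions(captures: list[tuple[list[int], str]]) -> dict[int, str]:
    """What an observer of several logins (prompt + typed answer) has learned:
    a map of position -> character. Each login leaks k more positions, so the
    scheme blunts a one-off capture rather than a persistent keylogger."""
    learned: dict[int, str] = {}
    for positions, answer in captures:
        for p, ch in zip(positions, answer):
            learned[p] = ch
    return learned

def can_answer(learned: dict[int, str], positions: list[int]) -> bool:
    """Would the learned characters suffice for a new challenge? Only if
    every requested position has already been observed."""
    return all(p in learned for p in positions)

if __name__ == "__main__":
    passcode = "7f3k9q2"  # constructed sample passcode, not a real one
    chal = new_challenge(len(passcode))
    typed = "".join(passcode[p - 1] for p in chal)  # what the customer types
    print("Please enter positions", chal, "->", verify(passcode, chal, typed))
    seen = known_positions([(chal, typed)])
    print("after one observed login, positions known:", sorted(seen))
```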
 
Unfortunately, I think it's difficult to only have one PC solely for online accounts, no browsing. If one has enough self-discipline, perhaps. But that is like having two cars, but for one of them, never taking that car on the freeway.

Instead, I think the best approach is to make sure your computer is up to date with a good password manager to create/store security passwords, antivirus and anti-keylogging software. One can also use a virtual keyboard program to enter the master password in the password managing software with a mouse instead of keystrokes. I have a virtual keyboard program. Yet, I find that I get lazy at times and just type the password in (old habits die hard :blush:).
 
Reasonable protection for your computer (up to date antivirus & anti-malware), safe browsing and computing practices, understanding the law, your responsibilities and the liabilities of the financial custodian should do. Beyond that, too much focus may not materially improve one's security. For most people, too much complexity leads to decreased effectiveness - writing down passwords and such.

IIRC most fraud affecting individuals is carried out by family members.

Pay attention, check accounts regularly, make sure your contact information is always current, understand and comply with the security measures of your financial institutions. They have immediate direct liability for unauthorized electronic withdrawals and have more at stake. Among the ones I have dealt with there are clear differences and some (USAA, Vanguard) are more effective than others.
 
Instead, I think the best approach is to make sure your computer is up to date with a good password manager to create/store security passwords, antivirus and anti-keylogging software. One can also use a virtual keyboard program to enter the master password in the password managing software with a mouse instead of keystrokes. I have a virtual keyboard program. Yet, I find that I get lazy at times and just type the password in (old habits die hard :blush:).

What are some good password manager programs? I perhaps have an outmoded view of them. It just seemed to me that having a piece of software that had all my passwords in it would be wise since if someone got into that software then they had everything. Yet, as I try to use more and more passwords it does get difficult to remember them all.
 
What are some good password manager programs? I perhaps have an outmoded view of them. It just seemed to me that having a piece of software that had all my passwords in it would be wise since if someone got into that software then they had everything. Yet, as I try to use more and more passwords it does get difficult to remember them all.
I like roboform - although it does cost and they are trying to move to a yearly charge. I use it for passwords (and form filler) for non-financial stuff - which is still over 100 usernames and passwords - and keep the 4 financial ones to myself (and DW). I still can't bring myself to use a password manager for my financial accounts.
 
What are some good password manager programs? I perhaps have an outmoded view of them. It just seemed to me that having a piece of software that had all my passwords in it would be wise since if someone got into that software then they had everything. Yet, as I try to use more and more passwords it does get difficult to remember them all.


You can go to a site like download.com (password manager downloads - Free software downloads and software reviews - CNET) and try them out for one that fits your needs.

The master password is sort of like if you have a physical key box with keys to various locks for your house/car (your front door, back door, car keys, storage room, etc.). The box holds a copy of all the keys, but you hold a master key (preferably, put in a safe or a good hiding place).

The password manager works with the same principle. One strong master password or pass phrase that holds all your passwords. Of course, you want a program that automatically encrypts your password file (any good password manager should do this) so they can't be read if someone steals or you lose the password file.

Right now, I'm using a simple program called MyPadlock. It's only version 1.0, but very easy to use. It could use some areas of improvement, but I like that it has a drag/drop feature for your user names/passwords.

Before MyPadlock, I had been using a program called AnyPassword which I was totally happy with, but the free version isn't Windows 7 compatible and the paid version, to me, seems more complicated than needed. When I got a netbook that uses Win 7, I didn't want to have a program for Win 7, then one for XP on my desktop.

I've also tried Password Safe which I liked too. Works in both XP and Win 7.
 
If you're really concerned, most financial institutions still support telephone services to check your accounts, make trades, etc. If you use an old fashioned wired land line, this will prevent anyone from picking up any information. Don't use a wireless unencrypted phone when calling.
 
I avoid logging into my bank or brokerage accounts over wifi when traveling unless it's vital. It can wait until I get home and on a land line. That's why Morningstar service is handy - you can see your balances but you can't give away an important password where funds can be transferred!
 
There are no guarantees, unfortunately. For online accounts, you have a long list of potential failure points. It begins at your keyboard, and ends somewhere in the institution. You've mentioned two items out of thousands.
I'm not sure that reducing the number of institutions helps lessen the probability of loss. Unless you picked up on something specific. Let's say an account rep provided your spouse with a piece of information not to be provided. That might suggest their internal controls, training and procedures were lacking.
As for the security on one PC at your home, that is an approach. It would be wired (NOT wireless), physically isolated, have installed protection of various kinds, and so on. Still, it could be stolen!
I work in a secure area and we have closed spaces. I have heightened awareness, but am realistic. Rather than using a password program, I store all information in an encrypted area of my hard drive (TrueCrypt). Initially, I did this to protect my contact database, which contains information on hundreds of accounts and passwords. If stolen, someone will have to guess the 13 character master password. I also store tax information, etc. in that space.
As for keyloggers, that is a category of software, and no longer includes just apps that record key presses. A keylogger can operate in many ways. These programs can access your clipboard, capture the contents of what you paste or type into fields, or even capture a portion of the screen where you've typed in some information.
 
Well I don't want to scare anybody, but this malware is getting very dangerous, very fast. I work as a software engineer for a subsidiary of a MAJOR defense contractor and use their supplied (encrypted) laptop. In February that laptop was breached and a keylogger installed on it (a large number of laptops were targeted at the company, not just mine). It was immediately replaced (the original sent in to the corporate CERT group for forensic analysis) and then we added RSA devices to harden the security even more. I was targeted again this week (as well as a few others at my company) and another keylogger was identified by network monitoring as coming from my laptop. Since I was travelling, I also immediately called my financial institution and put a freeze on my accounts. I don't think I did any personal business on that laptop, but wasn't 100% sure.

I'm still evaluating what I will do going forward. I have upped the security on my personal machine, ran multiple virus/malware scans (all clean) and reviewed all the firewall settings on the home router, but I have not unfrozen my accounts yet. I have never had any problems on my personal machines, and these attacks have all been against my employers network, but I don't have a comfortable feeling any more.
 
Do any of these major malware worries run on anything other than Windows ? I thought Windows Seven was going to be super secure and put an end to them for ever ?
 
Well I don't want to scare anybody, but this malware is getting very dangerous, very fast. I work as a software engineer for a subsidiary of a MAJOR defense contractor and use their supplied (encrypted) laptop. In February that laptop was breached and a keylogger installed on it (a large number of laptops were targeted at the company, not just mine). It was immediately replaced (the original sent in to the corporate CERT group for forensic analysis) and then we added RSA devices to harden the security even more. I was targeted again this week (as well as a few others at my company) and another keylogger was identified by network monitoring as coming from my laptop. Since I was travelling, I also immediately called my financial institution and put a freeze on my accounts. I don't think I did any personal business on that laptop, but wasn't 100% sure.
Curious as to what identified the keylogger on your machine.
 
Take a look at Passpack as a password manager, it is free for personal use with a decent # of passwords.
 
...then we added RSA devices to harden the security even more.

If your financial institution offers key fobs, they are one of the best security mechanisms. An attacker must know not only your username and password (usually), but also physically possess the fob to access your account(s).
 
I'm not convinced that computer system security for home or small scale users, like me, is worth worrying about, beyond a few obvious things when you set a system up. I administered at work from 1 to 4 Unix systems for over 20 years, never giving the problem much time or attention, and had only one real problem --- some sort of rootkit, I guess, that I couldn't get rid of without reloading the operating system. Even then, no users were inconvenienced, or even noticed a problem.

On my home systems -- 2 computers (one Linux and one Microsoft) and other things on a wifi network with weak security -- I've never had a problem. When setting up the systems, I told them, yes, do automatically install security updates to the operating systems and any programs using the network (e.g., Firefox). But that's not something I have to attend to now --- it just happens.

Firefox (and Thunderbird, and other browsers/email managers) incorporates a password manager. It's not necessary to have another. I did, for a while, use the Lastpass addon password manager, for Firefox, which was occasionally more convenient, but it started to make me uneasy having all my passwords stored elsewhere, so I went back to using just the Firefox manager, with all passwords stored only on my own system.

I think most time spent obsessing over system security is time wasted.
 
Curious as to what identified the keylogger on your machine.

I don't know. I was just contacted by the company's network security that they were monitoring the system and multiple machines were sending packets to a foreign IP. They isolated these machines and had them turned in. They were not able to "cleanse" the machines and they were then wiped clean.
 
If your financial institution offers key fobs, they are one of the best security mechanisms. An attacker must know not only your username and password (usually), but also physically possess the fob to access your account(s).

I'm not sure if it is general knowledge, but the RSA encryption was recently hacked and most companies are responding with additional mechanisms for security on top of the RSA device.

RSA's Secure IDs Hacked - What to Do - NYTimes.com

Look, I'm not saying that the sky is falling. I would just suggest that people ask their financial institutions what additional security mechanisms are available to them and then to utilize them. This is not something I am personally going to just ignore. The only accounts I've locked down are my "big" ones. I still do online banking and check my credit card balances online.
 
There is no such thing as a completely secure computer... unless it is turned off.

After that... there are layers of security and hopefully those layers (technology and practices) guard against the bad guys. Technology.... firewalls, antivirus, etc. Practices... keeping the system patched, using secure accounts, etc.

One issue that is often overlooked by home users is to have administrative privileges on the account they use for general work (surfing, etc). In some cases this can allow the attacker to install software and update certain system areas.

A better practice is to use a limited privilege account (or guest access privileges). Those accounts do not allow the user to install software (or attackers that try to take control during their logged in session). Of course, the user cannot install software themselves so they would need to log in to an admin-level account for computer maintenance tasks. This is a hassle, but IMO a worthwhile trade-off of convenience for security.

This practice is not fool proof but it can foil certain types of attacks. There are other ways attackers can compromise a computer that is in use with a limited privilege account... because scripts or exes can still be downloaded and run directly that might be able to take advantage of a weakness in the computer to install malware or perform tasks while the session is running.
 
Here is an article ('Tricked' RSA Worker Opened Backdoor to APT Attack) with more 'techy' stuff in it. Stay out of those Junk folders!!!
A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee to retrieve from a junk-mail folder and open a message containing a virus that led to a sophisticated attack on the company's information systems, a top technologist at the security vendor says in a blog.
 
There is no such thing as a completely secure computer... unless it is turned off.

[edited out stuff here]

A better practice is to use a limited privilege account (or guest access privileges). Those accounts do not allow the user to install software (or attackers that try to take control during their logged in session). Of course, the user cannot install software themselves so they would need to log in to an admin-level account for computer maintenance tasks. This is a hassle, but IMO a worthwhile trade-off of convenience for security.

This practice is not fool proof but it can foil certain types of attacks. There are other ways attackers can compromise a computer that is in use with a limited privilege account...
That computer you mention must also have the network cable disconnected, lest a magic packet be sent to wake the computer up.
The limited account idea is very good. I admin a small business network distributed to 8 locations. Where the employees have re-infected their computers several times, I have installed new systems with limited accounts. The new systems are humming along with no internet games or specialized screen savers installed. The business manager asked for the admin password, as it was limiting for them. I refused, and then was asked by the operations manager for updated list of all passwords. I sent them, included my warning that the admin password must not be given to anyone. I expect service calls to double as a result of this.
 
White House Unveils Plan for Secure Online IDs

White House Unveils Plan for Secure Online IDs | News & Opinion | PCMag.com

Seems the White House has been following this thread as well.

Ah, yeah, about that...

This becomes what a systems engineer would call a single point of failure.

The approach is vulnerable to a type of man in the middle attack which allows the attacker to take over your trusted ID for the duration of a session. Public WiFi networks are ideal for deploying this sort of attack. The method works well against RSA token devices and similar one-time 'secure' authentication mechanisms.

Then, of course, there will be the inevitable break-in to the secure online ID provider.
 
I have 4 user names and corresponding passwords. I don't know that it is a good system --- it just sort of evolved over the years. I'd be interested in any critical comment. (1) my high security name/password I use for root on my home systems and for the systems at work I administered (before I retired), (2) my personal accounts at home and at work, (3a) one net name and (3b) another net name, both with the same password, which I use for forums and for purchasing accounts like Amazon. The (1) and (2) ids have never been exposed on the net.
 