Dedicated computer for online banking

I have my important stuff at Etrade. They gave me a security key that has a 6 digit number that changes every minute. I have to add this number to the end of my password to log in. Seems foolproof. Do any of the others offer this?

This is very good, but not a panacea. Others offer this token-based approach, but not many. Your main threat in this scenario is a man-in-the-browser type attack, where some form of malware has gotten onto your machine, and the MITB is acting behind the scenes on your computer, which you have authenticated with the token you refer to. Most malware attacks Windows devices just due to proliferation of those devices (and some would say inherent vulnerabilities). Ah, but you say "I don't go to gambling sites or porn sites, so my odds of getting my machine infected are very low!" Well, that sounds logical, but the problem is this: it's not those sites that are the problem. They have a vested interest in keeping their sites malware free, as they want you to come back and spend real money. The most problematic sites: religious blogs. Why? They lack the security expertise to keep their sites free from malware, plus they have an extremely large following. A perfect place for a Trojan if I'm a fraudster trying to steal from you. So, stay away from religion, and only go to porn and gambling sites! Lol. This of course is a joke!

Ack! What to do? Lots of good suggestions here - dedicated devices, Linux OS, Chromebook, etc. I prefer to use one of the most secure and easy to use devices: iPad over 4G (or personal wifi). It's not a malware free device, but it's the closest you'll probably get that is still easy to use and widely supported by the sites you need to get to. For me this works, because I constantly check on all things finance related, and I travel extensively. I couldn't be restricted to one stay-at-home device.
 
This is very good, but not a panacea. Others offer this token-based approach, but not many. Your main threat in this scenario is a man-in-the-browser type attack, where some form of malware has gotten onto your machine, and the MITB is acting behind the scenes on your computer, which you have authenticated with the token you refer to.

This seems very unlikely. Even if the MITB was watching specifically for my Etrade account, it would have 1-2 seconds to use that password. And they could only use it once. So maybe I don't understand what you mean?
 
This seems very unlikely. Even if the MITB was watching specifically for my Etrade account, it would have 1-2 seconds to use that password. And they could only use it once. So maybe I don't understand what you mean?

I'm not BMC, but he probably means that because the "man" is "in" the browser, he does not even need the password. You provided it for him.
 
Rust, correct. Once authenticated, he opens his own hidden browser window and does the bad thing that he does.
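
The point made in the replies above (the token proves who logged in, not what is done inside the session afterwards), as an added example that is not part of the original thread and not the broker's or any token vendor's code. It uses the public RFC 4226/6238 construction with a 60-second step as a stand-in for the proprietary token; the `Bank` class, the account names, the seed and the per-transaction code (which assumes a token that can take the payee and amount as input) are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code: the thread's token "changes every minute"
DIGITS = 6   # the thread's token shows a 6 digit number


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 value to DIGITS digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def login_code(seed: bytes, now: int) -> str:
    """Time-based code: depends only on the shared seed and the current minute."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest())


def transaction_code(seed: bytes, now: int, payee: str, cents: int) -> str:
    """Hypothetical per-transaction code: also covers the payee and amount."""
    msg = struct.pack(">Q", now // STEP) + f"{payee}|{cents}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha1).digest())


class Bank:
    """Hypothetical server side holding the same seed as the user's token."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.used_steps = set()    # time steps already accepted (single use)
        self.session_open = False

    def login(self, code: str, now: int) -> bool:
        step = now // STEP
        good = hmac.compare_digest(code, login_code(self.seed, now))
        if step in self.used_steps or not good:
            return False
        self.used_steps.add(step)
        self.session_open = True
        return True

    def transfer_session_only(self, payee: str, cents: int) -> bool:
        # Weak design: anything sent inside the logged-in session is honoured.
        return self.session_open

    def transfer_signed(self, payee: str, cents: int, code: str, now: int) -> bool:
        # Stronger design: the code must match the details the server received.
        expected = transaction_code(self.seed, now, payee, cents)
        return self.session_open and hmac.compare_digest(code, expected)


def demo() -> dict:
    seed, now = b"constructed-demo-seed", 1_700_000_000   # constructed values
    bank = Bank(seed)
    out = {"login": bank.login(login_code(seed, now), now)}
    out["replayed_code"] = bank.login(login_code(seed, now), now + 1)
    # The user approved 120.00 to ACCT-UTILITY on the token; the request that
    # reaches the server carries different details, changed on the PC.
    approved = transaction_code(seed, now + 5, "ACCT-UTILITY", 12_000)
    out["altered_session_only"] = bank.transfer_session_only("ACCT-OTHER", 500_000)
    out["altered_signed"] = bank.transfer_signed("ACCT-OTHER", 500_000, approved, now + 5)
    out["intended_signed"] = bank.transfer_signed("ACCT-UTILITY", 12_000, approved, now + 5)
    return out


if __name__ == "__main__":
    print(demo())
```

The single-use, one-minute code stops replay of the login, which is the protection the original poster describes; only a check tied to the transaction details rejects a request that was changed after login.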
 
I would just buy a cheap Windows laptop. I did what you mention in your OP but thought it was silly (but I have 2 laptops anyways). Since I am a keyboard jockey, I spent a good 6 hours min. on the machine, visiting hundreds of sites (99.99% are non-shady), still you never know what will get installed on your machine without your knowledge. So I dug into some security bulletins and have a routine before doing banking work.

I have CCleaner (with CEnhancer), PrivaZer to clean all internet activities, Super Antispyware. I run all 3 of these before doing any banking work. So far so good.

I recommend against Chromebook. AFAIK, you cannot store locally and I certainly do not want my financial documents in the cloud.
 
Another very good security program that I use (didn't mention in my earlier post) is KeyScrambler.

KeyScrambler Personal - CNET Download.com

I posted CNET link about it for review, but you can also download the free personal version 3.0 direct from QFX

QFX Software - Download KeyScrambler

I have Windows 7 premium (32 bit) and version 3.0 works fine with it - some complaints about version 3.0 not working with it at CNET. I have been using KeyScrambler personal (free) version for many years with other computers and Windows OS programs and it has always successfully encrypted keystrokes while online (KeyScrambler box pops up in tray when browser activated and you can see KeyScrambler in action when you type). Free version works with most popular browsers.
 
Another very good security program that I use (didn't mention in my earlier post) is KeyScrambler.

KeyScrambler Personal - CNET Download.com

I posted CNET link about it for review, but you can also download the free personal version 3.0 direct from QFX

QFX Software - Download KeyScrambler

I have Windows 7 premium (32 bit) and version 3.0 works fine with it - some complaints about version 3.0 not working with it at CNET. I have been using KeyScrambler personal (free) version for many years with other computers and Windows OS programs and it has always successfully encrypted keystrokes while online (KeyScrambler box pops up in tray when browser activated and you can see KeyScrambler in action when you type). Free version works with most popular browsers.


Awesome! Thanks for mentioning this. I will start using it as well!

For financial passwords, I never store them anywhere digitally. I have a relatively easy part I memorize and more complex part of each password that I write down on 2 pieces of paper stored separately. This way, I don't have to trust any program to store them for me or deliver them to my browser carefully enough without leaving traces in memory, etc.

If someone steals my piece of paper, they won't be able to use it without my "relatively easy" part (plus they won't even understand what accounts that piece is for, what user name I use, etc.)... and I figure it's unlikely that whoever steals or finds the paper is a good computer hacker.
 
For all those using Linux, how do you secure it? There are viruses for Linux too, just like for Apple OSes and any other OS. Sure, there are not as many as for Windows, but is that really good enough to protect your life savings?
 
noelm said:
I would just buy a cheap Windows laptop. I did what you mention in your OP but thought it was silly (but I have 2 laptops anyways). Since I am a keyboard jockey, I spent a good 6 hours min. on the machine, visiting hundreds of sites (99.99% are non-shady), still you never know what will get installed on your machine without your knowledge. So I dug into some security bulletins and have a routine before doing banking work.

I have CCleaner (with CEnhancer), PrivaZer to clean all internet activities, Super Antispyware. I run all 3 of these before doing any banking work. So far so good.

I recommend against Chromebook. AFAIK, you cannot store locally and I certainly do not want my financial documents in the cloud.

I am seriously thinking of getting a Chromebook, but I admit I am not a computer genius. So let me ask this question to make sure I understand correctly. You are only recommending against Chromebook because you can not store locally and don't want info in the cloud. My intentions are only to conduct transactions online, and print and file documents in my paper file, not store anything anywhere. Chromebooks used in this manner would be a perfectly safe option then because of their setup, and internal safety controls, correct?
 
I am seriously thinking of getting a Chromebook, but I admit I am not a computer genius. So let me ask this question to make sure I understand correctly. You are only recommending against Chromebook because you can not store locally and don't want info in the cloud. My intentions are only to conduct transactions online, and print and file documents in my paper file, not store anything anywhere. Chromebooks used in this manner would be a perfectly safe option then because of their setup, and internal safety controls, correct?

I am not a security expert but... I figure Chromebook is still a computer running some software in memory, connected to the internet. It would allow complex software to run on the computer from the websites (else many websites would not work on your computer). I imagine if you happen to end up on some bad website by accident (e.g. website pretending to be your bank or brokerage), it could do some damage by uploading whatever user id / pw you use to connect to the cloud or user name password you type in during that session, etc.

Also, found this link regarding security for Chromebooks:
Is Google's Chromebook impervious to viruses? | Homeland Security News Wire

Regarding storage, I wonder if you could use a flash drive if you needed to.
 
For financial passwords, I never store them anywhere digitally. I have a relatively easy part I memorize and more complex part of each password that I write down on 2 pieces of paper stored separately. This way, I don't have to trust any program to store them for me or deliver them to my browser carefully enough without leaving traces in memory, etc.

If someone steals my piece of paper, they won't be able to use it without my "relatively easy" part (plus they won't even understand what accounts that piece is for, what user name I use, etc.)... and I figure it's unlikely that whoever steals or finds the paper is a good computer hacker.

This is the system that I'm setting up for my important passwords. I like the KISS principle, and prefer not to have them stored on some other system. This just seems so simple and secure. Even keeping the unique part in a spreadsheet would seem to be OK, you need to couple them with the memorized 'key' to be of any use (I'm using two simple keys - KEY#1&complex-unique&KEY#2).

For everything else, I use the same easy to remember password for all, a mnemonic for something easy to remember, like "This Website Does Not Require Security Paranoia", TwdnrsP980, cap the first/last, add a few digits you can recall easily.

-ERD50
 
For all those using Linux, how do you secure it? There are viruses for Linux too, just like for Apple OSes and any other OS. Sure, there are not as many as for Windows, but is that really good enough to protect your life savings?

We get regular security updates on Linux, so it is being patched and kept secure. I have about 50 patches waiting for me right now, probably issued in just the past 2 weeks. Mostly for Java/Flash, but a few others.

But a distinction is required - there are security vulnerabilities and security breaches. So these are patches for vulnerabilities - maybe some little flaw that might allow someone to get in under some circumstances. But that doesn't mean anyone has actually demonstrated that happening - that would be a security breach. And then, the breach would have to be delivered somehow. AFAIK, there have not been any wide-spread security breaches of a Linux system, and very few on the Mac OS. There was a widely publicized one on Mac OS a few years back, but IIRC, it required some action on the user's part to initiate, and it never spread far, and was patched pretty quickly. I have not heard of any since then. With the increased popularity of Mac and iOS, it's hard for me to believe that these OS are relying on 'security by obscurity', that may still be part of it, but I tend to think that they are inherently more secure (but not 'bullet-proof'). I will say no more, it might awaken a bunny.

I've also got an open source virus scanner, ClamTK, that I run manually when I think of it, which is almost never. I get some false positives (very old pdfs) never anything else.

-ERD50
 
keeping the unique part in a spreadsheet would seem to be OK, you need to couple them with the memorized 'key' to be of any use (I'm using two simple keys - KEY#1&complex-unique&KEY#2).

I personally would be paranoid about a hacker downloading that spreadsheet and if they knew / guessed / found out its meaning, they could potentially use it to crack the rest of the password, since they'd know the complex part already... (I believe you can seed password cracking programs with a starting string, and maybe there are other ways too.)
 
I personally would be paranoid about a hacker downloading that spreadsheet and if they knew / guessed / found out its meaning, they could potentially use it to crack the rest of the password, since they'd know the complex part already... (I believe you can seed password cracking programs with a starting string, and maybe there are other ways too.)
What if the spreadsheet has a very strong password itself? I think Excel allows 15 characters.
 
...(snip)...
I don't store any passwords on our computer, and Firefox is set to wipe all data (including passwords) when closed. Also use CCleaner to wipe data history upon Firefox close.
...
How does one set Firefox to wipe all data when closed?

I just recently found out about the need to use a Master password in FF.
 
For all those using Linux, how do you secure it? There are viruses for Linux too, just like for Apple OSes and any other OS. Sure, there are not as many as for Windows, but is that really good enough to protect your life savings?

Anything connected to the internet is vulnerable to something. However Linux by design is more secure. The main reason is users are not allowed root privileges, same as Windows users not running with administrator rights. Windows 7 does a better job at implementing some Unix style security under the hood.

I would be more worried about the institution you are connected to being hacked.
 
Originally Posted by ERD50
keeping the unique part in a spreadsheet would seem to be OK, you need to couple them with the memorized 'key' to be of any use (I'm using two simple keys - KEY#1&complex-unique&KEY#2).
I personally would be paranoid about a hacker downloading that spreadsheet and if they knew / guessed / found out its meaning, they could potentially use it to crack the rest of the password, since they'd know the complex part already... (I believe you can seed password cracking programs with a starting string, and maybe there are other ways too.)

Yes, that's possible, but maybe I overstated it a bit when I said "simple keys". I would use something relatively complex for the KEY#1 and KEY#2, but still easy to remember like a mnemonic for a phrase that I would know.

Some examples:

KEY#1 might be WhTkNtDaH245 (We have Three kids Named Tom dick And harry. 2-4-5 is the letters in the first 3 words)

KEY#2 might be MfIciV273 (My favorite Ice cream Is vanilla, then #'s)

Combine Key#1 and Key#2 with your unique code for that institution to make up the entire password.

So if those two keys are kept separate from the spreadsheet, but I keep them on a piece of paper somewhere away from other financial stuff, and I can share it with DW, I think that is tough enough to crack that no one would try hard enough. They would use other means or seek out others (like the bear and hiker joke, I only have to outrun the other guy, not the bear).

-ERD50
 
I am seriously thinking of getting a Chromebook, but I admit I am not a computer genius. So let me ask this question to make sure I understand correctly. You are only recommending against Chromebook because you can not store locally and don't want info in the cloud. My intentions are only to conduct transactions online, and print and file documents in my paper file, not store anything anywhere. Chromebooks used in this manner would be a perfectly safe option then because of their setup, and internal safety controls, correct?
Yes.
I have not used Chromium OS personally so I am not aware of any malware issues. If there are none, you are safe (and actually perfect for your needs).
 
What if the spreadsheet has a very strong password itself? I think Excel allows 15 characters.

I am sure this is much better indeed... Still, virus / malware could intercept data in memory potentially, i.e. after your spreadsheet is opened / password is entered; or perhaps they could be Excel specific to get to Excel data...
 
How does one set Firefox to wipe all data when closed?

I just recently found out about the need to use a Master password in FF.

These are my FF setups -

Under tools, options:
Content - check block pop up windows
Privacy - check "tell websites I do not want to be tracked". Select "Never remember history" - or select "Use custom browsing mode for history" and "Always use private browsing mode". Check accept cookies from sites (uncheck accept third party cookies). Custom is for if you have issues with websites not working properly w/o allowing cookies. I end up mostly using the latter setting because of this issue (can easily change this setting between Never and Custom).

Private Browsing - Browse the web without saving information about the sites you visit | Firefox Help

Under security uncheck "remember passwords for sites".

Browser add-ons -

Click&Clean - will wipe all history upon close (use with CCleaner program). Also provides a button you can select that will wipe everything immediately w/o closing browser (belt and suspenders effort when leaving questionable site).
Ghostery - blocks 3rd parties (web bugs) while on page
Better Privacy - super cookie safeguard (erases LSO flash cookies - set on close)
WOT (Web of Trust) rates each page you visit and will temporarily prevent you from accessing a suspect page - to let you determine if you want to go to it (has a get me out of here warning and the WOT symbol turns red).

Addtl. FF browser add-ons (good ones to have) -

Adblock Plus, Adblock Plus Pop-up, and Padlock. These block a lot of those annoying ads, and Padlock shows (customizable) lock in URL bar for safety when accessing "https" sites. Also have Pocket which is like adding a web page to your favorites, but doesn't mess up your bookmarks. Simply click on the Pocket tab in the URL and it saves the page for later in a separate location.

Some might have better methods (welcome), but all of this is free and works for me - for a long time now.
 
I am sure this is much better indeed... Still, virus / malware could intercept data in memory potentially, i.e. after your spreadsheet is opened / password is entered; or perhaps they could be Excel specific to get to Excel data...
A few more thoughts on making this even more robust:
1) bury your info within innocuous spreadsheet data
2) do not use keywords like "login" or "password"
3) Consider purchasing KeyScrambler, an anti-keylogger. I don't currently have this myself.
 
These are my FF setups -

...
Fritz, thanks for sharing this.

I guess wiping this stuff and not saving non-financial passwords would make things a bit inconvenient which is the price for somewhat better security. For instance, when I visit the library web site it wants my library card's bar code which would be a pain to enter each time. Financial sites do not seem to allow a password to be saved in FF but some do allow the login to be saved.
 
Awesome! Thanks for mentioning this. I will start using it as well!

For financial passwords, I never store them anywhere digitally. I have a relatively easy part I memorize and more complex part of each password that I write down on 2 pieces of paper stored separately. This way, I don't have to trust any program to store them for me or deliver them to my browser carefully enough without leaving traces in memory, etc.

If someone steals my piece of paper, they won't be able to use it without my "relatively easy" part (plus they won't even understand what accounts that piece is for, what user name I use, etc.)... and I figure it's unlikely that whoever steals or finds the paper is a good computer hacker.

Fritz, thanks for sharing this.

I guess wiping this stuff and not saving non-financial passwords would make things a bit inconvenient which is the price for somewhat better security. For instance, when I visit the library web site it wants my library card's bar code which would be a pain to enter each time. Financial sites do not seem to allow a password to be saved in FF but some do allow the login to be saved.

I have utilized smjsl's password method for creating/remembering passwords for a long time.

As mentioned in an earlier post - our financial passwords are stored on a "well hidden" jump drive (in case of memory loss, or if my wife has to carry on with doing this task). It's in code itself...

These days, a lot of sites require passwords. It has become quite a burden to remember all of them. Like smjsl's method, I use a common password that's committed to memory (and on the "well hidden" jump drive), and add on a unique prefix and/or suffix to them - depending on the requirements of the website.

Exceptions to this rule are financial passwords, and what I call specific needs passwords. These are unique (don't have any of the common password component) to protect us from someone discovering one of our modified common use passwords and trying to hack away. Only have a few unique passwords to remember - the rest are smjsl's method.

I emailed our library card info to myself. I utilize Zimbra desktop (free) to obtain and store my gmail/yahoo email off line - I copy and paste the library numbers off the email to the library website when needed. There are other ways to do this - I sent you a PM.
 
Another way to accomplish the same thing is to get Windows 8 Professional edition, use Hyper-V and a USB hard drive, and use it as a pass-thru hard drive (dedicated), load Windows XP on the pass-thru hard drive (i.e. the Windows 8 does not see the drive), then in essence you have a dedicated computer for whatever purpose. (Of course you could also use VMware Workstation as well.) Virtualization is what most hosting companies now use to host web sites: the physical server runs a number of copies of the OS and these copies host the various web sites. Actually it's a very old idea; IBM first introduced the concept on the 360 with Virtual Machine back in the 1960s. (Now I do admit it's not for the faint of heart, you do need to understand what you are doing.) Once installed you log on to the virtual machine as if you were logging on to another machine with remote terminal services (this works only on the professional editions of Win XP, 7 and 8.)

Or perhaps a bit simpler, just load Windows on a USB memory stick and use it for financial issues; however you will need additional licenses for Office and your anti-virus just as if it were a different physical machine (also applies above as well).
 