Financial Chromebook?

Katsmeow

So I am pondering whether to get a separate financial Chromebook. That is, a Chromebook used just to go to any websites for financial stuff. I have never had any problems, but wonder whether it is prudent or overkill. And, if I do it, can I use the Chromebook for anything else.

I currently visit the website of my investment accounts and bank on an almost daily basis. I just like to check in on everything. I have a separate thread about email addresses and I have decided to set up a separate email address that I will use for those investment accounts and the bank. It will not interact with my other email accounts.

While I have seen some places recommend doing this, others say it isn't necessary. I am actually coincidentally getting a new computer next month (currently on order waiting to ship). I use Bit Defender and do a quick scan every day. I use gmail for my email (well I have had a domain that I had gmail fetch the mail).

While I understand the reasoning for a financial only computer, I am not sure that it is really necessary. I am very careful where I go and what I do on the computer. I guess the biggest fear would be a keylogger. I understand the advantages of a Chromebook but not sure it really is necessary given the security I have in place on my computer.

The negatives to a separate Chromebook.

1. I log in to financial accounts daily so I would need to do this often so would want the Chromebook nearby but I don't have a good place for it near my other computer.

2. Cost. Chromebooks aren't expensive really but it would still be money I was spending in order to spend 5 minutes each day online. This is exacerbated if I literally can't use the Chromebook for anything else.

3. My interaction with financial sites is often just to do stuff like download statements or confirmations. I usually keep those in PDF form. Not sure how to get them from the Chromebook to my main computer if there is no interaction between the two.

I did some Google searching on this and some people advocate that even on a financial Chromebook as long as you keep the email address separate it is OK to go to at least some websites and to use Google apps. If I could, for example, use the Chromebook to watch youtube that might be useful (I would not use the financial email to log in).

Some people advocated setting up a separate profile on the Chromebook and then using that one to go to websites. I could perhaps see that if you were just going to them and not downloading anything.

Or I could just use my new computer with my new "financial" email that I keep separate from others and rely on Bit Defender to keep the computer safe (note I have actually never had any problem or virus or keylogger, etc on my computer...this is all just hypothetical).

Any thoughts by those who opted to do this or not? If I can do it, do you think I could use the Chromebook to watch youtube or just visit some websites potentially on a separate profile? Or just continue to use my main computer?
 
I believe that it's really not worth it.

However, if you do feel more secure doing it, it's a very small price to pay for that comfort - nothing wrong with that. But, if you are going to do it, you have to stick to the approach. Lots of times folks will have a good idea like this, but then, they'll want to do something "just once". Next thing you know, it's another thing "just once". Before you know it, the original purpose is defeated and you're using it for all kinds of stuff.

3. My interaction with financial sites is often just to do stuff like download statements or confirmations. I usually keep those in PDF form. Not sure how to get them from the Chromebook to my main computer if there is no interaction between the two.

A few options:
1. Email to your personal account on your main computer.

2. Use Google Drive where your main account would specifically permit your Chromebook profile to share. Use it only for transferring files. After you've downloaded to your main computer, delete from Google Drive.

3. Use a secure storage service like fidsafe.com, which Fidelity provides. Even more secure - do the same as with #2 - use it only for the duration to transfer files, then delete them.

If I can do it, do you think I could use the Chromebook to watch youtube or just visit some websites potentially on a separate profile? Or just continue to use my main computer?

Absolutely not. If your objective is to keep it secure, then don't use it for visiting any site other than those where your financial information is located. Visit any other website, or use it for anything else, even just once, and you've defeated the entire purpose and potentially compromised the machine. For this reason, I don't think it's really worth it. At some point, even if inadvertently, you're going to do something which you shouldn't. If I were doing this, I would specifically set up the browser to only allow visiting those individual websites where I have financial data and block all other internet sites - everything. If you start dealing with a new financial institution, you'd have to go in to the settings and specifically add the new site before being allowed to visit it.

Instead, take advantage of the security capabilities which most financial sites provide nowadays and you should be fine. First and foremost, use two-factor authentication on all sites along with a strong password. It would be very difficult for a hacker to defeat this. The difference between a strong password and a weak one is simply a couple of additional uppercase and special characters. We're talking on the order of millions of years to crack. Use a different strong password on each site, and you're good.

Lastly, most all financial institutions have additional security controls in place and provide fraud coverage in the event that you are hacked.
 
I believe that it's really not worth it.

Thank you for the thoughtful detailed response. Exactly the type of info I am looking for.


1. Email to your personal account on your main computer.

Yes, I could do that. I guess the idea though was to never use that email to email anything except to the financial institutions (which basically never happens).

2. Use Google Drive where your main account would specifically permit your Chromebook profile to share. Use it only for transferring files. After you've downloaded to your main computer, delete from Google Drive.

In my research, I found some complaints that seemed to question this. The draw of the Chromebook is supposedly it is more secure than other OS. However some say that if you share a Google drive with your other computer (and emails) that this does allow in a point of vulnerability. Not really sure if so.

3. Use a secure storage service like fidsafe.com, which Fidelity provides. Even more secure - do the same as with #2 - use it only for the duration to transfer files, then delete them.

This might work.


Absolutely not. If your objective is to keep it secure, then don't use it for visiting any site other than those where your financial information is located. Visit any other website, or use it for anything else, even just once, and you've defeated the entire purpose and potentially compromised the machine. For this reason, I don't think it's really worth it.

The reason I mentioned Youtube specifically is you would be using the Google App. Supposedly part of the draw of the Chromebook is that it is safer than your ordinary Windows computer so you could use the app without risk particularly if you used a separate profile. So, you could theoretically have a situation where something that would be risky on a Windows computer is not risky on the Chromebook. But, I don't really know...



Instead, take advantage of the security capabilities which most financial sites provide nowadays and you should be fine. First and foremost, use two-factor authentication on all sites along with a strong password. It would be very difficult for a hacker to defeat this. The difference between a strong password and a weak one is simply a couple of additional uppercase and special characters.

Oh, I do all that. I used a generated strong password. I guess my main fears are twofold:

1. I fear a keylogger. I do everything I can to avoid it including running a scan every morning and I have set up everything to avoid it. But, I am sure someone has to be one of the first people to get something like that.

2. SIM swapping. That one really worries me since there is not much I can do to prevent it. I mean I can have a PIN with my cell carrier which I do have. But I have read of people having it happen nonetheless. All of these 2FA things that rely on cell phone stuff bother me. That said, presumably I would notice this in time to contact financial institutions before anything could really happen.
 
If you are really concerned with privacy and security consider a Linux distribution. Chromebooks give data to Google, Windows gives data to Microsoft.
 
If you are really concerned with privacy and security consider a Linux distribution. Chromebooks give data to Google, Windows gives data to Microsoft.
Jim,
If OP were to dual boot new computer (Windows 10 / Linux) how difficult to set up a shared folder on that computer where Linux could save data accessible by Windows (if he needs to add in older financial PDFs, etc.)? Last evening I was thinking that would be a simpler solution. It would also be more secure than Chromebook (with gmail profile) + Windows 10.

I agree with you that Linux is more secure. Which browser would you use with Linux to maximize security when on financial site(s)?

Interesting challenge for OP.
 
Don't have a Chromebook, but I have an Android tablet for financial, only, stuff. Some financial institutions have apps that behave slightly different than logging on through the browser. For example, last time I checked Wells Fargo website it will NOT allow you to deposit checks. Their Android app, will. I also have the Chase app installed because I believe the web login does not have all the functionality but I don't remember what it is missing.

So, the question is: Will the financial apps run on a Chromebook? If not, do you need them?
 
What about a Linux VM on Katsmeow's current computer? IIRC, anything done while on the VM couldn't even be keylogged by the boot OS, right? I know that's probably harder to set up, but it's a cheaper (and IMO more convenient) option if she can find a trusted friend or relative who can set that up for her.

And njhowie, thanks for the mention of FidSafe, I hadn't heard of it before.
 
Jim,
If OP were to dual boot new computer (Windows 10 / Linux) how difficult to set up a shared folder on that computer where Linux could save data accessible by Windows (if he needs to add in older financial PDFs, etc.)? Last evening I was thinking that would be a simpler solution. It would also be more secure than Chromebook (with gmail profile) + Windows 10.

I agree with you that Linux is more secure. Which browser would you use with Linux to maximize security when on financial site(s)?

Interesting challenge for OP.
Linux can read the NTFS file system so it isn't a problem. OP could use a shared drive with Veracrypt disk encryption. Both OSes can read the Veracrypt volume.

Another option: use Linux with Virtualbox to run Win 10 as a virtual machine. Since I don't really trust Win 10 I wouldn't use Win 10 to run a Linux VM.


Linux running Win 10 in Virtualbox: [attached screenshot: Screenshot at 2020-06-17 09-24-12.jpg]
Quite complicated I think. Why not limit yourself to financial institutions that give a 100% guarantee against hacking? Schwab does this.
 
So I am pondering whether to get a separate financial Chromebook. That is, a Chromebook used just to go to any websites for financial stuff. I have never had any problems, but wonder whether it is prudent or overkill. And, if I do it, can I use the Chromebook for anything else.

I have 2 Chromebooks but do NOT recommend for security purposes. I think that Windows PCs are better because you can install financial software and use excel.

I suggest a second windows 10 laptop that can be hidden away when not in use.
 
Can someone explain how a computer with various programs makes financial accounts more vulnerable? I am under the impression that the institution will be hacked in order to find my password/penetrate my accounts. Or, my credit card will find its way to a reader.

I am not well informed about this hacking technique. Can someone explain how this would work? And, if I used just one computer for everything, what I might want to consider to protect my financial accounts from being hacked?

Thanks
 
One question for those of you who have a Chromebook. One thing I do with investment accounts is to download statements or confirmations. I would then need to send those to my Windows PC. Anyway, with a Chromebook can I download those statements and then send them somewhere? If I can't download them then a Chromebook wouldn't work as I need some way to get those statements.

Responses to others:

If you are really concerned with privacy and security consider a Linux distribution. Chromebooks give data to Google, Windows gives data to Microsoft.

Honestly, I am not that concerned with the privacy aspect. My sole concern is the safety of my money.

As for Linux I did look online and found nothing to suggest that a pure Linux OS would be safer for this purpose than Chrome OS (which is ultimately based on Linux). Honestly, if I had to run Linux to do this I would simply give it up and keep using my Windows desktop.

Don't have a Chromebook, but I have an Android tablet for financial, only, stuff. Some financial institutions have apps that behave slightly different than logging on through the browser. For example, last time I checked Wells Fargo website it will NOT allow you to deposit checks. Their Android app, will. I also have the Chase app installed because I believe the web login does not have all the functionality but I don't remember what it is missing.

So, the question is: Will the financial apps run on a Chromebook? If not, do you need them?

If I have a dedicated Chromebook for the purpose of logging onto my financial accounts I won't be running any financial apps on the Chromebook. The only app I was considering running was possibly YouTube just to view stuff.


I have 2 Chromebooks but do NOT recommend for security purposes. I think that Windows PCs are better because you can install financial software and use excel.

I will not be using any financial software on the Chromebook. I will be using financial software and excel on my Windows desktop.

You seem to imply that the Chromebooks are less secure than a Windows machine. That flies in the face of everything I have read? How is a Chromebook less secure? Remember I will not be using apps on this.


Can someone explain how a computer with various programs makes financial accounts more vulnerable? I am under the impression that the institution will be hacked in order to find my password/penetrate my accounts. Or, my credit card will find its way to a reader.

I am not well informed about this hacking technique. Can someone explain how this would work? And, if I used just one computer for everything, what I might want to consider to protect my financial accounts from being hacked?

Thanks

There are several potential things, many of which relate to email or web browsing, although it could be programs. Two key ones:

1. You can get a keylogger on your machine. You can get one through an attachment from an email. You can get it from a webpage script simply by visiting an infected site. (This is why you should scan your computer daily to find anything like this). You can fall for a phishing email which sends you to a dangerous site.

2. Programs can contain malware which does bad things. You can download a program that has some malicious code in it. It could distribute a virus or a trojan or have ransomware, etc.

I am not worried about, say, having Excel on the same computer as my financial stuff. The worry is the small app you downloaded that maybe has malware in it.
 
Can someone explain how a computer with various programs makes financial accounts more vulnerable? I am under the impression that the institution will be hacked in order to find my password/penetrate my accounts. Or, my credit card will find its way to a reader.
I am not well informed about this hacking technique. Can someone explain how this would work? And, if I used just one computer for everything, what I might want to consider to protect my financial accounts from being hacked?

Thanks
Actually the main risk for a user is "phishing" emails designed to trick the user into visiting a web site, often one designed to look just like a financial institution's web site and asking for a userid and pwd. More from https://www.us-cert.gov/publications/virus-basics:
"Most users get viruses from opening and running unknown email attachments. Never open anything that is attached to an email message unless you know the contents of the file. If you receive an attachment from a familiar email address, but were not expecting anything, you should contact the sender before opening the attachment. If you receive a message with an attachment and you do not recognize the sender, you should delete the message.

"Selecting the option to view your email messages in plain text, not HTML, will also help you to avoid a virus."
IMO having a separate computer is unnecessary but if you do want to go that route it should be a computer with no email capability, in or out. It should also not be routinely left connected to a network with other computers.


As I said, my first line of defense is banking institutions' guarantees. Zero effort, zero cost. I do have a policy however, that I do not access financial information or have financial apps on cell phones or tablets that might be stolen or lost. I also do not have any financial logins memorized in browsers or password managers. In fact, I do not use password managers at all.
 
As for Linux I did look online and found nothing to suggest that a pure Linux OS would be safer for this purpose than Chrome OS (which is ultimately based on Linux). Honestly, if I had to run Linux to do this I would simply give it up and keep using my Windows desktop.
Chrome OS is tied to the hip with Google. Any data going up to the Google cloud is seen by Google. Plus it tracks a lot of telemetry like location, and other stuff. Chrome OS is not Linux, it uses the Linux kernel and that is it.

Windows is a black box since we can't see the source code, so who really knows what it is sending back to Microsoft. Everyone attacks it with viruses and malware. I have never used an anti-virus with Linux or heard of anyone getting infected, and I have used it since it came out.
 
What about a Linux VM on Katsmeow's current computer? IIRC, anything done while on the VM couldn't even be keylogged by the boot OS, right? I know that's probably harder to set up, but it's a cheaper (and IMO more convenient) option if she can find a trusted friend or relative who can set that up for her.

It's pretty easy to set up a VM, I use them all the time for work.

I use VirtualBox, you just install it on your machine. Then start it up and load an OS into it.

"Presently, VirtualBox runs on Windows, Linux, Macintosh, and Solaris hosts"

Here is the website: https://www.virtualbox.org/

Once you have it set up, you can export the machine (with all its data) to back it up. This allows you to move it to another machine.
 
As I said, my first line of defense is banking institutions' guarantees. Zero effort, zero cost. I do have a policy however, that I do not access financial information or have financial apps on cell phones or tablets that might be stolen or lost. I also do not have any financial logins memorized in browsers or password managers. In fact, I do not use password managers at all.

Strong point here.

Last year, a friend of mine got his Chase bank account hacked. Bank won't reveal how it was done. He got tagged for $25K, but the bank made good on it.

My friend works in IT for a big company.
 
Can someone explain how a computer with various programs makes financial accounts more vulnerable? I am under the impression that the institution will be hacked in order to find my password/penetrate my accounts. Or, my credit card will find its way to a reader.

I am not well informed about this hacking technique. Can someone explain how this would work? And, if I used just one computer for everything, what I might want to consider to protect my financial accounts from being hacked?

Thanks

This month Wired Magazine has an article on the hacker who developed Kronos.

Kronos would use HTML injection to add fields to your bank login so it could capture your information from your machine. No need to hack the bank.

When you have a bunch of programs on your computer, you probably use the internet to look at: pictures, read news, read this forum and others, follow links to various other sites for more information.

One of those can contain a link or embedded code to make your machine download a virus.
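
The added login fields described in the post above can be spotted by comparing the form the browser actually rendered with the form the site is known to serve. The following is an added example, not part of the original thread; the field names, the baseline set, the hint list and both HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser

# Field names the genuine login form is known to serve (hypothetical baseline).
BASELINE_FIELDS = {"username", "password", "csrf_token"}

# Substrings suggesting a field collects extra secrets (illustrative, not exhaustive).
SENSITIVE_HINTS = ("pin", "ssn", "cvv", "card", "mother", "dob")

# Constructed sample: the form as the site serves it.
SERVED_FORM = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed sample: the same form as captured from a browser where
# extra fields were injected into the page on the client machine.
RENDERED_FORM = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="atm_pin">
  <input type="text" name="ssn_last4">
  <button type="submit">Sign in</button>
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects (name, type) for every data-carrying form control in a page."""

    CONTROL_TAGS = {"input", "select", "textarea"}
    IGNORED_TYPES = {"submit", "button", "reset", "image"}

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.CONTROL_TAGS:
            return
        attr = {k: (v or "") for k, v in attrs}
        name = (attr.get("name") or attr.get("id") or "<unnamed>").lower()
        # <input> defaults to type=text; select/textarea report their tag name.
        ftype = (attr.get("type") or ("text" if tag == "input" else tag)).lower()
        if ftype not in self.IGNORED_TYPES:
            self.fields.append((name, ftype))


def collect_fields(html):
    """Return the list of (name, type) pairs found in the HTML."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def unexpected_fields(html, baseline=BASELINE_FIELDS):
    """Fields present in the page that the genuine form never serves."""
    return sorted(f for f in set(collect_fields(html)) if f[0] not in baseline)


def assess(html, baseline=BASELINE_FIELDS):
    """Classify a rendered form as clean, modified, or likely-injection."""
    extra = unexpected_fields(html, baseline)
    present = {name for name, _ in collect_fields(html)}
    missing = sorted(baseline - present)
    # An extra password-type field, or one named like a secret, is the
    # pattern the post describes: added fields that capture information.
    sensitive = [
        name for name, ftype in extra
        if ftype == "password" or any(h in name for h in SENSITIVE_HINTS)
    ]
    if sensitive:
        verdict = "likely-injection"
    elif extra or missing:
        verdict = "modified"
    else:
        verdict = "clean"
    return {"verdict": verdict, "extra": extra,
            "sensitive": sensitive, "missing": missing}


if __name__ == "__main__":
    for label, page in (("served", SERVED_FORM), ("rendered", RENDERED_FORM)):
        print(label, assess(page))
```

For the user, the practical version of this check is simpler: a login page that suddenly asks for a PIN, card number or other detail it never asked for before is a reason to stop and contact the institution.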
 
Actually the main risk for a user is "phishing" emails designed to trick the user into visiting a web site, often one designed to look just like a financial institution's web site and asking for a userid and pwd. More from https://www.us-cert.gov/publications/virus-basics:
"Most users get viruses from opening and running unknown email attachments. Never open anything that is attached to an email message unless you know the contents of the file. If you receive an attachment from a familiar email address, but were not expecting anything, you should contact the sender before opening the attachment. If you receive a message with an attachment and you do not recognize the sender, you should delete the message.

"Selecting the option to view your email messages in plain text, not HTML, will also help you to avoid a virus."
IMO having a separate computer is unnecessary but if you do want to go that route it should be a computer with no email capability, in or out. It should also not be routinely left connected to a network with other computers.


As I said, my first line of defense is banking institutions' guarantees. Zero effort, zero cost. I do have a policy however, that I do not access financial information or have financial apps on cell phones or tablets that might be stolen or lost. I also do not have any financial logins memorized in browsers or password managers. In fact, I do not use password managers at all.

I follow a similar pattern. The one difference is I use a password manager on a Kingston thumb drive. I do not want to trust it at an on-line storage.

A person must have the thumb drive to get my password. If stolen, they would need to know both the password to the thumb drive and the one to the password manager. They would only get 5 (could be 10) chances to enter the drive before the data is destroyed. I keep a second Kingston too if one is lost or stolen.
 
I have never used an anti-virus with Linux or heard of anyone getting infected, and I have used it since it came out.

There is quite a bit of misinformation on the "safety" of Linux. There are stories of these machines being hacked, and you have to be vigilant as a Linux user, as well. Here is an example (countless others if you search it out): https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/

I don't see much point in using a separate machine. Use strong (very strong!) passwords and 2FA when available. I personally will not do financial business with anyone who DOESN'T have 2FA. I am anxious for more financial sites to start using the physical keys (I use this w/ my Google accounts and LOVE IT) as a primary 2FA.
 
There is quite a bit of misinformation on the "safety" of Linux. There are stories of these machines being hacked, and you have to be vigilant as a Linux user, as well. Here is an example (countless others if you search it out): https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
Isolated events can happen, but the number of instances is very, very small. In this case a distro, not all Linux systems, was compromised. That distro is maintained by one guy. If you are security concerned you would be running something like Red Hat Enterprise RHEL, not Mint. It is no comparison to Windows systems history of viruses. Generally attackers are not targeting Linux since it isn't widely used when they can target an OS that has a large user base like Windows.

Since open source code can be reviewed people can notice anything not right in the code base. This is a big advantage over closed source, which is basically saying "trust us".

If you want super secure I would look at Qubes OS, it runs everything in a virtual isolation. I have never used it but it looks interesting for those needing a super secure system.
https://en.wikipedia.org/wiki/Qubes_OS
 
I don't see much point in using a separate machine. Use strong (very strong!) passwords and 2FA when available. I personally will not do financial business with anyone who DOESN'T have 2FA. I am anxious for more financial sites to start using the physical keys (I use this w/ my Google accounts and LOVE IT) as a primary 2FA.

I do use strong passwords. I do use a password manager and for these sites use randomly generated strong passwords. I don't save the master password for the password manager of course. I do use 2FA for places that allow it and my investment accounts and bank do.

For your physical key do you use a Yubikey? I have thought about doing that.


Does anyone use Fidelity Symantec Validation and ID Protection? I have regular 2FA turned on but haven't used that. Fidelity does say it adds a final layer of protection.

I follow all of their general recommendations. I found this link that goes a step farther and says to consider using a dedicated device that does no web surfing or email.

https://institutional.fidelity.com/app/proxy/content?literatureURL=/9893541.PDF

It does recommend considering using a password manager. It also recommended a dedicated email account for financial accounts. I guess if I got a Chromebook this would seem to be indicating to use the Chromebook only to go to websites of financial accounts and to actually receive my email for those accounts on my regular computer?
 
I follow a similar pattern. The one difference is I use a password manager on a Kingston thumb drive. I do not want to trust it at an on-line storage.

A person must have the thumb drive to get my password. If stolen, they would need to know both the password to the thumb drive and the one to the password manager. They would only get 5 (could be 10) chances to enter the drive before the data is destroyed. I keep a second Kingston too if one is lost or stolen.
Sounds like a fairly strong system.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted and (2) it is obvious that hackers will be working hard, looking for a big reward, if they can find a way to crack one or more of the popular pwd managers.

Remembering passwords is not a huge burden IMO. I use a simple system based on the web sites' URL plus some standard extra characters. I also don't worry too much about security for web sites like this one where someone who figures out my credentials really can't do me any harm anyway.
 
I don't think it's worth it. If you only access your financial accounts on a Chrome OS device (Chromebook or Chromebox) then your access is very secure, much more secure than using a Windows computer. I don't think there is a need for a separate dedicated Chrome OS device.

I also recommend (1) setting up the Advanced Protection Program for the Google account that you use to log in to the Chromebook or Chromebox which will protect your Google account and the associated Gmail, and (2) use a strong password for your financial accounts, and (3) use two step verification or two factor authentication if it is offered by your financial account provider and avoid using SMS texting as the second factor if you can avoid it, and (4) set up notifications of account activity to be sent to your Gmail and check it regularly. If you do all of these things your account access will be very, very secure and using a separate Chrome OS device just for financial accounts is overkill.

I signed up for the Advanced Protection Program and I use security keys to secure my Google account. Any security key will work, Yubikey is a reputable option, I have security keys from Yubikey as well as other manufacturers and they all work equally well for securing my Google account.
 
Sounds like a fairly strong system.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted and (2) it is obvious that hackers will be working hard, looking for a big reward, if they can find a way to crack one or more of the popular pwd managers.

Remembering passwords is not a huge burden IMO. I use a simple system based on the web sites' URL plus some standard extra characters. I also don't worry too much about security for web sites like this one where someone who figures out my credentials really can't do me any harm anyway.

My password manager is only on MY computer, it does not access the web (as far as I know) the encrypted database it uses is on my machine.
So unless the employees added code to pass back to a server the passwords, etc., they have no access to it.

Problem with your method is, should someone get 2 or 3 of your passwords from some simple forum sites or store sites, they can easily guess your algorithm for bank or brokerage sites.
Otherwise you need to keep a paper list of all the different characters you add to the extracted web site URL you use.
 
Sounds like a fairly strong system.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted and (2) it is obvious that hackers will be working hard, looking for a big reward, if they can find a way to crack one or more of the popular pwd managers.

Remembering passwords is not a huge burden IMO. I use a simple system based on the web sites' URL plus some standard extra characters. I also don't worry too much about security for web sites like this one where someone who figures out my credentials really can't do me any harm anyway.
The password manager should be open source and have been around a while, that way the code is known, that is how you trust it. It is all a moot point if your OS is compromised by some malware/virus/keylogger.
 