Old 06-17-2020, 01:23 PM   #21
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 5,308
Quote:
Originally Posted by ExFlyBoy5 View Post

I don't see much point in using a separate machine. Use strong (very strong!) passwords and 2FA when available. I personally will not do financial business with anyone who DOESN'T have 2FA. I am anxious for more financial sites to start using the physical keys (I use this w/ my Google accounts and LOVE IT) as a primary 2FA.
I do use strong passwords. I do use a password manager and for their sites use randomly generated strong passwords. I don't save the master password for the password manager of course. I do use 2FA for places that allow it and my investment accounts and bank do.

For your physical key do you use a Yubikey? I have thought about doing that.


Does anyone use Fidelity Symantec Validation and ID Protection? I have regular 2FA turned on but haven't used that. Fidelity does say it adds a final layer of protection.

I follow all of their general recommendations. I found this link that goes a step farther and says to consider using a dedicated device that does no web surfing or email.

https://institutional.fidelity.com/a...L=/9893541.PDF

It does recommend considering using a password manager. It also recommended a dedicated email account for financial accounts. I guess if I got a Chromebook this would seem to be indicating to use the Chromebook only to go to website of financial accounts and to actually receive my email for those accounts on my regular computer?
Katsmeow is offline   Reply With Quote
Old 06-17-2020, 01:32 PM   #22
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
OldShooter's Avatar
 
Join Date: Mar 2017
Location: City
Posts: 10,351
Quote:
Originally Posted by davef View Post
I follow a similar pattern. The one difference is I use a password manager on a Kingston thumb drive. I do not want to trust it at an on-line storage.

A person must have the thumb drive to get my password. If stolen, they would need to know both the password to the thumb drive and the one to the password manager. They would only get 5 (could be 10) chances to enter the drive before the data is destroyed. I keep a second Kingston too if one is lost or stolen.
Sounds like a fairly strong system.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted and (2) it is obvious that hackers will be working hard, looking for a big reward, if they can find a way to crack one or more of the popular pwd managers.

Remembering passwords is not a huge burden IMO. I use a simple system based on the web sites' URL plus some standard extra characters. I also don't worry too much about security for web sites like this one where someone who figures out my credentials really can't do me any harm anyway.
OldShooter is offline   Reply With Quote
Old 06-17-2020, 01:35 PM   #23
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,396
I don't think it's worth it. If you only access your financial accounts on a Chrome OS device (Chromebook or Chromebox) then your access is very secure, much more secure than using a Windows computer. I don't think there is a need for a separate dedicated Chrome OS device.

I also recommend (1) setting up the Advanced Protection Program for the Google account that you use to log in to the Chromebook or Chromebox which will protect your Google account and the associated Gmail, and (2) use a strong password for your financial accounts, and (3) use two step verification or two factor authentication if it is offered by your financial account provider and avoid using SMS texting as the second factor if you can avoid it, and (4) set up notifications of account activity to be sent to your Gmail and check it regularly. If you do all of these things your account access will be very, very secure and using a separate Chrome OS device just for financial accounts is overkill.

I signed up for the Advanced Protection Program and I use security keys to secure my Google account. Any security key will work, Yubikey is a reputable option, I have security keys from Yubikey as well as other manufacturers and they all work equally well for securing my Google account.
JustCurious is offline   Reply With Quote
Old 06-17-2020, 01:47 PM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Sunset's Avatar
 
Join Date: Jul 2014
Location: Spending the Kids Inheritance and living in Chicago
Posts: 17,099
Quote:
Originally Posted by OldShooter View Post
Sounds like a fairly strong system.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted and (2) it is obvious that hackers will be working hard, looking for a big reward, if they can find a way to crack one or more of the popular pwd managers.

Remembering passwords is not a huge burden IMO. I use a simple system based on the web sites' URL plus some standard extra characters. I also don't worry too much about security for web sites like this one where someone who figures out my credentials really can't do me any harm anyway.
My password manager is only on MY computer; it does not access the web (as far as I know), and the encrypted database it uses is on my machine.
So unless the employees added code to pass back to a server the passwords, etc., they have no access to it.

Problem with your method is, should someone get 2 or 3 of your passwords from some simple forum sites or store sites, they can easily guess your algorithm for bank or brokerage sites.
Otherwise you need to keep a paper list of all the different characters you add to the extracted web site URL you use.
__________________
Fortune favors the prepared mind. ... Louis Pasteur
Sunset is offline   Reply With Quote
Old 06-17-2020, 01:49 PM   #25
Thinks s/he gets paid by the post
 
Join Date: Feb 2014
Posts: 3,085
Quote:
Originally Posted by OldShooter View Post
Sounds like a fairly strong system.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted and (2) it is obvious that hackers will be working hard, looking for a big reward, if they can find a way to crack one or more of the popular pwd managers.

Remembering passwords is not a huge burden IMO. I use a simple system based on the web sites' URL plus some standard extra characters. I also don't worry too much about security for web sites like this one where someone who figures out my credentials really can't do me any harm anyway.
The password manager should be open source and have been around a while; that way the code is known, and that is how you trust it. It is all a moot point if your OS is compromised by some malware/virus/keylogger.
jim584672 is offline   Reply With Quote
Old 06-17-2020, 06:07 PM   #26
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 5,308
Quote:
Originally Posted by JustCurious View Post
I don't think it's worth it. If you only access your financial accounts on a Chrome OS device (Chromebook or Chromebox) then your access is very secure, much more secure than using a Windows computer. I don't think there is a need for a separate dedicated Chrome OS device.
So to be clear...if I get a Chromebook you think it is OK to have the financial accounts on it but to also use it for other things? I have a desktop computer I use most of the time and I have an iPad. But I could see potentially using a Chromebook to maybe watch Youtube videos or do light web surfing (only going to well known sites, not just any random place). I could do that on a separate profile if necessary. That would make getting the Chromebook a bit more appealing.

Quote:
Originally Posted by OldShooter View Post
.

My main objection to pwd managers is "Who watches the watchers?" IOW (1) how do I know that the pwd manager company employees can be trusted
One reason I feel OK using a password manager is because the password manager doesn't have my master password. An employee can't give someone something that they don't have.

Quote:
Originally Posted by Sunset View Post
Quote:
My password manager is only on MY computer; it does not access the web (as far as I know), and the encrypted database it uses is on my machine.
So unless the employees added code to pass back to a server the passwords, etc., they have no access to it.
Problem with your method is, should someone get 2 or 3 of your passwords from some simple forum sites or store sites, they can easily guess your algorithm for bank or brokerage sites.
This is why I don't use those kinds of passwords for sites that are highly sensitive (such as financial accounts). They are OK for stuff like forum log ins. But I couldn't possibly remember all of my passwords for sensitive stuff. The most sensitive being financial accounts and the passwords to my email accounts. The most sensitive is my master password but I don't save that one anywhere and is the only password that I need to remember.
Katsmeow is offline   Reply With Quote
Old 06-17-2020, 07:51 PM   #27
gone traveling
 
Join Date: May 2020
Posts: 147
I use all the majors (ChromeOS, Windows, Mac, Linux) and went with tightly secured Linux for storing documents and primary financial activities. I also set up my own private cloud using ResilioSync that acts like Dropbox across other Linux systems (one at my partner's place and a Raspberry Pi at one of my sisters in another city), where files are encrypted in transit and stored encrypted at rest on all other nodes. The primary Linux box is also isolated from public internet so that only a jump box at home can get into the financial Linux box.

There is no such thing as truly secure but it's reasonably secure enough that hackers are more likely to go after someone else less secure. Some might consider it overkill.

If using public cloud, would at minimum use 2 factor authentication but would also store files encrypted.
JustVisitingThisPlanet is offline   Reply With Quote
Old 06-17-2020, 07:55 PM   #28
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,396
Quote:
Originally Posted by Katsmeow View Post
So to be clear...if I get a Chromebook you think it is OK to have the financial accounts on it but to also use it for other things?
Yes, I think it's perfectly ok, that is what I do. And to be very clear, it's not that you will "have the financial accounts on it," rather, you will be accessing your financial accounts from it. I only use Chromebooks and a Chromebox for personal use, I no longer own any Windows computers. The Chromebox is my primary desktop in my home office, and I have a Chromebook for portable use. I also have a Pixel 3 phone and a Pixel Slate tablet and I do all of my personal computing on those devices, primarily the Chromebox and Chromebook, and that includes accessing financial accounts. As long as you follow my previous suggestions I think you will be very, very safe in terms of accessing your financial accounts, much safer than the vast majority who do not use Chrome OS devices and who do not take advantage of the Google Advanced Protection program and do not use two factor authentication.
JustCurious is offline   Reply With Quote
Old 06-17-2020, 08:07 PM   #29
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 5,308
Quote:
Originally Posted by JustCurious View Post
Yes, I think it's perfectly ok, that is what I do. And to be very clear, it's not that you will "have the financial accounts on it," rather, you will be accessing your financial accounts from it.
Correct, I was using shorthand. The point being that if I was to access my financial accounts I would do it from the Chromebook, but I might use the Chromebook for some limited other things.

Quote:
As long as you follow my previous suggestions I think you will be very, very safe in terms of accessing your financial accounts, much safer than the vast majority who do not use Chrome OS devices and who do not take advantage of the Google Advanced Protection program and do not use two factor authentication.
I am already doing all those things except Google Advanced Protection. That seems a good idea. I could use it with my iPhone plus get a physical key.

Now the question is: If I do all those things (including Google Advanced Protection) does using a Chromebook (recognizing I may use it occasionally for other things) give me any protection above and beyond what I get using Windows 10? That is, if I have a Windows 10 computer, scanning it regularly, keeping software up to date, using 2FA, using strong protections, using Google Advanced protection -- do I get any additional protection through using a Chromebook or am I OK with the Windows 10 computer?

I don't really need a Chromebook if it doesn't add significant protection since I already have an iPad Pro and it covers most of my needs when I travel and don't have a desktop available. I even have an old notebook of DH's that is Windows (Surface Pro from a few years ago) that I can use if I absolutely need to use Windows programs.

Oh -- for the Linux fans: I am not going to do Linux. It adds a layer of complexity and learning curve that I am not interested in.
Katsmeow is offline   Reply With Quote
Old 06-17-2020, 08:30 PM   #30
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,396
Quote:
Originally Posted by Katsmeow View Post
Now the question is: If I do all those things (including Google Advanced Protection) does using a Chromebook (recognizing I may use it occasionally for other things) give me any protection above and beyond what I get using Windows 10?
In my opinion, yes.
JustCurious is offline   Reply With Quote
Old 06-17-2020, 09:22 PM   #31
Recycles dryer sheets
grayv's Avatar
 
Join Date: Sep 2019
Posts: 102
use the guest login on chromebook. shutdown and restart every time you use it.


keep chromebook updated.



save docs to a usb stick.
grayv is offline   Reply With Quote
Old 06-18-2020, 12:38 AM   #32
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 5,308
Quote:
Originally Posted by grayv View Post
use the guest login on chromebook. shutdown and restart every time you use it.


keep chromebook updated.



save docs to a usb stick.
If I do this, do you think I can safely use some Apps on the Chromebook or do things other than simply going to the financial sites?
Katsmeow is offline   Reply With Quote
Old 06-18-2020, 03:09 AM   #33
Recycles dryer sheets
grayv's Avatar
 
Join Date: Sep 2019
Posts: 102
no apps on the chromebook. just chrome browser. but should be very safe.



https://www.zdnet.com/article/google...book-remotely/
grayv is offline   Reply With Quote
Old 06-18-2020, 04:16 AM   #34
gone traveling
 
Join Date: May 2020
Posts: 147
BTW you can install LibreOffice on Chromebooks if turning on Linux mode. A pretty good free replacement for MS Office. I use it full time now across all OSs.
JustVisitingThisPlanet is offline   Reply With Quote
Old 06-18-2020, 08:23 AM   #35
Recycles dryer sheets
samm's Avatar
 
Join Date: Mar 2008
Location: Bangkok
Posts: 234
massive-spying-on-users-of-googles-chrome

The latest Chrome Security risk news

https://www.reuters.com/article/us-a...-idUSKBN23P0JO
samm is offline   Reply With Quote
Old 06-18-2020, 08:36 AM   #36
gone traveling
 
Join Date: May 2020
Posts: 147
Quote:
Originally Posted by samm View Post
The latest Chrome Security risk news

https://www.reuters.com/article/us-a...-idUSKBN23P0JO
All browsers that allow extensions have this issue. Only use extensions from sources you'd trust, which for me is only a few.

On ChromeOS, you can also install other browsers via Android or Linux support.
JustVisitingThisPlanet is offline   Reply With Quote
Old 06-18-2020, 08:39 AM   #37
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,721
Quote:
Originally Posted by samm View Post
The latest Chrome Security risk news

https://www.reuters.com/article/us-a...-idUSKBN23P0JO
Browsers are a serious weakness. Maybe use the command line?

But seriously, I think it's just a matter of time before <insert_OS_name_here> becomes more popular, and a bigger target.
target2019 is offline   Reply With Quote
Old 06-18-2020, 11:36 AM   #38
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
ExFlyBoy5's Avatar
 
Join Date: May 2013
Location: ATL --> Flyover Country
Posts: 6,649
Quote:
Originally Posted by Katsmeow View Post
For your physical key do you use a Yubikey? I have thought about doing that.

Yep, it's a Yubikey. I have two...one is a USB and the other is a Bluetooth version that I have locked up as a spare.
__________________
FIRE'd in 2014 @ 40 Years Old
Professional Retiree
ExFlyBoy5 is offline   Reply With Quote
Old 06-18-2020, 06:09 PM   #39
Thinks s/he gets paid by the post
 
Join Date: Feb 2014
Posts: 3,085
For those using Windows 10 Professional there is a built-in virtual machine called Hyper-V which will perform better than VirtualBox. This will let you run a different OS, or even another Win 10 instance in a virtual environment. In case of a virus or malware it will only destroy the virtual machine and not your main system.

So set up a Win 10 machine where you only do sensitive financial stuff, seems like a way to reduce your risk.
jim584672 is offline   Reply With Quote
Old 06-19-2020, 02:10 PM   #40
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 5,308
From reading this and other research, it seems that there are a range of protections possible. In these I am limiting myself to Windows 10 and a Chromebook as I don't feel I have the knowledge for Linux or some other options suggested.

1. What I would consider the base with Windows 10. Use a strong password. Don't reuse passwords and use a password manager. Use a unique user name you don't use anywhere else. Add basic 2FA. Be careful with how you use email. Watch for phishing attempts. Be careful with attachments. Be careful browsing. Look for spoof websites. Be careful what you download. Keep your computer and browser and programs updated. Monitor accounts and set up alerts and email. I am in the process of changing some of my emails that I am using and I am resetting some passwords. You want your financial accounts set up so that they let you know when you do that. Set up a PIN with your cell phone carrier. Set up 2FA for your cell phone carrier also. Set up 2FA for your email accounts. Use software on your computer that scans it regularly for viruses, malware and other threats. Have a secure password for your home network.

Honestly, I think that if you do all the above you are safer than the vast majority of people and that should be "enough". But, a level above that would be to add to the above:

2. Set up a separate email for your financial accounts. Use an authenticator app whenever you can. If a Fidelity customer, use Symantec VIP Access. Get a physical Yubikey (or some other brand) and use both on your computer and your phone.

A layer beyond that:

3. Get a separate computer for going to your financial accounts. Don't visit them on the internet except on that computer (note that if you deposit checks online you may need to use a phone app to do it). This could be a Windows computer. But, a stronger alternative is a Chromebook. You could use Chrome apps and go to some websites (known safe sites not just general websurfing). Preferably you would do these things using a separate profile or as guest. No, your Chromebook is not being solely used for the financial accounts, but it is still probably safer than a Windows 10 computer because Chrome OS is safer. The advantage of this alternative is that your Chromebook can double as an occasional laptop for you.

And beyond that:

4. Use the Chromebook solely for visiting your financial accounts.

Conclusion:

All of these add protections. I don't think that anything beyond 1 is actually strictly necessary. 2 is fairly easy to implement and just costs the cost of the Yubikey. 3 and 4 add considerable cost and I am not sure the incremental value is worth it particularly if you are someone already doing 1 and 2. 3 and 4 seem more useful for those people not willing to do 1 and 2 on their main computer. That is, if you don't want to do the 1 and 2 precautions on your main computer then moving financial accounts to a separate Chromebook (or even Windows computer) makes more sense. I am not sure they are worth it if you are already doing 1 and 2 on your main computer.

I haven't decided entirely yet. I am doing 1 and some of 2 already (I don't have a physical Yubikey but that seems worth doing). I could see doing 3 as well. I don't currently have a notebook (although I do have an iPad) so getting one that I could occasionally use as such while doing the financial on there would seem to still add a layer. (To be clear I would never use the notebook on public WiFi). But, again I am not sure the incremental benefit for someone doing 2 is worth it.
Katsmeow is offline   Reply With Quote