Seeking Advice in Using Firefox for Netbanking

I am using Firefox for all my netbanking.

I run Ubuntu as guest and Vista is my Host, using Virtualbox.

I use Ubuntu Firefox to access all my bank websites, my credit card data and transfer money etc.

What exactly do I need to be concerned about? Keyloggers? Sniffers?

Is there anything else that can affect my guest Ubuntu activity and steal my Banking login details?

Thanks so much for any advice.

 

This is your threat model:

1) None, or Bad encryption which would allow a Man In The Middle to watch your transactions.

2) That your ISP is not really showing you your bank, but another website designed to look like your bank and thus perform Cross Site Scripting attacks. This can be thwarted with requiring SSL and performing OCSP/Revoke lookups on the certificate.

3) Man In The Browser Attacks whereby a website you visit can implant a bug in your browser to monitor everything it sees and send back that information, even if you are using HTTPS.

4) Attacks from your host OS against your guest OS to monitor the transactions taking place inside it, or manipulating/injecting the stream leaving it. Turn off bridging with the network adapter, and make sure the bank uses HTTPS the whole time.

------------------ THEREFORE -----------------

1) Use a clean OS VM every time and only visit the bank website that you trust, and do not allow it to run scripts if possible.

2) Make sure the connection is HTTPS the whole time you are logged into the bank.

 

Ouch, there seems to be some concerns for sure.

But yeah, I run a clean OS as far as I know, many well known programs report my PC as clean. And I use Noscript addon in firefox and I will make sure it's always HTTPS.

Thanks XeroBank.

 

I am not using wireless broadband, so I guess that Eavesdropping link is not applicable to me.

regarding perspectives, can that link be trusted? Why isn't Perspectives at the offical firefox addon website?

What if the Perspectives FF addon was really written by student criminal hackers and is a nasty script that points your browser to criminal websites that then obtain your personal details?

Could be a trojan or a security extension in disguise.

 

Well, I do not trust anyone in the world. I don't even trust myself 100%.

If a human being is approached by large criminal organisations and offered a large amount of money, humans will risk everything.

Just because someone works for a well known or reputable place, doesn't mean anything. History has shown that even in some of the biggest and well known and reputable companies and organisations, a person has committed crimes and ripped of the public and its shareholders.

You are dealing with humans here my friend, don't underestimate the lenghts some people will go to make money, it's called greed.

A world renown institution such as Carnegie Mellon is never immune from having people work in it that could commit law breaking acts such as writing a piece of software that will redirect a person to a criminal website that looks like the banks website.

Don't so be so naive and gullible. Must be cautious of everyone, no matter where they work and no matter who they are.

 

There sure seems to be a lot of fluff and little explanation on how this wonderful addon works. Let me explain it real quick in plain english:

1. You request a website.
2. This addon sees your request.
3. It then notifies other servers of your request.
4. They all do a request at the same time.
5. If they get back different results, someone may be injecting / MITM either you or them.

The bottom line is that it is a plugin that spies on you, and tells CM what you are doing. That doesn't sound so awesome to me.

 

I agree that there are many wonderful people in the world. My point is this... you can never be 100% certain who the wonder people are, and who is trying to deceive you or trick you for their personal gain.

I do not even trust myself 100%, and would never trust anyone else completely. I am cautious of everyone and do my due-diligence into everyone I deal with. And even then I am very very cautious.

 

I agree. And the other thing that concerns me is that any updates etc to the plugin could be doing anything in the future.

And I am in congruent thought with you when you said, "That doesn't sound so awesome to me." It just adds another "spy" in the link.

 

Maybe its time you started with your own book on trust and the meaning of life...

More seriously, being a world class academic organisation does give it more credibility. It is a matter of signalling.

 

How do you know with certainty that I haven't already completed a book on trust and the meaning of life?

Sure, it does give it more credibility than a few guys in a garage. However, history has proven that many "credible" people and organisations have been infected with deceptive conduct.

 

Truthseeker,

using your logic.

Why should we give you _any_ ideas, because you could be a security crack looking for new attack types by gathering ideas and information from well protected users.

See where this ends?

End of useful security discussion. Trust nobody. Live alone. Don't even speak to anyone. Become a hermit. Move onto Himalayas.

 

You could have, but you might have trouble getting it published. Just stick to your guns, us a live cd and ssl connection.

 

Not entirely. But to be cautious and do extensive due-diligence and research, especially when it involves financial and personal issues.

 

Yeah, at the end of the day, the Linux LiveCD is the way to go I think. Good point. And manually enter all my banks websites and hope that it hasn't been hijacked.

 

Is there any way to defend against DNS poisoning and other man-in-the-middle attacks in this scenario?

I think the already mentioned Perspectives Firefox add-on could help in this regard (while of course, it creates its own set of problems).

Of course, if one is so diligent about security, it should be easy to profile 'perspectives' dll network behavior for one month and see what it does. I'm sure somebody's disassembling the pre-compiled version as I write this. The source code is also freely available.

In fact, for better or worse, I think similar kind of distributed white-hat network app will be needed for ordinary users/browsers, because otherwise it looks like the criminals are winning. Whether it ends up being something that universities cooked up (like Perspectives), a Microsoft only solution or something else - I don't know. But I see evolution pushing us to that direction - or to extinction of online safety in any reasonable manner for ordinary users at least.

Overall I think it's easier to keep one's own system clean and hard enough to hack so that online banking can be as safe as manageable for a well-versed security aware person.

But in regards to MITM-attacks, which currently are fortunately that common as of yet, it is much more difficult. IMHO. YMMV. ETC.

 

Thanks for your input halcyon, appreciate it, Cheers.