Wilders Security Forums  

  #1  
November 24th, 2012, 03:58 AM
StrangerGuy
Infrequent Poster

Join Date: Jun 2012
Posts: 18
Is linux safe for online banking?

Hi, I want to know: is online banking safe in Linux?
I want to try Linux OSes like Mint, Ubuntu and Zorin.
Is there any software like Trusteer Rapport for safe online banking in Linux?
Thanks
__________________
Never Trust Stranger™
  #2  
November 24th, 2012, 04:51 AM
Cudni
Global Moderator

Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Re: Is linux safe for online banking?

As safe as it can be.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
  #3  
November 24th, 2012, 05:17 AM
chrisretusn
Very Frequent Poster

Join Date: Jun 2004
Location: Philippines
Posts: 1,023
Re: Is linux safe for online banking?

I bank on-line with Slackware Linux.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!
  #4  
November 25th, 2012, 08:49 AM
lotuseclat79
Very Frequent Poster

Join Date: Jun 2005
Posts: 1,914
Re: Is linux safe for online banking?

Hi StrangerGuy,

The question you should ask yourself is whether the Bank uses Windows software (probably guaranteed) which is what makes them crackable by the criminals that engage in thievery.

The security of Banks which almost all use Windows is horrible - there are very many bank intrusions that are not made public. It is not whether you access your bank via Linux (if their software can handle another browser than Internet Explorer), it is whether they have already been cracked into. If you ask them - they probably won't tell you the truth - that I would not expect any local branch office to know about anyway.

I only bank in person - never online - it's a trust issue, and I do not trust banks that use Windows software.

-- Tom
  #5  
November 25th, 2012, 09:39 AM
wat0114
Frequent Poster

Join Date: Aug 2012
Location: Canada
Posts: 731
Re: Is linux safe for online banking?

Quote:
Originally Posted by lotuseclat79
there are very many bank intrusions that are not made public.

If they're not made public, how do you know about them?

The ones that have been made public, of late anyway, are DDoS attacks, which only cause inconvenience to customers; they are not actual "hacks" as some news sources have inaccurately claimed.

Linux should be fine to use, especially if Firefox w/NoScript is used, only allowing the banking domains.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #6  
November 25th, 2012, 10:30 AM
linuxforall
Very Frequent Poster

Join Date: Feb 2010
Posts: 2,100
Re: Is linux safe for online banking?

I have a dedicated card for use online, that card is a debit card so I have the ability to keep a minimal amount and fill it when I need to buy something. Otherwise like Lotuseclat, I bank in person.
__________________
Ubuntu, Chakra with Opera and Chromium
Perpetually learning Linux novice, rank amateur.
  #7  
November 25th, 2012, 01:22 PM
Hungry Man
Incredibly Massive Poster

Join Date: May 2011
Posts: 8,486
Re: Is linux safe for online banking?

Quote:
If they're not made public, how do you know about them?
I worked for Citi bank. They have massive PR teams dedicated to this stuff. It's why you don't often read about bank robberies, and when you do it's usually buried in local news. Two of my co-workers had been in robberies at separate branches, it happens quite often.

Not sure how often banks are hacked, but they absolutely do bury stories.
__________________
  #8  
November 25th, 2012, 01:45 PM
wat0114
Frequent Poster

Join Date: Aug 2012
Location: Canada
Posts: 731
Re: Is linux safe for online banking?

Quote:
Originally Posted by Hungry Man
Not sure how often banks are hacked, but they absolutely do bury stories.

What interests me is how often they are hacked, as in directly stealing funds or customer data. Probably next to nil with reputable banks at least. I would be willing to bet that most theft of any kind is likely social engineering in the form of phishing emails and reflected XSS via emails as well.

I see no problems banking online if the proper procedures are followed such as accessing the bank's site directly from a trusted machine, no email links, no public locations, and using some form of scripting control in the browser.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #9  
November 25th, 2012, 02:41 PM
Hungry Man
Incredibly Massive Poster

Join Date: May 2011
Posts: 8,486
Re: Is linux safe for online banking?

Bank security is awful. ATMs run XP Professional SP2 and are network capable. Most attacks occur through hardware that attackers have attached to the ATMs.

I think banking online is fine. But I'd use no script.
__________________
  #10  
November 25th, 2012, 03:02 PM
Kerodo
Incredibly Massive Poster

Join Date: Oct 2004
Posts: 6,045
Re: Is linux safe for online banking?

Quote:
Originally Posted by wat0114

I see no problems banking online if the proper procedures are followed such as accessing the bank's site directly from a trusted machine, no email links, no public locations, and using some form of scripting control in the browser.
I see no problems with it either. For one thing, I don't think there is much anyone could do online without it being traced somehow, and secondly, I've been told by the banks that if any fraud ever did take place, they would reimburse what was taken or missing. So I think it's a non issue to some extent. If you read the bank's online info, they also "guarantee" your online safety and so on. In other words, if something goes wrong, they'll back it. How can you go wrong in that case?

Edit: So yes, I do think linux is plenty good for online banking...
__________________
If it ain't broke, you haven't tweaked it enough....

Last edited by Kerodo : November 25th, 2012 at 03:08 PM.
  #11  
November 25th, 2012, 03:35 PM
lotuseclat79
Very Frequent Poster

Join Date: Jun 2005
Posts: 1,914
Re: Is linux safe for online banking?

Sure, Linux may work for online banking, but you need to ask yourself - is there a MITM (Man in the Middle) attack happening when you bank online?

-- Tom
  #12  
November 25th, 2012, 03:59 PM
Kerodo
Incredibly Massive Poster

Join Date: Oct 2004
Posts: 6,045
Re: Is linux safe for online banking?

Quote:
Originally Posted by lotuseclat79
Sure, Linux may work for online banking, but you need to ask yourself - is there a MITM (Man in the Middle) attack happening when you bank online?

-- Tom
Should we live in fear every day of something that most likely will never happen?
__________________
If it ain't broke, you haven't tweaked it enough....
  #13  
November 25th, 2012, 07:24 PM
lotuseclat79
Very Frequent Poster

Join Date: Jun 2005
Posts: 1,914
Re: Is linux safe for online banking?

Hi Kerodo,

Your belief that a MITM attack most likely will never happen (while you are online banking) is at best naive and at worst naively dumb wishful thinking about a serious security issue.

Do you have any evidence to back up the POV that it most likely will never happen?

What security do you have in place that detects and prevents it?

The issue has nothing at all to do with fear - but rather, preparation for a worst case scenario.

-- Tom
  #14  
November 25th, 2012, 07:32 PM
Kerodo
Incredibly Massive Poster

Join Date: Oct 2004
Posts: 6,045
Re: Is linux safe for online banking?

Quote:
Originally Posted by lotuseclat79
Hi Kerodo,

Your belief that a MITM attack most likely will never happen (while you are online banking) is at best naive and at worst naively dumb wishful thinking about a serious security issue.

Do you have any evidence to back up the POV that it most likely will never happen?

What security do you have in place that detects and prevents it?

The issue has nothing at all to do with fear - but rather, preparation for a worst case scenario.

-- Tom

I have been doing online banking for over 6 years my friend, and never ever once have I had any problems or issues, and this done in Windows I might add. I'd call that a pretty good track record. And in addition to that, if anything ever did happen, my banks would replace the funds. So tell me, what is there to worry about?

I realize that a lot of people here at Wilders are paranoid in varying degrees, and that's fine. I have been online for over 17 years and never once been compromised or had any virus or malware issues...

Some like to worry, and some realize you don't need to.... To each his own, right?
__________________
If it ain't broke, you haven't tweaked it enough....
  #15  
November 25th, 2012, 07:45 PM
wat0114
Frequent Poster

Join Date: Aug 2012
Location: Canada
Posts: 731
Re: Is linux safe for online banking?

Quote:
Originally Posted by lotuseclat79
... about a serious security issue.


When banking from home, especially on a wired network ...how so?
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #16  
November 25th, 2012, 08:34 PM
Hungry Man
Incredibly Massive Poster

Join Date: May 2011
Posts: 8,486
Re: Is linux safe for online banking?

MITM attacks, while entirely viable, are not likely, as without access to things like what your ISP has access to you'll only be able to compromise specific users/ accounts.

So your ISP/Government could MITM you. And if you're on a large public network you're more vulnerable, again. But that's not as likely as keylogging malware (which still isn't that common because keylogging is unreliable for profit).
__________________
  #17  
November 25th, 2012, 08:54 PM
linuxforall
Very Frequent Poster

Join Date: Feb 2010
Posts: 2,100
Re: Is linux safe for online banking?

Quote:
Originally Posted by Hungry Man
I worked for Citi bank. They have massive PR teams dedicated to this stuff. It's why you don't often read about bank robberies, and when you do it's usually buried in local news. Two of my co-workers had been in robberies at separate branches, it happens quite often.

Not sure how often banks are hacked, but they absolutely do bury stories.

http://www.mid-day.com/news/2010/dec...ip-manager.htm

Not exactly related but still a sobering thought about so called bank security and don't forget Barings bank and HSBC in recent times.
__________________
Ubuntu, Chakra with Opera and Chromium
Perpetually learning Linux novice, rank amateur.
  #18  
November 25th, 2012, 09:21 PM
wat0114
Frequent Poster

Join Date: Aug 2012
Location: Canada
Posts: 731
Re: Is linux safe for online banking?

Quote:
Originally Posted by Hungry Man
MITM attacks, while entirely viable, are not likely, as without access to things like what your ISP has access to you'll only be able to compromise specific users/ accounts.

Makes sense, and kind of what I've figured.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #19  
November 25th, 2012, 09:24 PM
act8192
Frequent Poster

Join Date: Nov 2006
Posts: 726
Re: Is linux safe for online banking?

Bank websites can be compromised. Mine was. In Windows.
An iFrame containing a script to connect to a Russian trojan-installing site was caught by Avast and visible in Opera's source view. Whether the trojan would succeed installing in Linux, I don't know, probably not.
  #20  
November 25th, 2012, 09:33 PM
Hungry Man
Incredibly Massive Poster

Join Date: May 2011
Posts: 8,486
Re: Is linux safe for online banking?

Ubuntu comes with an Apparmor profile for Firefox, which I'd suggest enabling as it will prevent/restrict exploits. That + NoScript is ideal for banking.
__________________
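
One way to act on the AppArmor suggestion in post #20 and confirm it took effect (an added example, not part of any post in this thread). The profile path in the comment is assumed from Ubuntu's Firefox package, and both `aa-status` listings are constructed sample output.

```shell
#!/bin/sh
# Added example, not from the thread. On Ubuntu the packaged Firefox profile is
# switched to enforce mode with (path assumed from Ubuntu's firefox package):
#   sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
# A profile only confines processes started after it was loaded, so check both
# the profile list and the process list printed by `sudo aa-status`.

# aa_mode KIND NEEDLE   (reads aa-status output on stdin)
#   KIND   = profiles | processes
#   NEEDLE = literal substring of the profile or process path, e.g. firefox
# Prints enforce, complain, unconfined, or none.
aa_mode() {
    awk -v kind="$1" -v needle="$2" '
        $0 ~ ("^[0-9]+ " kind " are in enforce mode")  { mode = "enforce";    next }
        $0 ~ ("^[0-9]+ " kind " are in complain mode") { mode = "complain";   next }
        $0 ~ ("^[0-9]+ " kind " are unconfined")       { mode = "unconfined"; next }
        /^[^ ]/ { mode = ""; next }   # any other unindented line ends the list
        mode != "" && index($0, needle) { found = mode }
        END { print (found != "" ? found : "none") }
    '
}

# Constructed sample: profile enforced while an old Firefox was still running.
SAMPLE_STALE='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox/firefox{,*[^s][^h]}
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (812)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/lib/firefox/firefox (2291)'

# Constructed sample: same machine after the browser was restarted.
SAMPLE_ENFORCED='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox/firefox{,*[^s][^h]}
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (812)
   /usr/lib/firefox/firefox (2307)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# report LABEL TEXT: one summary line per aa-status capture
report() {
    printf '%s: profile=%s process=%s\n' "$1" \
        "$(printf '%s\n' "$2" | aa_mode profiles firefox)" \
        "$(printf '%s\n' "$2" | aa_mode processes firefox)"
}

report "before browser restart" "$SAMPLE_STALE"
report "after browser restart" "$SAMPLE_ENFORCED"
```

On a real system, pipe `sudo aa-status` into `aa_mode processes firefox`; anything other than `enforce` means the running browser is not confined by the profile.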
  #21  
November 26th, 2012, 03:44 AM
StrangerGuy
Infrequent Poster

Join Date: Jun 2012
Posts: 18
Re: Is linux safe for online banking?

Thanks, all, for your suggestions. All I learned is that it is better to go and pay bills at the center.
__________________
Never Trust Stranger™
  #22  
November 26th, 2012, 08:50 PM
ComputerSaysNo
Very Frequent Poster

Join Date: Aug 2012
Posts: 1,086
Re: Is linux safe for online banking?

As someone who has been the target of MiTM attacks, I'll say a few things. They have Man In The Middle trigger machines that make it easy to MiTM; any agency worth their salt will have them. They also have Stingrays (google it) for pulling wireless information, where they can intercept all communications between your local cell tower and you.

Now they just really want to peek at what you're doing, they really don't want to drain your bank account. Just peek at your email to see who you're communicating with. So I wouldn't be worried about my money, anyway banks will replace the money in 99.99% of cases where fraud occurs. I also don't think western governments are allowed by law to raid your bank account unless you're supporting terrorism or drugs, so you should be in the clear.
  #23  
November 27th, 2012, 12:11 AM
BrandiCandi

Posts: n/a
Re: Is linux safe for online banking?

There's a lot happening in this thread. It can all be summed up in two categories:
-Things that you can control as a banking customer.
-Things that you cannot control as a banking customer.

You can't control whether your bank properly secures the web applications they use on the web page. You can't control how the bank handles your account number and password. I don't see the point in worrying too much about the stuff you can't control.

What you can control is how you handle your password & account number and your own computer. So my advice to Stranger Guy is to just focus on that stuff:

1. Never ever conduct on-line banking from any public or free wifi. Ever. Under any circumstances. (That will avoid the man-in-the-middle attack mentioned.)

2. When you plan to bank on-line, first clear the internet history in whatever browser you're using. Start with a freshly-opened browser. Don't browse from Facebook to your bank. Open the browser, go directly to the bank, do your thing, then close the browser and clear the internet history again after you're done. This will reduce the chances of someone stealing your password/username through the browser. Many browsers can be configured to delete history upon exit automatically so you don't even have to think about it.

3. Keep your operating system and software updated always (whether it's Linux or not).

4. Like others said, you can block scripts in your browser. However, if your bank is anything like mine then they use 20+ scripts per page and it won't function properly if you don't allow the scripts. So theoretically it's a good idea to block scripts. But in practice I don't know how to do it effectively and still actually use the bank website. I had to whitelist all the scripts on my bank website in NoScripts.

5. DON'T use a live CD for banking. They cannot be updated so they're not more secure.

6. Make sure the password you use for your bank account is unique. Don't use it anywhere else. Use more than 9 characters (upper & lower case, numbers & special symbols) if you can.
  #24  
November 27th, 2012, 12:51 AM
ComputerSaysNo
Very Frequent Poster

Join Date: Aug 2012
Posts: 1,086
Re: Is linux safe for online banking?

Quote:
Originally Posted by BrandiCandi
5. DON'T use a live CD for banking. They cannot be updated so they're not more secure.
.


Disagree. A LIVE CD should be safe, if you only use it for banking. Not much you can do except MiTM a LIVE CD. You can't write to disk, can't write to BIOS as far as I'm aware.
  #25  
November 27th, 2012, 05:03 AM
mack_guy911
Very Frequent Poster

Join Date: Mar 2007
Posts: 2,483
Re: Is linux safe for online banking?

Quote:
Originally Posted by BrandiCandi
There's a lot happening in this thread. It can all be summed up in two categories:
-Things that you can control as a banking customer.
-Things that you cannot control as a banking customer.

You can't control whether your bank properly secures the web applications they use on the web page. You can't control how the bank handles your account number and password. I don't see the point in worrying too much about the stuff you can't control.

What you can control is how you handle your password & account number and your own computer. So my advice to Stranger Guy is to just focus on that stuff:

1. Never ever conduct on-line banking from any public or free wifi. Ever. Under any circumstances. (That will avoid the man-in-the-middle attack mentioned.)

2. When you plan to bank on-line, first clear the internet history in whatever browser you're using. Start with a freshly-opened browser. Don't browse from Facebook to your bank. Open the browser, go directly to the bank, do your thing, then close the browser and clear the internet history again after you're done. This will reduce the chances of someone stealing your password/username through the browser. Many browsers can be configured to delete history upon exit automatically so you don't even have to think about it.

3. Keep your operating system and software updated always (whether it's Linux or not).

4. Like others said, you can block scripts in your browser. However, if your bank is anything like mine then they use 20+ scripts per page and it won't function properly if you don't allow the scripts. So theoretically it's a good idea to block scripts. But in practice I don't know how to do it effectively and still actually use the bank website. I had to whitelist all the scripts on my bank website in NoScripts.

5. DON'T use a live CD for banking. They cannot be updated so they're not more secure.

6. Make sure the password you use for your bank account is unique. Don't use it anywhere else. Use more than 9 characters (upper & lower case, numbers & special symbols) if you can.


I disagree on points 3 and 5. 1st, when I use a live CD

I go directly to my bank site, so even if it's an old system it doesn't mean it's vulnerable and not secure. If that's the rule, then Red Hat and its clones are the most vulnerable systems on earth, but they are exactly the opposite.

2nd, I know my live CD is tamper-proof because it is written; even if I use the same CD on a bank site or a warez site, they can't inject a rootkit into it, whereas they can do that to an updated, so-called fully patched system.

But yes, I agree: when you do banking, just boot a fresh live CD/DVD and do banking, nothing else. I find this safer.

Now, to prove my point: for shopping or online banking it won't take me more than 3-5 min. Let's say I give you 15-20 min or 30 min and (I tell you my IP address) you have to find which OS I am using, what vulnerabilities I have and how you attack my system, and then launch a real attack on the specific target machine.

In this case I give you my IP address, but in the real world you have to find my IP too.

Now I wonder, can you be (Miss Swordfish)? I can also play background music for you if you like.

Any hacking that can be done is done in 5-6 phases on a specific target; by the time you reach phase 5 it would be 2-5 hours to months/years, trust me.

And I can tell because I joined CEH because of the inspiration of the so-called funny movie Swordfish, where a monkey clicks on a keyboard and Mama Mia .............. magic happens, but in the real world nothing happens LOOL

But after that, now I know the difference between the real world and movies.
__________________
Scientific Linux 6.2, xubuntu 11.10 *2x, Linux mint 10, Linux mint 12, opensuse 11.4, windows vista, ubuntu 10.04 and windows xp

Last edited by mack_guy911 : November 27th, 2012 at 05:09 AM.
 

All times are GMT -4.