A good setup for secure online banking and shopping

Hi all. I'm trying to sort out a setup for secure online banking and shopping. I've seen lately many posts talking about EMET and AppGuard, plus see that many people just use Sandboxie or SB plus another non-AV/IS app.

My question is if you can safely give your credit card number under those kind of protections. I mean, I see that SB is good at not letting the malware touch your OS. But while you are shopping you may have been infected in a previous website and not have even noticed it. Am I right?

AppGuard seems like a bulletproof configuration, even some people argue you could go only with it. But is it safe to say that AppGuard protects against loggers and other ways to capture your banking activities?

I've been a Prevx user before FF4 came into play and IIRC it has a SafeOnline module that it's very good for banking. Is it still this way in its new reincarnation WSAC?

I'd be very thankful to see some recommendations because I recently was robbed (and refunded) my CC number but I cannot confirm if online because it's still under investigation by the police.

 

Hi there,
There are many possibilities, and virtualization along with other layers can be fairly effective. Please check the following thread from post #461 to #464:
https://www.wilderssecurity.com/showthread.php?t=293075&page=19

Sandboxie can also be tightly configured to trap anything in the sandbox. Before doing anything one has to make sure to have a clean system to start with.

 

Hi,

I see you have avast internet security in your sig. IMO avast! will be enough to take care of your online banking. It has SafeZone.

The avast! SafeZone is a special web browser in avast which allows you to browse the web in a private, secure environment, invisible to the rest of your system.

If you do your banking or shopping on-line, or other security-sensitive and financial transactions, you can be sure that your personal data cannot be monitored by spyware or key-logging software. Unlike the avast! Sandbox, which is intended to keep everything contained inside so that it cannot harm the rest of your system, the SafeZone is designed to keep everything else out.The SafeZone includes some other security features in addition to the basic "inside out" sandbox, such as vpn service,secure DNS etc.

And afaik if you live in the United States, you also get avast! CreditAlert.

You can also check the thread: https://www.wilderssecurity.com/showthread.php?t=309604&highlight=trusteer rapport

 

Yes you are right, but there are a couple of things you can do. First, you can tightly configure Sandboxie to control what is allowed to run inside the sandbox and connect to the Internet, which should prevent malware from running inside the sandbox at all. Second, you should always empty the sandbox (if using only one) before banking and shopping, and again afterwards before resuming general web surfing; alternatively, if using the paid version of Sandboxie, you can set up a dedicated sandbox for banking and shopping, separate from the one you use for web surfing.

AppGuard should prevent malware from infecting the system in the first place, but will do little to prevent any malware that is already installed from being able to capture your banking activities. Applications like Prevx SafeOnline and Trusteer Rapport were developed for exactly this purpose.

Yes, it is still the case in the WSA Essentials and Complete products. It's too early to say how effective the new Identity Protection component of WSA is because the feature set and the way it works is a little different to SafeOnline so a direct comparison can't be made. There hasn't been sufficient testing yet against banking malware by the independent testing organizations to know for sure how good WSA is in this area, plus it has only just been released and is still evolving.

Some combination of virtualization and policy restriction provides a good basis for security (Sandboxie has both for sandboxed applications). AppGuard, which you mentioned, provides system-wide policy restriction and partners well with a lightweight virtualization application like Returnil or Shadow Defender. If you want to tighten things further then look to adding something that will secure the browser session against visibility from the outside (this probably won't work in conjunction with a sandboxed browser session using Sandboxie though). A two-way firewall with effective outbound application control may also help to prevent any malware from making an outbound connection.

 

Keep in mind Sandboxie negates the use of Trusteer Rapport. A most important tool for OLB & shopping.

When I followed OLB up I settled on Sandbox > NO & Trusteer Rapport > YES. Also I'm using Prevx Facebook Safeonline Free. Not too sure if Trusteer & Safeonline overlap.

 

Just burn a non-rewritable CD with Puppy Linux (or another Linux live cd from your preference), and use it for online banking and shopping

 

In the last half year, Puppy Linux has worked well that way for me.
http://puppylinux.org/main/Overview and Getting Started.htm

 

By changing to linux that only offers support at his end doesn't it? Where as Rapport also prevents phishing via website authentication to ensure that account credentials are passed to genuine sources only. Serious stuff for online shopping.

I think Trusteer Rapport or similar software must be part of the suite.

 

AaLF, you may be right about Puppy Linux only protecting the user's computer, and it might be possible to be fooled by fake sites, and information could be passed along from within the browsing session. But at least for me it's probably not an issue since the sites where I shop are easily recognizable as genuine, and it would be impossible to fake the sign-in process at my bank. Also I restart the browser before and after any transaction.

 

My bank offers dual authentication for online banking - in addition to entering the logon credentials the bank sends a text message to my phone with a one time numeric code. If my user name and password are stolen I am still protected because the bad guys would have to have my phone as well to logon. They also offer an email notification feature for all online transactions so I know in minutes when there has been account activity. These options are in addition to AV and sandboxing, of course. There is also the matter of a VPN if you ever use open WiFi. Hope this helps.

 

Sandboxie + HIPS such as OA with something like Online Banking

 

Before you get too involved about setting up maximum security prior to shopping online, you should consider that a major source of personal financial theft is totally and completely beyond your control.

Not that I want to darken your day, but you may want to go here:

http://www.informationweek.com/news/galleries/security/attacks/229300675

In all probability your CC information is already on a pirate list somewhere. But as it is in a database of millions of other stolen credentials you may be passed by. Safety in numbers, I guess.

Be vigilant, but don't be obsessive.

 

Good example of an "attack vector" that has nothing to do with PC security. Instant email notification for all account transactions is a useful response to the possibility that one's CC number is already out there. At least you know immediately when there is activity not initiated by you and can act to minimize the fraud. This perhaps is another reason to never use an ATM card for transactions since I've heard the losses are not immediately and automatically covered by the bank.

 

Depending on the bank, a debit card loss may not be covered at all.

But to point, I recently had an unauthorized charge. I have a credit card from a Major oil company- only used purchasing gas, and always swiped at the pump. A few months ago when I went online to pay my bill, I noticed a charge for $1200. This was for a one way flight from Beijing to Toronto (I live in neither place). Called the Fraud Reporting number and it was taken care of Stat.

If I had used that card for an online purchase I no doubt would have suspected sloppy security on my end instead of what actually happened, a data breach by them.

 

Please do not use super lubricant oils, supersonic cereals or sandboxie, because it is not a remedy against the intrusion vectors

1A. When using public connections
Easiest and shortest route to on-line security use a trusted (scrambled) VPN service (see www.bestvpnservice). When you use your netbook to do on-line banking/shopping at third party locations.

1B Viable option when only using at home connections
The data transport from your PC to any public or private access point (e.g. your router)

==> Passwords of your router/firewall should be changed, name of your SSID changed, encryption enabled using a long key phrase
==> It should ALLWAYS be encrypted when wireless, wired connections are very hard to breach

*** Raises the bar for man in the middle attacks


2. Hardening your system from intrusion directed at tapping info from keyboard or screen.
==> use a dedicated anti-keylogger or HIPS containg an proven anti keyloger.

*** Prevents the infection against personal keyloggers and intrusions, IMO it is much more usefull for a hacker to either plant something in the neigbourhood of public wireless access points (option 1) or redirect browser traffic (option 3), so yes this step is usefull for paranoids, but an anti keylogger does not protect you from attack vectors 1 and 3 (and 4)


3. Hardening your browser against the rest of your system and connection checking whether your are actually talking to the IP-address mentioned in the certificate (browser traffic redirect or / man in the browser).
As mentioned Trysteer Rapport or PrevX/WebrootSecure anywhere

4. Instruct the user to only buy from HTTPS sites, explain the signs and warnings, see https://www.google.com/support/chrome/bin/answer.py?answer=95617&hl=en-US


My home situation
a) My wife promised she would not use her smartphone for shopping etc
b) We are only booking from home, or when travelling using a secure VPN on our android 7inch tablet
c) My router/firewall is hardened and secured
d) My Wife has WebRootSecureAnywhere on laptop
e) We use Chrome, because I like the https indications

 

I resurrected my 10 year old IBM laptop, installed Slitaz linux on it and use it solely for banking and shopping. Slitaz is quite amazing, even on 10 year old hardware it boots in 20 seconds so its quick and easy to boot up and do my business.

 

Hi all and thanks a lot for your tips! Very appreciated!

I'm trying now WSAC to see how it goes. Sandboxie never worked for me under my Win7 x64 (many error codes).

Thanks again!

 

Doraemon you might have a program that's conflicting with Sandboxie. I've used Sandboxie with Windows 7 x 64 since 7 came out without having error codes.

 

Knos Or LPS on bootable disc

 

Someone had mentioned ChromiumOS in a VM or LiveCD/USB. It's essentially just Chromium/Chrome with a file manager, video player, and a few other things.

It has a very strong vulnerability track record (two critical vulns ever) and it should serve your banking purposes just fine.

 

ZoneAlarm Extreme Security is one of the most complete suites to protect against such risks. it has ID protection and it alerts frequently about everything you do with your card. Plus add Spyshelter and your are good to go.
I am planning to extand my ZA virus plus firewall to ZAE

 

if you do online shopping then you must set up a Paypal account.
this way you don't leave your credit card number everywhere.

also, avoid using your credit card in the real world as much as possible.

as for online banking i too recommend a Linux live disk.

 

Puppy Linux

Lightweight Portable Security (LPS)

Chrome OS

 

Knos Demo !!!!!