Online Banking Security

Discussion in 'all things UNIX' started by JConLine, May 3, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It's irrelevant, because whether or not one does online transactions has nothing to do with it. To make it clear, and most likely there was some confusion, I didn't say what you mentioned is irrelevant, only that the fact I don't do online transactions is irrelevant. Or, is it relevant? o_O
     
  2. BrandiCandi

    BrandiCandi Guest

    No, you didn't mangle my words. There are a lot of "ifs."

    As far as personal bad experiences, you probably WON'T know at the moment it's happening. How could you? I couldn't.

    And no, the defenses are not sophisticated. Block scripts. Update the browser & plugins. Simple common sense when browsing & clicking. Delete history & cookies upon closing the browser.

    My fundamental point is that there are risks. Everyone is free to do their own risk assessment and decide that any given vulnerability is not worth the effort to defend against or isn't likely to happen. I have no problem whatsoever if everyone in this thread decides it's too much of a bother to block scripts (it's a common complaint, I get that).

    What I take issue with is anyone who decides that you don't need to worry about these vulnerabilities because they don't exist. They do. It's wrong to say they don't. Understand the reality, then make a decision based on that reality. Don't make a decision based on a lack of information.

    Some may be more biased than others. The OWASP link (top ten vulnerabilities) is as unbiased as they come. OWASP is an open source, not-for-profit project dedicated to cleaning up the crappy websites we've been talking about. Here's a link that's also as unbiased as possible from The Linux Documentation Project:

    http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html

    I'm going to stop now. I've either made my case or not. If I continue I'll just be repeating myself even more.
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    So you did get affected at least once while doing online banking or shopping? If yes, would you mind describing the circumstances and what you think happened?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think she's saying that it would be difficult to know that you've been affected at the time. Not that she has herself in the past been affected without being able to tell.
     
  5. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    108
    Brandi expresses my thoughts. I don't think I'm smart enough to accurately assess the risks of online banking, and because of that, it's no trouble to add precautions. In 5 min I can add UFW with basic configuration, add NoScript to a browser, add enforce profiles to AppArmor, and add Norton DNS. And, as far as I know, there's not much of a downside to these security settings. They may be overkill but who cares.

    I have thoroughly enjoyed this discussion!

    Jim
     
    Last edited: May 8, 2012
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Yes, but I just wanted to know whether she was affected or not. AFAIK, not a single Wilders member on any OS has reported being affected.
     
  7. BrandiCandi

    BrandiCandi Guest

    I'll answer your question. I have no idea. Before I started caring about computers, my Facebook account was hacked. Could have been some kind of browser exploit, I don't have the foggiest idea. But somehow, someone got my credentials and posted spam on my page. I changed my password and all was fine. One of my old email accounts was sending spam to my contacts; again, that could have been the result of a malicious browser exploit or something else entirely. But somehow a malicious entity gained access to my email account and my contacts. I quit using that account but I suppose a password change would have fixed it.
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,

    As veteran members like tlu and mrk, it seems that we repeat the same song about the fight Security/Insecurity. Sorry to do the same...

    As Bruce Schneier said, "Security is a Process", and it is impossible to control 100% of this process.
    There are several third parties involved in online banking/shopping: this is a client/server side scenario with OS/Browser-server/web site.
    The goal is to mitigate risks for every side of this process.
    The host/PC/client side: a hardened distro with SELinux or the grsecurity kernel patch, for instance, which helps in kernel rootkit prevention by preventing writes to /dev/kmem and /dev/mem, use of a virtual keyboard, a VPN service, and hardened browser settings and add-ons like NoScript etc...

    There is a lot of choice available as a live CD or installed distro. I can mention for instance Fortress Linux ( http://www.fortresslinux.org/ ), LPS ( http://spi.dod.mil/lipose.htm ), UPR ( https://www.privacy-cd.org/en/home-mainmenu-71/55-was-ist-ubuntu-privacy-remix ) or Porteus ( https://porteus.org/ ).

    Regarding the server side, the user has limited possibilities.
    The most important thing is to choose a serious client that satisfies the PCI DSS common criteria: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard or https://www.pcisecuritystandards.org/
    And to have a bank that uses several security measures and authentication factors to secure the transaction (the virtual keyboard for instance can be defeated on both sides).
    Some banks for instance send an ID number via SMS to validate the transaction.
    There are other methods and materials available, like this USB antikeylogger: http://www.eksitdata.com/_uk/index.asp

    No client defense if the server is rooted and client database is stolen via an SQL Injection...and your credit card data will be then sold on carders boards for ten dollars before being used on yes cards in SPAIN...
    And it is not necessary to list all possible attacks that have already been discussed here, like all web application threats (XSS, CSRF...) and browser variants (Man in the Browser etc).
    statically mrk is right because Linux is statically sure.
    On the other hand, BrandiCandi is not wrong if we consider that absolute security does not exist and that most defenses can be bypassed.
    Endless cat and mouse game and endless discussions...

    rgds
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I agree with both sides here. Brandi and Hungryman are right in that there are *nix vulnerabilities. But Mrk is right in saying that the vast majority of those vulns will not affect your average desktop user. If you look at the CVEs for remote root exploits, they almost always involve some arcane service that would usually only reside on a server machine. If you run a server, then yes, you need to be vigilant. If you run a desktop, not so much. You really only need a firewall and updates.

    A desktop user should be worried about the browser. That's pretty much it. And there are tools you can use on *nix to make browser exploits much more difficult.
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    My bank site makes use of JavaScript so I had to allow the site with NoScript. I remember reading somewhere that even if allowing such sites, NoScript will still warn on detection of XSS injections.
    Is this true, or am I kidding myself?
     
  11. tlu

    tlu Guest

    No, you're not ;)

    You might also consider the following feature:

     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Ah, thank you tlu, I feel so much safer now! :) (but I need new glasses).
     
  13. tlu

    tlu Guest

    :D:D:D
     
  14. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Last edited: May 12, 2012
  15. tlu

    tlu Guest

  16. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    hahahaha I am bad at security, never reach above 1 :D

    Hey, by the way, you use OpenDNS or Norton DNS? Just wondering :)
     
  17. tlu

    tlu Guest

    I guess I was just lucky ;)

    I'm using OpenDNS with DNSCrypt.
     
  18. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Last edited: May 13, 2012
  19. BrandiCandi

    BrandiCandi Guest

    Not sure what you mean by the bolded part. Can you elaborate?
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,
    Sorry, I mean statistically... in relation to the malware industry, which targets for the most part the Windows platform.

    rgds
     
  21. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Just to follow another thread but in the right topic:
    https://www.wilderssecurity.com/showthread.php?t=330438

    The open source community provides ways to build one's own LiveCD for critical tasks, especially online banking and shopping.
    There is a Heise maintained project based on Ubuntu for German users called Bankix: http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html

    If a LiveCD appears by default more secure than a Windows station, all systems are vulnerable to client/server attacks.
    This includes network based (mostly MITM) and Web application based attacks (XSS/CSRF , Man in the Browser etc).
    Therefore the most important factor is the choice of the Bank or merchant: does the Bank support the security standards, which kinds of authentication factors are used, etc...
    There is currently enough technology (software and hardware) to make transactions much more secure, and to mitigate all kinds of risks ( example http://www.vasco.com/verticals/banking/onlinebanking.aspx ).
    As pointed out by this article ( http://www.paymentssecurity.com/2012/05/the-merchant-dilemma.html#more ), the main dilemma remains on the server/Bank side, as it is up to the client to connect from a trusted and non-compromised machine, but on the other hand, it's up to the Bank/merchant to provide all the required security processes to secure the transaction...
    "Money Money Money..." as could sing Abba, Pink Floyd or Dire Straits..

    Rgds
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'd say that sums it up nicely in a nutshell. Deal with a reputable bank and prevent unnecessary scripts through the browser and you're good to go.
     