Do you have or recommend a Financial Only PC?

Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Post by TheTimeLord »

I was watching the show "American Greed" on CNBC about a hacking scam. In an interview during the show it was recommended you have a financial PC, a PC you only use to access financial accounts, no web surfing. Then I started Googling around the topic of what happens if your accounts are drained from cyber fraud and theft and it sounded like if you aren't taking steps to ensure your account security you could have an issue recovering your funds. So now I am considering buying a mid-priced laptop to be a financial only machine, the only machine I will use to access my accounts. Anyone else thinking this way or already have a setup?
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Jeff7
Posts: 329
Joined: Sat Nov 24, 2012 1:30 pm

Re: Do you have or recommend a Financial Only PC?

Post by Jeff7 »

I haven't heard of anything like this.
I wouldn't expect people to try to break into individual PCs. The good hauls would be had from places that store credit card information from thousands or millions of users. About all you can do then is use a long, strong, and randomized password and hope that they're using good security and encryption on their end. (A good password doesn't mean squat if it's stored on their server in plain text or a very weak hash. They should be storing it using a strong hash. If someone breaks through the perimeter defenses, it'd be nice to know that they only made off with a bunch of unusable data.)

And if your PC was to be compromised, it wouldn't matter if it's a separate system or not. One way or another, it'd have to connect to the Internet if you're using it to access online accounts.
skepticalobserver
Posts: 1116
Joined: Tue Jul 29, 2014 11:29 am

Re: Do you have or recommend a Financial Only PC?

Post by skepticalobserver »

I've been considering doing this. If it means anything, Clark Howard has been a long time proponent of using a "financial only" PC.
BL
Posts: 9874
Joined: Sun Mar 01, 2009 1:28 pm

Re: Do you have or recommend a Financial Only PC?

Post by BL »

Why mid-priced?

How about a Chromebook? cheap, light, supposedly virus-free forever.
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

Jeff7 wrote:I haven't heard of anything like this.
I wouldn't expect people to try to break into individual PCs. The good hauls would be had from places that store credit card information from thousands or millions of users. About all you can do then is use a long, strong, and randomized password and hope that they're using good security and encryption on their end. (A good password doesn't mean squat if it's stored on their server in plain text or a very weak hash. They should be storing it using a strong hash. If someone breaks through the perimeter defenses, it'd be nice to know that they only made off with a bunch of unusable data.)

And if your PC was to be compromised, it wouldn't matter if it's a separate system or not. One way or another, it'd have to connect to the Internet if you're using it to access online accounts.
I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks. The second was something I noticed in some of the posting about insurance reimbursement which was the fact if the transactions originated from your PC they blame you for the breach. Strangely enough I was already thinking of doing this even prior to seeing the show or doing the research.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

BL wrote:Why mid-priced?

How about a Chromebook? cheap, light, supposedly virus-free forever.
Because I get irritated at crappy performance even if only occasionally using something. Plus not a fan of Google knowing everything I do. Lastly, it would likely be usable for a longer period of time.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Mike Scott
Posts: 3579
Joined: Fri Jul 19, 2013 2:45 pm

Re: Do you have or recommend a Financial Only PC?

Post by Mike Scott »

I do but then I already had a couple of old laptops collecting dust.
jebmke
Posts: 25479
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Do you have or recommend a Financial Only PC?

Post by jebmke »

Three zero cost solutions. (1) Bootable USB flash drive with a non-persistent Linux installation. (2) Dual boot your existing PC with another OS (Linux is free), (3) Install VirtualBox or another free VM software and run Linux in a VM.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
nomas
Posts: 50
Joined: Sat Oct 27, 2007 10:15 am

Re: Do you have or recommend a Financial Only PC?

Post by nomas »

I have an older computer running Windows 7 and I only use it when accessing my bank, credit card, and investment accounts, and also the Social Security website. When I'm not accessing the accounts the computer is turned off.
Enkidu
Posts: 211
Joined: Mon Jun 02, 2014 8:48 am

Re: Do you have or recommend a Financial Only PC?

Post by Enkidu »

I have been using a laptop with Linux only to access my financial accounts for about a year. I use my Windows desktop or iPad for everything else. I can take the laptop with me if I travel for a week or more and think that I may need to access my financial accounts. So far this has worked well and I do feel safer.
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

jebmke wrote:Three zero cost solutions. (1) Bootable USB flash drive with a non-persistent Linux installation. (2) Dual boot your existing PC with another OS (Linux is free), (3) Install VirtualBox or another free VM software and run Linux in a VM.
Years back I built a multi-boot PC where I used a removable bay to swap out boot drives for different operating systems. What I am not sure about a multi-boot machine with a single drive is if there will still be readable information from my accounts on the hard drive when I am booted up normally that could be used to identify account and financial institutions. But I would assume this would work like alarm systems in homes. It is not that it can't be circumvented it just isn't worth the trouble with so many unprotected homes available.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

Enkidu wrote:I have been using a laptop with Linux only to access my financial accounts for about a year. I use my Windows desktop or iPad for everything else. I can take the laptop with me if I travel for a week or more and think that I may need to access my financial accounts. So far this has worked well and I do feel safer.
Part of me is wondering if a tablet using the institutions' financial apps might not be the safest way to go.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: Do you have or recommend a Financial Only PC?

Post by Ice-9 »

jebmke wrote:Three zero cost solutions. (1) Bootable USB flash drive with a non-persistent Linux installation. (2) Dual boot your existing PC with another OS (Linux is free), (3) Install VirtualBox or another free VM software and run Linux in a VM.

I actually go the Linux Virtual Machine route with Virtual Box. Just wanted to add that this installation is also (1) encrypted and (2) my VirtualBox settings are such that things from the guest cannot be copy/pasted to the host. Feel a little more secure with those two things.

If I need to access financial accounts at work (where I don't have VirtualBox installed), I use this live DVD: http://www.spi.dod.mil/lipose.htm
If Lightweight Portable Security is good enough for the military to give to their members when they connect from outside locations, I figure it's probably a good choice for a live DVD for online finances as well. A great feature of LPS is that it doesn't connect to your computer's hard drive at all, so any malware on your regular use computer shouldn't affect your live-DVD session in LPS.
lazyday
Posts: 3849
Joined: Wed Mar 14, 2007 10:27 pm

Re: Do you have or recommend a Financial Only PC?

Post by lazyday »

TheTimeLord wrote:
BL wrote:Why mid-priced?

How about a Chromebook? cheap, light, supposedly virus-free forever.
Because I get irritated at crappy performance even if only occasionally using something. Plus not a fan of Google knowing everything I do. Lastly, it would likely be usable for a longer period of time.
A new Chromebook should have fine performance for most web browsing tasks. They are faster than Windows machines with the same CPU.

The speedy Acer C720 with a Haswell Celeron was $150 on Black Friday, and can probably be had for $200 easily today.

If you don't want Google to know anything, then don't use them for email, storage, etc. It's not like they track your browsing. LG had a television that phoned home and got caught; I'm sure Google would get caught if they tried spying.

You could just use guest mode if you don't even want a user with a Google ID.
KyleAAA
Posts: 9499
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do you have or recommend a Financial Only PC?

Post by KyleAAA »

Some people here do that (I don't). A simpler solution would just be to use a bootable Linux CD or a VM instead of having to purchase a separate physical machine.
Toons
Posts: 14467
Joined: Fri Nov 21, 2008 9:20 am
Location: Hills of Tennessee

Re: Do you have or recommend a Financial Only PC?

Post by Toons »

No specific financial PC. I do financial transactions, including TaxAct online, via Chromebook, Windows computer, Android phone or Nexus 7 tablet, whatever is most convenient at the time.

Chromebook is my favorite device (4 GB DDR3L SDRAM is worth the price difference).

http://www.amazon.com/Samsung-Chromeboo ... mebook+4gb
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
jebmke
Posts: 25479
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Do you have or recommend a Financial Only PC?

Post by jebmke »

Ice-9 wrote:
jebmke wrote:Three zero cost solutions. (1) Bootable USB flash drive with a non-persistent Linux installation. (2) Dual boot your existing PC with another OS (Linux is free), (3) Install VirtualBox or another free VM software and run Linux in a VM.

I actually go the Linux Virtual Machine route with Virtual Box. Just wanted to add that this installation is also (1) encrypted and (2) my VirtualBox settings are such that things from the guest cannot be copy/pasted to the host. Feel a little more secure with those two things.

If I need to access financial accounts at work (where I don't have VirtualBox installed), I use this live DVD: http://www.spi.dod.mil/lipose.htm
If Lightweight Portable Security is good enough for the military to give to their members when they connect from outside locations, I figure it's probably a good choice for a live DVD for online finances as well. A great feature of LPS is that it doesn't connect to your computer's hard drive at all, so any malware on your regular use computer shouldn't affect your live-DVD session in LPS.
What distro are you using in the VM? I am running an older W7 laptop. I have a Ubuntu bootable flash which works fine stand alone but would prefer a smaller footprint and resource-light version for the VM.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Do you have or recommend a Financial Only PC?

Post by Epsilon Delta »

TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks.
If you never use a machine on the web how do you use it to perform financial transactions?

The financial companies are claiming that their computers would never spread a virus or install malware, because financial companies are quite unlike all the other companies on the web, which are in business purely to make money and so can't be trusted.

Unfortunately for that argument Sony owns a bank.

So what we have is a situation where financial institutions are trying to save $10 of postage a year and telling customers to buy a $200 PC exclusively to access their web site.
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

Epsilon Delta wrote:
TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks.
If you never use a machine on the web how do you use it to perform financial transactions?

The financial companies are claiming that their computers would never spread a virus or install malware, because financial companies are quite unlike all the other companies on the web, which are in business purely to make money and so can't be trusted.

Unfortunately for that argument Sony owns a bank.

So what we have is a situation where financial institutions are trying to save $10 of postage a year and telling customers to buy a $200 PC exclusively to access their web site.
Well the obvious answer would be use a tablet and apps instead of the web but if you think that financial institutions are only equally as dangerous as other sites you still improve your odds by accessing fewer sites, if they are better then great. Could you cite a case where a bank or financial institution downloaded malware to customer computers that was used for draining accounts?
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Jeff7
Posts: 329
Joined: Sat Nov 24, 2012 1:30 pm

Re: Do you have or recommend a Financial Only PC?

Post by Jeff7 »

TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks. The second was something I noticed in some of the posting about insurance reimbursement which was the fact if the transactions originated from your PC they blame you for the breach. Strangely enough I was already thinking of doing this even prior to seeing the show or doing the research.
I guess that's possible.
I've been mostly malware-free for quite a long time. :) I did snag a rootkit at work once, but it didn't last long. My usage habits probably don't qualify as "average" though.


Concerning the "if the transactions originated from your PC they blame you for the breach," a laptop is still a personal computer. It just happens to be portable. (Whether or not these postings are accurate, I cannot say.)
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

Jeff7 wrote:
TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks. The second was something I noticed in some of the posting about insurance reimbursement which was the fact if the transactions originated from your PC they blame you for the breach. Strangely enough I was already thinking of doing this even prior to seeing the show or doing the research.
I guess that's possible.
I've been mostly malware-free for quite a long time. :) I did snag a rootkit at work once, but it didn't last long. My usage habits probably don't qualify as "average" though.


Concerning the "if the transactions originated from your PC they blame you for the breach," a laptop is still a personal computer. It just happens to be portable. (Whether or not these postings are accurate, I cannot say.)
I am not following on your laptop comment. Could you clarify?
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Woodshark
Posts: 709
Joined: Fri Jan 07, 2011 3:09 pm

Re: Do you have or recommend a Financial Only PC?

Post by Woodshark »

I do have an older PC that is only used online for financial access. For all other online/web surfing/ email etc., I have three other PC's/laptops that I use.
miles monroe
Posts: 1290
Joined: Mon Jan 20, 2014 11:14 am

Re: Do you have or recommend a Financial Only PC?

Post by miles monroe »

clark howard has recommended a "financial site only" computer in the past. no email. no web surfing. just (for example) your bank, schwab, vanguard. not even this site.

very important if you run a small business as the protections are different than for individuals.
Dutch
Posts: 1277
Joined: Thu Jun 27, 2013 2:12 pm

Re: Do you have or recommend a Financial Only PC?

Post by Dutch »

Epsilon Delta wrote:
TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks.
If you never use a machine on the web how do you use it to perform financial transactions?
+ 1

That would make it so safe, that it would be unusable.
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: Do you have or recommend a Financial Only PC?

Post by midareff »

My concerns (rightly or wrongly) are far more centered on the institution's security than that of my PC. I use LastPass for strong unique passwords, check accounts every few days, have all transactions noticed to my email, run anti-virus and anti-malware software and rarely use the machine for anything other than finance, medical research and/or offline photography work at home. When not in use the machine is shut down OFF. I don't use Dropbox, don't send financial records through email, don't open emails from those I don't know and don't go to links I don't know are legit. If in doubt I don't go there. As far as phones and tablets I could use them with my LastPass password but never do at a $$ site.

There is a line between being careful and/or paranoid, I'm thinking I'm near it but still on the careful side.
nordlead
Posts: 739
Joined: Thu Sep 12, 2013 9:09 am

Re: Do you have or recommend a Financial Only PC?

Post by nordlead »

I don't worry about it. Then again, I take precautions to make sure my home network is secure.

I have had a few viruses over the last 9 years, but none over the past 4. I'm pretty sure every case was self-inflicted (wife clicked a link one time, I did a misspelled search and downloaded the wrong thing, etc...). Any instance of unexpected behavior with unknown processes running is now resolved by a system restore from an image (haven't had to do that). I store no personal data on my client PCs, all of that data is stored on a server in my basement.

So, due to the fact that it would take a targeted attack to get through my setup and stick around long enough to learn something, I'm more concerned about the lack of security at financial institutions. I mean, I'm one of billions of PCs on the internet, so random attacks make sense. Chase on the other hand is one of the biggest banks in the world, it makes sense to do a targeted attack against them. The lack of two-factor authentication means spear phishing works at places like Chase, where the entire thing could have been avoided by requiring two-factor authentication for outside access to internal servers.
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

An example of what you are trying to guard against.

http://www.wiki-security.com/wiki/Parasite/ZeusTrojan/

The Zeus Trojan is a Trojan that infects Windows computers and steals banking information and other details from PC users. Zeus Trojan, which is known by many aliases including PRG, Zbot and Infostealer, has already infected as many as 3.6 million PCs in the United States alone. The Zeus Trojan infection has also spread to other parts of the globe, compromising machines located in Egypt, Mexico and Turkey. While this malicious program is known to infect Microsoft Windows computers exclusively, PC security researchers, in 2012, have discovered a variant of the Zeus Trojan that attacks Blackberry and Android mobile phones. In 2009, security analysts found that the Zeus Trojan has infiltrated more than 74,000 accounts of banks and businesses including Amazon, Oracle, NASA and the Bank of America. In 2010, more than 100 conspirators in the U.S., the UK and Ukraine have been arrested by the FBI. Despite this, several versions of the Trojan have persisted, the latest being the one discovered lately to have infected Androids and Blackberries.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: Do you have or recommend a Financial Only PC?

Post by Ice-9 »

jebmke wrote:
Ice-9 wrote:I actually go the Linux Virtual Machine route with Virtual Box. Just wanted to add that this installation is also (1) encrypted and (2) my VirtualBox settings are such that things from the guest cannot be copy/pasted to the host. Feel a little more secure with those two things.
What distro are you using in the VM? I am running an older W7 laptop. I have a Ubuntu bootable flash which works fine stand alone but would prefer a smaller footprint and resource-light version for the VM.
Until about a year ago, for a couple of years, I used Lubuntu, which was very easy to set up from the ISO and practically working fine out of the box.

For the past year, I've actually been using Debian for my financial VM, which I'll admit had a few extra setup steps, as they don't do everything for you that the 'buntu installer does. For example, I remember I had to adjust the configuration file for which apps can do sudo commands, and maybe one or two other additional configuration steps.

Both Lubuntu and Debian are pretty small footprint and light on resources. Another light option might be LXLE, which is based on Lubuntu and which I actually use for a (non-finance) laptop.
nordlead
Posts: 739
Joined: Thu Sep 12, 2013 9:09 am

Re: Do you have or recommend a Financial Only PC?

Post by nordlead »

If I was going the VM or USB route, I'd probably use Puppy Linux. It is super lightweight and makes Lubuntu look bloated.
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Do you have or recommend a Financial Only PC?

Post by Ged »

I would not use a tablet or phone to access a financial institution. These operating systems are not very robust.

Best would be a bootable Linux CD or a write protected USB. The brilliant thing about that approach is that there is no persistent writable storage around for someone to attack.
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: Do you have or recommend a Financial Only PC?

Post by Ice-9 »

One other thing to note about my financial Linux VM, and I would do the same thing if I had a separate physical computer for finances as well:

Every time I log into the VM, I update the software, the virus protection software, and scan the (small) home directory so just in case something does happen I can always say I did those steps before I last accessed the financial website.
On my Debian VM (and would be same for one of the 'buntus) that would be:

sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get clean
sudo freshclam
sudo clamscan -r /home

The above are usually always the most recent commands I've run in the VM, so I just hit the arrow key to add them rather than type them each time. Superfast way to CYA.
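The routine described in the post above, as an added example that is not part of the original post: the same four commands wrapped in a POSIX shell script that appends a timestamped line per step to a log, so there is a record of what was run and when. `LOG_FILE`, `SCAN_DIR`, `SUDO` and the function names are assumptions made for this sketch; the verdict relies on clamscan's documented exit codes (0 clean, 1 virus found, 2 error).

```shell
#!/bin/sh
# Added example (not Ice-9's own script): update, refresh signatures, scan,
# and keep a dated record of each step's exit status.
# LOG_FILE, SCAN_DIR and SUDO are names invented for this sketch.

LOG_FILE="${LOG_FILE:-$HOME/finance-vm-checks.log}"
SCAN_DIR="${SCAN_DIR:-/home}"
SUDO="${SUDO-sudo}"            # set SUDO="" when already running as root

# Append one line: UTC timestamp, step name, detail.
log_line() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$LOG_FILE"
}

# Run a command, record its exit status under the given step name,
# and return that status to the caller.
run_step() {
    step=$1; shift
    rc=0
    "$@" || rc=$?
    log_line "$step" "rc=$rc"
    return "$rc"
}

pre_banking_check() {
    # Package updates: if these fail the VM may be missing fixes, so stop.
    run_step apt-update   $SUDO apt-get update       || { log_line verdict not-updated; return 3; }
    run_step dist-upgrade $SUDO apt-get dist-upgrade || { log_line verdict not-updated; return 3; }
    run_step apt-clean    $SUDO apt-get clean        || true

    # A manual signature refresh can fail harmlessly, for instance when a
    # freshclam service is already running, so log the status and carry on.
    run_step freshclam $SUDO freshclam || true

    # clamscan: 0 = no virus found, 1 = virus(es) found, 2 = error.
    scan_rc=0
    run_step clamscan $SUDO clamscan -r --infected "$SCAN_DIR" || scan_rc=$?
    case $scan_rc in
        0) verdict=clean ;;
        1) verdict=infected ;;
        *) verdict=scan-error ;;
    esac
    log_line verdict "$verdict"
    echo "pre-banking check: $verdict (log: $LOG_FILE)"
    [ "$verdict" = clean ]
}

# Run the routine only when asked to: sh finance-check.sh run
if [ "${1:-}" = run ]; then
    pre_banking_check
    exit $?
fi
```

A non-zero exit from `pre_banking_check` means the scan did not come back clean or the updates did not complete.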
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Do you have or recommend a Financial Only PC?

Post by Mudpuppy »

This advice stems from the fact that browsers and PCs, even ones with anti-virus, anti-malware, and up-to-date patches, can fall prey to malware. Even if you are cautious with your browsing habits, legitimate websites can and have been compromised in the past. The most notorious was the Zeus trojan already mentioned, but there were many variants and newer malware that can do things like a keylogging attack, an attack against password databases (one of the reasons I use KeePass is it's been the most free of such concerns), or even a live session hijacking (where it sees that you are logged into your bank account and it conducts a little wire transfer or ACH transaction under a "hidden" tab).

Yes, it is somewhat random if you get hit with such malware, but there is a real chance it will happen if you use the same machine for random web surfing and financial transactions (same machine, the malware can easily bypass tricks like "well I use Chrome for financial sites and Firefox for everything else"). That is why using a separate machine, a virtual machine (VM), or bootable media like a read-only USB drive or LiveCD is a common recommendation. It involves a setup cost, but then there's only a tiny bit of effort to completely thwart this attack vector.

This is an entirely different sort of concern than the concern a bank faces. A bank is concerned with targeted, information-backed attacks where the attackers are not just attacking the machines, they are also attacking the people through very sophisticated spear phishing attacks (above and beyond what you get as a consumer). These are generally called "Advanced Persistent Threats" by the major companies (although I'm not a fan of the name but that's a subject for another time). There's not much you can do to guard against these. Even companies have a hard time guarding against these because all you need is one employee who falls for it and clicks the email attachment. The brighter companies have done the corporate equivalent of "using a different machine" by putting the email and desktop activities on a different network segment than their critical infrastructure and have set it up so the different network segments are not directly accessible from one another.
Aptenodytes
Posts: 3786
Joined: Tue Feb 08, 2011 7:39 pm

Re: Do you have or recommend a Financial Only PC?

Post by Aptenodytes »

Dutch wrote:
Epsilon Delta wrote:
TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks.
If you never use a machine on the web how do you use it to perform financial transactions?
+ 1

That would make it so safe, that it would be unusable.
No need to be pedantic. It is clear enough from the context that Web surfing here refers to visiting Web sites other than the financial institutions in question.
Topic Author
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Do you have or recommend a Financial Only PC?

Post by TheTimeLord »

Ged wrote:I would not use a tablet or phone to access a financial institution. These operating systems are not very robust.

Best would be a bootable Linux CD or a write protected USB. The brilliant thing about that approach is that there is no persistent writable storage around for someone to attack.
http://www.infoworld.com/article/284595 ... ipads.html
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
dual
Posts: 1383
Joined: Mon Feb 26, 2007 6:02 pm

Re: Do you have or recommend a Financial Only PC?

Post by dual »

TheTimeLord wrote:Anyone else thinking this way or already have a setup?
I have used a finance-only PC for several years now. Here are some of the steps I took that I recall.

I wiped an old PC and did a clean install of the operating system (Windows 7--more on that later) with no crapware.
Then, I closed off all local networks, home networks, etc.
I installed Firefox and then added noscript and adblock software.
I set Firefox to clear all cookies on exit.
I did not install Flash or any other addons.
I installed encryption software from Cypherix to keep my records. This encrypts my data on disk. I access the encrypted data with an old-fashioned, non-web based personal information manager called Infoselect. I use that as a password safe and also to store other records of my transactions with the finance company websites.

I only use the PC to access finance company websites. No email, ftp, or web surfing.

I used Windows 7 because companies like Vanguard require you to show that you took reasonable steps to secure your password and PC. I figured that anyone who ever checks this will be knowledgeable about Windows software but not necessarily about Linux, ChromeOS, etc so I can show I took reasonable steps more easily. I do download and install all critical updates promptly and run Windows Defender.

Some small hassles:
1. Some websites like Chase like to verify a PC without their cookies. I get them to telephone me with the access code.
2. I like to download tax data from finance sites when I do my taxes. I do not use the finance PC to do the taxes. Most finance sites do not require your account userid and password to download the data. They use codes on the 1099. But some do want the access info. In that case, I reset the password with the finance PC immediately after I download the tax data.

p.s. I started a thread on how to do this some time back. For some reason, most of the respondents had not done it but they wanted to dissuade me from doing it since (a) they were sure either it was totally not necessary or (b) it was futile because no computer is invulnerable to a targeted attack by an army of hackers or (c) they were sure that if my computer were compromised all my losses would be reimbursed. I do not think any of these are true but you will get plenty of advice. I agree that no computer is invulnerable but making me a harder target is well worthwhile.
Bob.Beeman

Re: Do you have or recommend a Financial Only PC?

Post by Bob.Beeman »

There's a lot of good advice here. If I may presume to distill it:
  1. The real danger is in browsing to large numbers of web sites having unknown and possibly dangerous malware, emails that you may receive, etc. etc. The best cure is to use a separate computer only for finance. A virtual machine, booting from a separate disk drive, or from a separate partition on your hard drive, or through a Virtualization program are all just about as good.
  2. Make sure you NEVER go to any other sites using this virtual computer. If you think somebody in the family will be tempted to use it for other things, turn on "parental controls".
  3. Make sure no email client is installed on this VM, partition, or separate computer.
  4. Don't use "apps" to connect to banks, etc. Use well-known browsers only (e.g. Chrome, Firefox, Safari, or any of a few others - not IE). "Apps" often include poor security and or "features" designed to spy on you. Don't allow the website to store data in the browser (you have to allow cookies, but not from third-parties).
  5. Make sure Flash and Java are turned off in the browser, or preferably not installed at all. These are notorious vectors for introduction of malware.
  6. Make sure your firewall is set to "stealth" mode and is an active firewall that only lets things through if it is in response to something you originated.
  7. Update your OS regularly. Run an antiviral if you use Windows. The last virus I had on a Mac was in the mid-1980s and I only use an anti-viral to run periodic checks. Never have found one. You may not feel safe without an antiviral. If so, run one continuously.
  8. Resist the urge to run bank-recommended security applications such as "Trusteer Rapport". These are mostly junk (my opinion but supported by data), and often mess up your browser or OS.
In addition to this, I would only use Mac or Linux as an OS. Windows invented "ActiveX" - probably the biggest security disaster in history. Other OSs seem to do just fine without this. Google looks at all kinds of stuff on a ChromeBook, and we have only their philosophy "Don't be Evil". That's probably paranoid, but I DO wear a tinfoil hat when it comes to on-line security.

Most of these ideas are from the great posts in this thread that precede this one.

Look both ways before crossing the web.

- Bob Beeman.
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: Do you have or recommend a Financial Only PC?

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (PC security).
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: Do you have or recommend a Financial Only PC?

Post by LadyGeek »

jebmke wrote:Three zero cost solutions. (1) Bootable USB flash drive with a non-persistent Linux installation. (2) Dual boot your existing PC with another OS (Linux is free), (3) Install VirtualBox or another free VM software and run Linux in a VM.
(1) and (2): Booting Linux on a Windows PC containing a Windows OS on the hard drive is a huge security risk. Linux does NOT recognize Windows file permissions (NTFS); all files are OPEN to anyone with Linux. Whoever uses the boot disk has the full run of your hard drive.

Don't ever let a visitor dual-boot Linux on a Windows PC. Create a "guest" (restricted privileges) account for them instead.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
patrick
Posts: 2594
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Do you have or recommend a Financial Only PC?

Post by patrick »

Mudpuppy wrote:This advice stems from the fact that browsers and PCs, even ones with anti-virus, anti-malware, and up-to-date patches, can fall prey to malware. Even if you are cautious with your browsing habits, legitimate websites can and have been compromised in the past. The most notorious was the Zeus trojan already mentioned, but there were many variants and newer malware that can do things like a keylogging attack, an attack against password databases (one of the reasons I use KeePass is it's been the most free of such concerns), or even a live session hijacking (where it sees that you are logged into your bank account and it conducts a little wire transfer or ACH transaction under a "hidden" tab).
But how exactly would they get in? Just because the web site has a trojan on it doesn't mean that the badguys will be able to get it running on your PC. To get it to run they can either exploit software flaws to run it automatically, or they can trick you into giving it permission to run. Keeping your patches up to date will stop the former (for the most part ... the NSA probably has lots of unpatched exploits but they do not need to hack your PC to get your banking information since they can get it straight from the bank). For the latter it's just a matter of saying no when the security warning asks you to give permission to run the trojan.
Mudpuppy wrote:Yes, it is somewhat random if you get hit with such malware, but there is a real chance it will happen if you use the same machine for random web surfing and financial transactions (same machine, the malware can easily bypass tricks like "well I use Chrome for financial sites and Firefox for everything else"). That is why using a separate machine, a virtual machine (VM), or bootable media like a read-only USB drive or LiveCD is a common recommendation. It involves a setup cost, but then there's only a tiny bit of effort to completely thwart this attack vector.
If the host OS is infected then a VM running under it is not all that secure. You start up your VMM from your regular OS, then you start your browser inside it, type in "www.somebankorother.com" and then your username and password ... but if your regular OS has a keylogger it sees that you typed in "www.somebankorother.com" and then sends whatever comes after back to the badguys to attack you. Bootable media (or a separate machine you installed Linux on) isn't a guarantee since the media (or your Linux installer) could have been tampered with before you burned the CD or write-protected the USB stick. As a practical matter these strategies (other than using a VM for financial work only with everything else in the host OS) probably would work for now since it is easier for the badguys to attack the 99% of users who don't bother doing them. Or they'll just stick to sending e-mail to trick you into going to a fake bank web site and sending your password straight to them no matter how secure you are against trojans.
Mudpuppy wrote:This is an entirely different sort of concern than the concern a bank faces. A bank is concerned with targeted, information-backed attacks where the attackers are not just attacking the machines, they are also attacking the people through very sophisticated spear phishing attacks (above and beyond what you get as a consumer). These are generally called "Advanced Persistent Threats" by the major companies (although I'm not a fan of the name but that's a subject for another time). There's not much you can do to guard against these. Even companies have a hard time guarding against these because all you need is one employee who falls for it and clicks the email attachment. The brighter companies have done the corporate equivalent of "using a different machine" by putting the email and desktop activities on a different network segment than their critical infrastructure and have set it up so the different network segments are not directly accessible from one another.
Getting infected by e-mail is pretty hard though. Most e-mail systems will remove executable attachments automatically. Sometimes they'll even go inside zip files to remove executables inside them too. The badguys would have to send an e-mail that tricks the user into something like renaming the attached .fyf file to .exe and then running it. Even then there would probably be a security warning before it launches. On the other hand, if there are thousands of employees it's not too unrealistic that one of them would be fooled into doing so.
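The attachment filtering described in the post above, sketched as an added example (not code from any participant in this thread or from a real mail gateway): it drops attachments with executable extensions, looks inside zip files, and also checks file content so that an executable sent under a harmless-looking name such as .fyf is caught. The blocklist, size limits and sample message are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; real gateways use longer lists.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".msi")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to unpack huge members (zip bombs)
MAX_ZIP_DEPTH = 3                    # stop recursing into nested archives


def is_blocked_name(name):
    # Trailing dots/spaces are ignored by Windows, so strip them before matching.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS)


def verdict(name, data, depth=0):
    """Return a reason string if the file should be removed, else None."""
    if is_blocked_name(name):
        return "blocked extension"
    if data[:2] == b"MZ":  # Windows executable header, whatever the file is called
        return "executable content under another name"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    if depth >= MAX_ZIP_DEPTH:
        return "archive nested too deeply"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    return "oversized member " + info.filename
                inner = verdict(info.filename, archive.read(info), depth + 1)
                if inner:
                    return "contains %s (%s)" % (info.filename, inner)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return "unreadable or encrypted archive"  # cannot inspect, so do not deliver
    return None


def filter_message(raw_bytes):
    """Return (message, removed): the message without flagged attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    removed, drop = [], set()
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = verdict(name, part.get_payload(decode=True) or b"")
        if reason:
            removed.append((name, reason))
            drop.add(id(part))
    if drop:
        msg.set_payload([p for p in msg.get_payload() if id(p) not in drop])
    return msg, removed


def build_sample():
    """Constructed message: one benign attachment, two that should be removed."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("inner/setup.exe", b"not a real program")
    msg = EmailMessage()
    msg.set_content("See attachments.")
    for name, data in [("notes.txt", b"plain notes"),
                       ("invoice.zip", archive.getvalue()),
                       ("report.fyf", b"MZ" + bytes(62))]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Archives that cannot be opened (for example password-protected ones) are treated as removable here, because the filter has no way to see what they contain.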
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Do you have or recommend a Financial Only PC?

Post by Ged »

TheTimeLord wrote:
Ged wrote:I would not use a tablet or phone to access a financial institution. These operating systems are not very robust.

Best would be a bootable Linux CD or a write protected USB. The brilliant thing about that approach is that there no persistent writable storage around for someone to attack.
http://www.infoworld.com/article/284595 ... ipads.html
http://www.computerworld.com/article/24 ... esses.html

http://www.technewsworld.com/story/80770.html?rss=1

http://resources.infosecinstitute.com/i ... ptography/

http://cocoamanifest.net/linked/2012/05 ... urity.html
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Do you have or recommend a Financial Only PC?

Post by telemark »

TheTimeLord wrote:Part of me is wondering if a tablet using the institutions financial apps might not be the safest way to go.
No! No no no no no. Use XP before you do that. Not only is the operating system not very secure, as Ged already mentioned, but the quality of many apps is barely above execrable. If you do use a tablet to access financial sites, and I recommend against it, use the browser and go to the web site--the browser is somewhat less likely to be vulnerable.

Everyone is rushing to get an app out the door, because the public expects it. Making them secure is less of a priority.
SGM
Posts: 3341
Joined: Wed Mar 23, 2011 4:46 am

Re: Do you have or recommend a Financial Only PC?

Post by SGM »

I had a separate machine for quickbooks accounting software for my business and for tax software. Another machine was used for billing software. A third machine was used for all other applications and the internet including investments. I did not keep personal information on the hard drive that was used on the internet.

Now I have two machines one for tax software another for the internet.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Do you have or recommend a Financial Only PC?

Post by Epsilon Delta »

Aptenodytes wrote:
Dutch wrote:
Epsilon Delta wrote:
TheTimeLord wrote:I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks.
If you never use a machine on the web how do you use it to perform financial transactions?
+ 1

That would make it so safe, that it would be unusable.
No need to be pedantic. It is clear enough from the context that Web surfing here refers to visiting Web sites other than the financial institutions in question.
Just connecting to the web can get you compromised. Estimates of the time to owned for an unpatched XP machine are as short as 4 minutes, that's without the user doing anything. Newer software may be better but there's no guarantee there are no similar holes. Actually I'll guarantee there are similar holes, although I won't guarantee anybody can find them :P .

You're also going to have to access a bunch of sites to update software, maybe Microsoft, Mozilla or Google, your BIOS vendor, your anti-virus vendor. I've seen paranoid lists with about 20 "must" dos. Accessing these safely is not trivial.

Finally some financial sites have been compromised. Citi was owned root and branch. Nobody knows what Citi's web servers were doing during that period. Were they serving up root kits? If they were it would compromise all your web sites not just Citi.

So in the end you end up with a dozen or two web sites inside your security perimeter. That's not that many fewer than my typical day,
jebmke
Posts: 25479
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Do you have or recommend a Financial Only PC?

Post by jebmke »

LadyGeek wrote:
jebmke wrote:Three zero cost solutions. (1) Bootable USB flash drive with a non-persistent Linux installation. (2) Dual boot your existing PC with another OS (Linux is free), (3) Install VirtualBox or another free VM software and run Linux in a VM.
(1) and (2): Booting Linux on a Windows PC containing a Windows OS on the hard drive is a huge security risk. Linux does NOT recognize Windows file permissions (NTFS); all files are OPEN to anyone with Linux. Whoever uses the boot disk has the full run of your hard drive.

Don't ever let a visitor dual-boot Linux on a Windows PC. Create a "guest" (restricted privileges) account for them instead.
If all you are doing is logging into Vanguard and the bank, there isn't any more risk than if you logged in from your host. The institution would have to be the bad actor which raises a whole lot of other problems.

I agree on the visitors. I don't allow visitors to use my computer. Most people have their own tablets anyway.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
dbCooperAir
Posts: 1107
Joined: Tue Jan 07, 2014 9:13 pm

Re: Do you have or recommend a Financial Only PC?

Post by dbCooperAir »

I have thought about this in the past but have not taken the steps to do so. With laptops so cheap these days I can't see how it would hurt. Maybe a 2015 year project, I'm scheduled for a Quicken update this year anyway.
Neither a wise man nor a brave man lies down on the tracks of history to wait for the train of the future to run over him. | -Dwight D. Eisenhower-
nisiprius
Advisory Board
Posts: 52219
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Do you have or recommend a Financial Only PC?

Post by nisiprius »

TheTimeLord wrote:...I think you are missing the point and there are 2 I can think of. The biggest I would assume is if the machine is never used to surf web sites and only used for financial transactions it would be unlikely to download the malware or be probed for the information needed for these hacks....
I don't know how you can perform financial transactions without connecting to the web. In pre-web days some banks and such had special-purpose applications that accessed them, but these days almost all the financial services companies I can think of use the web. It's sort of meaningless to say "I'm accessing the web but I'm not 'surfing' it." As long as you're accessing the web you're vulnerable to many possible security issues, such as "man-in-the-middle" attacks. Having a "financial-only" PC wouldn't have protected you against the heartbleed bug. If your financial websites use Flash (Vanguard does, I think--or used to) you are subject to Flash vulnerabilities. etc. etc. etc.

If your financial service institutions use email, then of course you are subject to whatever security problems email subjects you to, etc.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
patrick
Posts: 2594
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Do you have or recommend a Financial Only PC?

Post by patrick »

Epsilon Delta wrote:Just connecting to the web can get you compromised. Estimates of the time to owned for an unpatched XP machine are as short as 4 minutes, that's without the user doing anything. Newer software may be better but there's no guarantee there are no similar holes. Actually I'll guarantee there are similar holes, although I won't guarantee anybody can find them :P .
Newer operating systems firewall off everything by default so the badguys can't even get in to attempt the attack unless you do something like visiting a website they control or turning off the firewall. Newer in this case even includes Windows XP with SP2 (or SP3) -- and a new Windows XP computer you bought in 2005 would have had SP2 pre-installed! Furthermore, standard home routers also block incoming connections and therefore even a pre-SP2 Windows XP machine -- or for that matter a Windows 98 machine! -- couldn't be attacked just sitting there if it were behind the router.
Epsilon Delta wrote:You're also going to have to access a bunch of sites to update software, maybe Microsoft, Mozilla or Google, your BIOS vendor, your anti-virus vendor. I've seen paranoid lists with about 20 "must" dos. Accessing these safely is not trivial.
Windows, Firefox, Chrome, and most anti-virus software have built-in updaters that download updates automatically and don't require going to any web site to get the new version. Updating your BIOS probably isn't needed (it's not in the line of fire for typical attacks). I don't think being paranoid is helpful. Unless you are on a web site advertising hot stock tips or something and suddenly see a prompt asking if you want to run their software with administrator privileges. Then it helps to be paranoid and say NO, NO, NO, YOU WILL NEVER HAVE ADMINISTRATOR! NEVER!!!!!!!!!!!!
saltycaper
Posts: 2650
Joined: Thu Apr 24, 2014 8:47 pm
Location: The Tower

Re: Do you have or recommend a Financial Only PC?

Post by saltycaper »

Utilizing a dedicated computer for financial transactions protects you from only some security issues.

Malware can spread from other machines on your network. (Isolating your computers by turning off sharing capabilities can help. Segmenting networks is better but not always easy to do on consumer-grade hardware.)

Wireless routers can be vulnerable even with WPA security. (Utilizing a wired connection would be safer.)

Some of the measures mentioned in this thread are good recommendations, and they can reduce your vulnerability, but you cannot eliminate security risks, even on your own end.

VMs/bootable Linux may be the most secure methods, but for many people, that's a hassle if you access accounts with any regularity.

The best thing you can do is monitor your accounts for irregularities.
Quod vitae sectabor iter?
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Do you have or recommend a Financial Only PC?

Post by Epsilon Delta »

patrick wrote:
Epsilon Delta wrote:You're also going to have to access a bunch of sites to update software, maybe Microsoft, Mozilla or Google, your BIOS vendor, your anti-virus vendor. I've seen paranoid lists with about 20 "must" dos. Accessing these safely is not trivial.
Windows, Firefox, Chrome, and most anti-virus software have built-in updaters that download updates automatically and don't require going to any web site to get the new version.
The updaters use the web. Just because you don't type microsoft.com doesn't mean you're not visiting microsoft.com.
Put microsoft.com, windows.com and windowsupdate.com in your router's blacklist and you will not get Windows updates. At least that was the list in 2003.
patrick
Posts: 2594
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Do you have or recommend a Financial Only PC?

Post by patrick »

Epsilon Delta wrote:
patrick wrote:
Epsilon Delta wrote:You're also going to have to access a bunch of sites to update software, maybe Microsoft, Mozilla or Google, your BIOS vendor, your anti-virus vendor. I've seen paranoid lists with about 20 "must" dos. Accessing these safely is not trivial.
Windows, Firefox, Chrome, and most anti-virus software have built-in updaters that download updates automatically and don't require going to any web site to get the new version.
The updaters use the web. Just because you don't type microsoft.com doesn't mean you're not visiting microsoft.com.
Put microsoft.com, windows.com and windowsupdate.com in your router's blacklist and you will not get Windows updates. At least that was the list in 2003.
Surely it has to communicate over the network somehow. But it's not required to be done by going to the URL (or bookmark) from the updates web page in the web browser which downloads a bunch of markup that it has to render for you ... so I don't consider that as using the web. In any case you should not need to worry about a Flash exploit taking over your PC because you download Windows updates.