Setting up an investments only PC

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
User avatar
curly lambeau
Posts: 669
Joined: Wed Apr 25, 2007 10:42 am

Re: Setting up an investments only PC

Post by curly lambeau »

What is the purpose of using a whole PC for this, when you could simply use an encrypted bootable USB stick with Linux to get the same outcome?

Using a Live USB stick in no way requires writing to the hard drive. It doesn't even need to mount the hard drive.

For the sake of argument I'll grant that the project itself is reasonable, but I see no advantage to having an extra computer for it. If you don't mind the clutter or whatever, it makes no difference. But it seems to add nothing.
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Setting up an investments only PC

Post by Epsilon Delta »

curly lambeau wrote:What is the purpose of using a whole PC for this, when you could simply use an encrypted bootable USB stick with Linux to get the same outcome?

Using a Live USB stick in no way requires writing to the hard drive. It doesn't even need to mount the hard drive.

For the sake of argument I'll grant that the project itself is reasonable, but I see no advantage to having an extra computer for it. If you don't mind the clutter or whatever, it makes no difference. But it seems to add nothing.
There is a behavioral advantage to a separate PC. In theory, if you ever plug the USB device into an infected PC the USB can be infected. Among other things you need to be very careful to never insert the USB device into a powered up PC and to always remove the USB device when you are finished. In the days of floppy discs there was a similar problem, it only took a moments inattention for a "sterile" floppy to get a boot block virus.
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

Cosmo wrote: I also agree that this is overkill. Question for the OP; did you by any chance go out to eat and pay for the bill with a credit card? How about a shopping trip? Was any credit card pulled out for this? The fact is, despite all the potential cyber threats, you are far more likely to have compromises made to your accounts due to some of the low-tech crimes out there than some sophisticated organized effort over the Internet. And as others pointed out, it doesn't matter how strong of a barrier you put out there, it is only as strong as some of the bank's and institution's existing protective measures in place.

Cosmo
These questions have already been answered but I will reiterate my thoughts on them.

First, I think having my credit card compromised is much different than having my investment accounts drained. There are very good consumer protections for credit card fraud. The situation is much murkier for break-ins to investment accounts. If I can show that I went the extra step of using an investments-only PC, I think it makes my case for being reimbursed by an investment company much better.

We disagree about the safety of using the same computer for general internet access and investments. I think the probability of having a computer compromised even with good safety security practices has increased a great deal recently and is getting worse. Nowadays organized crime is behind the cracking attempts and they have huge resources and can afford to acquire the best technology money can buy to attack my computer.

Having a separate PC is not a draconian, costly effort. As has been mentioned on this thread, it can be as simple as setting aside an old computer for this purpose. I am using Linux because I think it gives me more security and I want to learn about it but much of the advantage comes from a separate computer.

Finally, if you think it is too much effort to do this, then why take the effort to read or comment on this thread?
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

dual wrote: First, I think having my credit card compromised is much different than having my investment accounts drained. There are very good consumer protections for credit card fraud. The situation is much murkier for break-ins to investment accounts. If I can show that I went the extra step of using an investments-only PC, I think it makes my case for being reimbursed by an investment company much better.
What are the odds that your investment accounts will be drained? If your account is drained, what makes you think you would or would not need to make a case to change the outcome?
We disagree about the safety of using the same computer for general internet access and investments. I think the probability of having a computer compromised even with good safety security practices has increased a great deal recently and is getting worse. Nowadays organized crime is behind the cracking attempts and they have huge resources and can afford to acquire the best technology money can buy to attack my computer.
I'm sorry but this sounds like fear mongering more than anything. As I said before, billions of dollars of transactions take place over the internet every single day. Once again, I recommend reading Beyond Fear by Bruce Schneier to give you a realistic idea of what we're dealing with here. It is extremely unlikely that your computer will get attacked and someone will drain your investment accounts. That being said, if a nation state or professionalized hacking group really wants to hack into your computer or accounts, they'd be successful regardless of your efforts. It really is a waste of your time to worry about something so minute as long as you are following basic security principals.
Having a separate PC is not a draconian, costly effort. As has been mentioned on this thread, it can be as simple as setting aside an old computer for this purpose. I am using Linux because I think it gives me more security and I want to learn about it but much of the advantage comes from a separate computer.
It's still a waste of your time. The effort does not match the risk. But if it helps you sleep at night then I can't argue with that.
Finally, if you think it is too much effort to do this, then why take the effort to read or comment on this thread?
Because the truth needs to be told. I respect the people who visit this forum and wish them the best. When I hear about unnecessary worry in a field that I specialize in, I feel that I have the responsibility to respond. Similar to the way when visitors post here when worried about market drops and everyone responds not to worry and continue investing according to their plan.
Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: Setting up an investments only PC

Post by Muchtolearn »

SPG8 wrote:As an aside, anyone know the frequency of such fraud?

How often are victims not reimbursed?

Are these measures being taken against things happening right now, or potential eventualities?

Thanks
I just had my credit card compromised. Figure it was a restaurant or a gas station. Chase picked it right up. Cancelled my card and sent me a new one that I got the next day. I still had my card so it must have gone through a skimmer.
Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: Setting up an investments only PC

Post by Muchtolearn »

curly lambeau wrote:What is the purpose of using a whole PC for this, when you could simply use an encrypted bootable USB stick with Linux to get the same outcome?

Using a Live USB stick in no way requires writing to the hard drive. It doesn't even need to mount the hard drive.

For the sake of argument I'll grant that the project itself is reasonable, but I see no advantage to having an extra computer for it. If you don't mind the clutter or whatever, it makes no difference. But it seems to add nothing.
Curly, I wanted to use a flash drive. But protect it with a password. It was such a big deal. Why can't you just add a password to access it. The software I saw was ridiculous. Maybe its better now?
Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: Setting up an investments only PC

Post by Muchtolearn »

Dont read me, this guy is going to do it regardless of what anybody says. I am not quite sure why he posted as his decision was set. I am not criticizing him although I too think it is excessive and of no value.
Mudpuppy
Posts: 6658
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

donttreadonme wrote:I'm sorry everyone, but this thread is beyond ridiculous. Worrying this much about online transactions is a waste of your time. Every day millions, if not billions of dollars in transactions are executed over the same HTTPS connection that you get when you log into Vanguard or any other secure website and you are presented with an SSL certificate. Anything you do in addition to verifying that SSL certificate will only marginally increase your security. If your credit card or banking info still gets compromised, just contact your financial institution and they will resolve the problem - most of the time with no skin off your back.

As others have said, on a personal level you should be more worried about carrying cash in your wallet or giving your credit card to the waiter at the restaurant. For anyone who is still worried about online financial activities, I suggest reading Beyond Fear by Bruce Schneier. http://www.amazon.com/Beyond-Fear-Think ... 0387026207

For what it's worth, I have a BS in Information Assurance. Also Security+ certification and Certified Ethical Hacker. I'm sure there are some other infosec guys on here too that also have some common sense.
Unless of course they use the stolen credentials to initiate a wire transfer to an offshore account before you realize that your machine has been compromised with a keylogger. Then all the degrees, credentials, and valid SSL certificates in the world is not going to get your money back....

Additionally, no law guarantees to make you whole when it comes to wire transfers, particularly if the bank can show that it was your compromised system that allowed the thieves to initiate the transfer in the first place. It's not all just credit and debit card fraud these days. Wire transfer fraud is the new "big bad" to keep an eye on due to the relative ease at moving money compared to credit and debit card fraud.

Personally, I'd much rather be "ridiculous" with a dedicated banking virtual machine, than broke due to malware getting on my system and the bank saying "well, if you read our terms and conditions, you would see that you're fully liable for all losses resulting from the compromise of your machine." If you're fine with that risk, that's your decision to make (assuming it is an informed decision). But stop ridiculing those that decide it's not an acceptable risk for them.

References:
http://krebsonsecurity.com/2011/11/ddos ... er-heists/
http://krebsonsecurity.com/2011/04/fbi- ... -to-china/
http://articles.sun-sentinel.com/2010-0 ... rdale-bank
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

Mudpuppy wrote: Personally, I'd much rather be "ridiculous" with a dedicated banking virtual machine, than broke due to malware getting on my system and the bank saying "well, if you read our terms and conditions, you would see that you're fully liable for all losses resulting from the compromise of your machine." If you're fine with that risk, that's your decision to make (assuming it is an informed decision). But stop ridiculing those that decide it's not an acceptable risk for them.
What's to stop your dedicated banking VM from being hacked? And if you are able to successfully completely secure your VM, why not secure your primary machine in the same way?
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:What's to stop your dedicated banking VM from being hacked? And if you are able to successfully completely secure your VM, why not secure your primary machine in the same way?
There are a handful of attack vectors that criminal enterprises use to attempt to take control of a victim's computer. The earliest and best known attack vector is the 'malicious email attachment'. Click on an email attachment specifically targeted at some well known vulnerability and you're instantly infected.

More recently, a second and more insidious attack approach has gained widespread use. This one starts with an attack on a well-trafficked commercial or non-profit website. The attacker first compromises an organization's webhost and installs their malware so that it silently gets served whenever anyone visits the compromised website. The user doesn't need to do anything other than visit the compromised website, which could be one that they've visited many times in the past without any problems. The compromised website may be a perfectly legitimate and widely known one, like Amnesty International.

Finally, there's yet another attack approach involving legitimate online ad networks that are in widespread use by most major news and information websites. Criminal enterprises create malicious javascript web ads and submit them to the major ad networks. Whenever the malicious ad is served up by any web host that happens to be using the compromised ad network, an end-user's machine can be infected. All of the major ad networks devote significant resources to combating this problem, but occasionally, malware ads manage to slip through the cracks.

The reason a dedicated PC approach reduces risk of infection is because the PC isn't used for day-to-day web browsing or to read email. It's only used to access investment accounts. As a result, there's zero chance that the PC can get a virus from an email attachment and the only way the PC could get a virus from loading a web page is if an investment company's website is hacked to serve up malware. This is much less likely than some random website like bogleheads.org getting compromised.

Jim
Last edited by magellan on Wed Mar 28, 2012 4:24 pm, edited 1 time in total.
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

magellan wrote: The reason a dedicated PC approach reduces risk of infection is because the PC isn't used for day-to-day web browsing or to read email. It's only used to access investment accounts. As a result, there's zero chance that the PC can get a virus from an email attachment and the only way the PC could get a virus from loading a web page is if an investment company's website is hacked to serve up malware. This is much less likely than some random website like bogleheads.org getting compromised.
An issue that arises here is that many financial institutions use email as an additional authentication method. There are attacks that only require one to open their email client to exploit the box.

As a side note, are the security conscious individuals on this forum also turning off all electronic statements and notifications?

The approach of using a dedicated purpose machine requires extreme discipline on the part of the user. How many bogleheaders check their financial accounts while currently browsing bogleheads.org in another tab? Cross site scripting anyone? Or I could just link to this article here about configuring a secure VM. A dedicated attacker will be successful 100% of time. While the techniques discussed in this thread do improve security, it is once again only marginally better than using antivirus, using strong passwords, and email/web browsing security awareness.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:A dedicated attacker will be successful 100% of time.
I know what you're trying to say, but IMO you've overstated it considerably. If that were true, every financial institution would have been hacked by now. What you probably meant to say was that a dedicated hacker with unlimited time and unlimited resources will be successful 100% of the time. However, the time needed may be hundreds of years and the resources required could be so high that only a select few governments could muster them. Mere mortal hackers in the private sector, even when bankrolled by large criminal enterprises as many are today, have success rates that are considerably lower than 100%, especially if we constrain the pool to folks that have up to date software and up to date antivirus software.
...than using antivirus, using strong passwords, and email/web browsing security awareness.
Also don't forget the most important defense, which is keeping your OS and key software up to date with the latest patches.

Jim
Last edited by magellan on Wed Mar 28, 2012 2:50 pm, edited 1 time in total.
KyleAAA
Posts: 8758
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Setting up an investments only PC

Post by KyleAAA »

magellan wrote:
donttreadonme wrote: If that were true, every financial institution would have been hacked by now.
I would actually be surprised if that weren't the case. Most large sites are hacked in some way daily. It may not be account numbers or anything like that, but I would be surprised if most financial institutions didn't have some kind of data leak out every day.
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

magellan wrote: I know what you're trying to say, but IMO you've overstated it considerably. If that were true, every financial institution would have been hacked by now. What you probably meant to say was that a dedicated hacker with unlimited time and unlimited resources will be successful 100% of the time. However, the time needed may be hundreds of years and the resources required could be so high that only a select few governments could muster them. Mere mortal hackers in the private sector, even when bankrolled by large criminal enterprises as many are today, have success rates that are considerably lower than 100%, especially if we constrain the pool to folks that have up to date software and up to date antivirus software.
I haven't I've overstated anything. Every organization must employ people....vulnerable people. You can have the most technically secure organization on the planet, but you can still be penetrated. A) One of my guys applies for a job with your company, passes the background check, polygraph, credit score, etc. and gets hired. We're in. B) One of your disgruntled employees pockets a $20 for some information. We're in. C) A curious intern finds a USB drive in the parking lot and plugs it into their computer to see what's on it with good intentions of locating the person who lost it. We're in.

It doesn't take a lot of time and resources to break in. You, as the defender, has to spend your time and resources trying to plug every hole in your system. The attacker only has to go straight to one you haven't plugged yet. In cyberwarfare the attacker will always have the advantage. Even the most secure nation will brought to it's knees by a nuclear bomb.
Also don't forget the most important defense, which is keeping your OS and key software up to date with the latest patches.
HA. No. The weakest link in your security system is the people within it - malicious or just plain incompetent insiders. Even the FBI and CIA have been compromised by spies. Even if you do have your OS and software patched I'll just use a zero day exploit against them.
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

KyleAAA wrote:
magellan wrote:
donttreadonme wrote: If that were true, every financial institution would have been hacked by now.
I would actually be surprised if that weren't the case. Most large sites are hacked in some way daily. It may not be account numbers or anything like that, but I would be surprised if most financial institutions didn't have some kind of data leak out every day.
+1

The issue is to define "hacked". A stupid attacker will get caught. The best will reside within your organization or within your systems and slowly siphon out information, cash, or anything of value. You can't prove a negative - an organization cannot prove that they haven't been hacked.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:You, as the defender, has to spend your time and resources trying to plug every hole in your system. The attacker only has to go straight to one you haven't plugged yet.
So instead of "a dedicated hacker will be successful 100% of the time" which is demonstrably untrue based on the fact that there are many unsuccessful dedicated hackers sitting in jail cells, you probably meant to say "every organization is vulnerable and has to get everything right all the time, while a hacker just needs to be dedicated and get lucky once."

Jim
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

magellan wrote:So instead of "a dedicated hacker will be successful 100% of the time" which is demonstrably untrue based on the fact that there are many unsuccessful dedicated hackers sitting in jail cells...
If they are sitting in jail, wouldn't that mean they *were* successful? And I said exactly what I meant to say. Speak for yourself.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:An issue that arises here is that many financial institutions use email as an additional authentication method.
This is an interesting point that perhaps deserves some discussion. Most sites only require email to activate an account or email address. I don't know of any financial sites that use email actively in the management of the account, aside from sending activity notifications. I can't remember any case where Vanguard requires me to use email to complete an action on my account.

Regardless, if this approach was used, it would be best to process any emails on a different computer from the investments only computer. Even if an activation or reactivation email requires a link to be clicked, it's fine to click the link in the activation email from an unsecure computer to perform the activation action. The key is to never enter your login credentials using the unsecured computer. I haven't seen a case where you have to provide credentials as part of an account or email activation process. Usually the activation link is encoded to include everything the website needs to activate the email address or account and the process doesn't require a separate login.

If there ever was a case where you needed to click on an email link to confirm an action, you'd have to open the email on the unsecured computer inspect the link, then somehow (carefully) copy the link over to the investments only computer. This would be a huge pain, but I don't know of any site that's designed in a way that would require this.

Also, if you ever have to access your account from an unsecured computer, even temporarily, it would be best to change the password from the secured investments only computer first, then use the unsecured computer, then change the password back (or to a new password) on the investments only computer. Hopefully this would be infrequent, otherwise it'd be a pretty big pain.

Jim
PennySaved
Posts: 115
Joined: Tue Mar 06, 2012 6:05 pm

Re: Setting up an investments only PC

Post by PennySaved »

I remember some years back when hackers were able to get into some TSP (fed govt 401k) investment accounts and take money out. A few TSP users computers (I think it was there not-well-protected home computers) got key loggers program installed on them and outsiders were able to access their TSP userids and passwords. Then the hackers did an electronic online request for TSP loan and had the loan proceeds direct deposited into a bank account. TSP covered the losses for those affected and then stopped allowing electronic online loan requests.
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

magellan wrote: I don't know of any financial sites that use email actively in the management of the account, aside from sending activity notifications. I can't remember any case where Vanguard requires me to use email to complete an action on my account.
My credit union sends me an email with a passcode every time I log in. This serves as a third identification credential. Most sites, including the financial sites I regularly access, use an email when you need to change your password. I think these days it would be rare not to do it that way.
Regardless, if this approach was used, it would be best to process any emails on a different computer from the investments only computer. Even if an activation or reactivation email requires a link to be clicked, it's fine to click the link in the activation email from an unsecure computer to perform the activation action. The key is to never enter your login credentials using the unsecured computer. I haven't seen a case where you have to provide credentials as part of an account or email activation process. Usually the activation link is encoded to include everything the website needs to activate the email address or account and the process doesn't require a separate login.
Yes, that would be best. But how many people are really going to switch computers when they're accessing a financial site and do something that causes that same site to send them an email? I think even most infosec professionals wouldn't be that paranoid.
If there ever was a case where you needed to click on an email link to confirm an action, you'd have to open the email on the unsecured computer inspect the link, then somehow (carefully) copy the link over to the investments only computer. This would be a huge pain, but I don't know of any site that's designed in a way that would require this.
You don't know of any site that would require you to click a long link to activate your account or change your password? I think nearly every site does this. The worst part is that link has the encoded information in it to connect you straight to the change password page for your account without asking any questions. The link is usually very long and encoded making it nearly impossible to transfer to your secure box to use. Also, if that entire process isn't implemented correctly, it can create a large hole in security.
Also, if you ever have to access your account from an unsecured computer, even temporarily, it would be best to change the password from the secured investments only computer first, then use the unsecured computer, then change the password back (or to a new password) on the investments only computer. Hopefully this would be infrequent, otherwise it'd be a pretty big pain.
I'm not sure it's necessary to change the password before accessing your account on the unsecure computer. Just change it to something different the next time you access it on the secure computer.

Anywho, I think we can both agree that security can be a real pain in the ass and there's a lot of things the user can do to open up vulnerabilities in the process.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

donttreadonme wrote:My credit union sends me an email with a passcode every time I log in.
That does add a complication. I think if I had an account like this and wanted to use the dedicated PC, I'd create a special gmail account just for investment accounts. I'd either use gmail or a client like thunderbird on the dedicated PC and I'd only access that one email account (never my general use email). Also, I'd enable email forwarding on the new gmail account so any other email sent to that account would get auto-forwarded to my main email account (that I presumably check more frequently than this 'investments only' account).
But how many people are really going to switch computers when they're accessing a financial site and do something that causes that same site to send them an email? I think even most infosec professionals wouldn't be that paranoid.
Agreed. But if you decided on a dedicated PC, you shouldn't enter credentials from a normal unsecured PC. So if the workflow from one of your financial institution requires frequent interaction using email, it's probably better to set up limited email on the investment computer. I don't have any accounts that work that way myself, so I've never considered this.
You don't know of any site that would require you to click a long link to activate your account or change your password?
I think I misstated that. I don't know of any site that requires you to click a long link AND enter your login credentials to complete the action. Usually you can just click the link. Then login from the secure PC. What I was trying to say was if you have to jump through some hoops with email on the other non-secured PC once in a great while, and you never have to enter your login credentials on that computer, it's probably workable. If you have to do that frequently, it'd be too much hassle.
Anywho, I think we can both agree that security can be a real pain in the ass and there's a lot of things the user can do to open up vulnerabilities in the process.
We do agree. As you said in an earlier post, security always comes down to a decision on a cost vs benefit tradeoff. That will ultimately be an individual and personal decision that no one else can make for us.

Jim
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

donttreadonme wrote: My credit union sends me an email with a passcode every time I log in. This serves as a third identification credential. Most sites, including the financial sites I regularly access, use an email when you need to change your password. I think these days it would be rare not to do it that way.
Your exaggerations are destroying your credibility.

I have accounts with four major banks, six major brokerages, four major credit unions and NONE of them require an email exchange when I log in to do transactions including transferring money between accounts. Every once in a while they want a verification, but these can be done by telephone. I do receive acknowledgement emails about transactions but these are sent after my use of their site and do not contain confidential information so they can be received on a non-secure computer.

Also, none of them require an email exchange when changing my password. They do send a notification email and most send snail-mail notifications of the change.

Just out of curiosity, what is the credit union?
donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Setting up an investments only PC

Post by donttreadonme »

dual wrote:Your exaggerations are destroying your credibility.
Let's leave the ad hominem attacks at the door.
I have accounts with four major banks, six major brokerages, four major credit unions and NONE of them require an email exchange when I log in to do transactions including transferring money between accounts. Also, none of them require an email exchange when changing my password.
Great, so that proves that no banks do this.
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Setting up an investments only PC

Post by Epsilon Delta »

Mudpuppy wrote:
Personally, I'd much rather be "ridiculous" with a dedicated banking virtual machine, ...
You don't want a dedicated banking virtual machine. You want a dedicated virtual machine for everything else.

Just as the OS trusts the hardware, a VM trusts the host OS. If the host OS is compromised any VM running under it is (at least theoretically) toast. So a banking VM does not help if you browse dodgy web sites using the host OS and catch a virus. However if you use a VM for browsing dodgy web sites any viruses are restricted to the VM and vanish when the VM is closed, so it is then safe to do banking with the host OS.
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

donttreadonme wrote:
Great, so that proves that no banks do this.
No, what it does show is that your claims that it is difficult to use an investments-only PC are greatly exaggerated. Every company that wants a verification for login that I have dealt with allows several methods in addition to an email including receiving a robo-telephone call with the verification code. So use the telephone call instead of the email when accessing from your investments-only PC.

If the company does not use a phone call then:
1. Access the account from your non-secure PC, which you advocate doing anyway; or
2. take your business to a company that uses another method for login verification.

See. It is not hard if you put your mind to it. :idea:
Mudpuppy
Posts: 6658
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

donttreadonme wrote:It doesn't take a lot of time and resources to break in. You, as the defender, has to spend your time and resources trying to plug every hole in your system. The attacker only has to go straight to one you haven't plugged yet.
To use another analogy, any thief with a bump key could break into your house. Does that mean you leave the doors unlocked and the windows open when you aren't at home? Does that mean everyone should?

Just because there are other vectors of attack that one might not foresee does not mean one should just throw up one's hands and do nothing. There is a level of vigilance one can take to minimize one's attack profile, much like locking one's doors and windows will protect against those without a bump key. It may not eliminate all vectors, but it greatly cuts down on them.

And just because someone chooses a higher level of vigilance than you do does not mean you need to attack or ridicule them. Everyone has their own risk tolerance, whether it be for their asset allocation or their PC security. People will choose differently than you do. If they want to take the time to set up a dedicated machine that exemplifies the Saltzer and Schroeder design principles, that is their decision and you should respect their right to make such a decision. Agree to disagree and just walk away.
Mudpuppy
Posts: 6658
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

magellan wrote:
donttreadonme wrote:My credit union sends me an email with a passcode every time I log in.
That does add a complication. I think if I had an account like this and wanted to use the dedicated PC, I'd create a special gmail account just for investment accounts. I'd either use gmail or a client like thunderbird on the dedicated PC and I'd only access that one email account (never my general use email). Also, I'd enable email forwarding on the new gmail account so any other email sent to that account would get auto-forwarded to my main email account (that I presumably check more frequently than this 'investments only' account).
An email passcode does not have to be read on the financial machine to be used. Every time Treasury Direct emails me a passcode, I read it on my one VM, write it down on a post-it and enter it on the financial VM. It doesn't matter if you write down a one-time passcode, since it's useless after that one time. Just a pen and a post-it solves this problem easily. No need to get complex by adding an email account to the financial PC.
Mudpuppy
Posts: 6658
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Setting up an investments only PC

Post by Mudpuppy »

Epsilon Delta wrote:
Mudpuppy wrote:
Personally, I'd much rather be "ridiculous" with a dedicated banking virtual machine, ...
You don't want a dedicated banking virtual machine. You want a dedicated virtual machine for everything else.

Just as the OS trusts the hardware, a VM trusts the host OS. If the host OS is compromised any VM running under it is (at least theoretically) toast. So a banking VM does not help if you browse dodgy web sites using the host OS and catch a virus. However if you use a VM for browsing dodgy web sites any viruses are restricted to the VM and vanish when the VM is closed, so it is then safe to do banking with the host OS.
I already covered this earlier in the thread (as well as on the Rock Center thread). I have a browsing VM, a shopping VM, a video streaming VM, and a banking VM. I also said the VMs are only as secure as the host OS is, so one can never do any dangerous activities on the host OS or the game is lost.

But that information is easy to get lost in the length of this thread, so thank you for bringing it up again.
clearwater
Posts: 131
Joined: Mon Jul 11, 2011 2:45 pm

Re: Setting up an investments only PC

Post by clearwater »

This seems like a waste of time. I say "seems like" since it's your time, not anyone else's, and you get to decide where to expend your energy.

You're confusing actual complexity with perceived security.

You're not really gaining much here, and by the sound of it, you're probably actually operating in a *less* secure environment than using a well-tested professional system. Either Windows 7 or Mac OS X will do everything you need, in a very secure manner, *if used properly*. Both OS's will automatically encrypt all your data, which is the single most important risk you have. (Listening to how new your are to the Unix world, my guess is the majority of senior sysadmins would penetrate your system fairly rapidly... you'd be better off with a commercial OS which purposely defaults to secure for you and assumes nothing on your behalf.)

You can run virtual machines if all you want is a "clean" OS each time, and they're very handy for that. So you can always start with a known state such as a new Win 7 installation. This does nothing to prevent the host OS from having its own vulnerabilities which might enable a layered attack, but unless you have substantial assets and are a real target, these worries are overblown.

All of the other things you are worrying about are not realistic concerns. Keyloggers make for great media stories, but these kinds of threats in the wild area are very atypical. I see maybe two of these a year and it's almost always a high profile target.

Remember that you can almost always (without too much difficulty) get your money back if an account was compromised and actions taken which were not actually done by you. This is a very specific issue of law, and there is a big difference in court between someone claiming "you made a trade" and proving -- without a doubt -- it was you sitting in front of the keyboard at the time.

If you're really worried about all of this, you can simply conduct all your trading for rebalancing and the like with a phone call. You don't need a PC to run an investment portfolio. The US Mail and a telephone will work fine, and until 10 years ago, that's how it was done for most people anyway. If someone intercepts your mail, you have a different problem, and then you have both federal law and a national level agency on your side (U.S. Postal Inspectors).

The number of attack vectors for getting access to personal information is pretty large, but the actual methodology often takes routes people don't expect, which is why I counsel clients not to go down rabbit holes with low cost-benefit. The single most important thing you can do is encrypt your data. You're more likely to encounter a direct physical attack then a keylogger; if someone really wants access to credentials badly enough it's trivial to find where you live and force you under threat of direct violence to disclose information -- at that point you've got TWO problems.

So there's nothing wrong with your exercise of wanting to build a more secure environment for conducting financial transactions, but you can just buy a laptop with Windows 7 or Mac OS X, keep full disk encryption turned on, practice safe password management techniques, and you'll be fine.

There are some rules we use to protect high value targets, but it involves a full threat analysis that goes far beyond personal computers. If you have *that kind* of risk, I'd recommend consulting a professional.
patrick
Posts: 1825
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Setting up an investments only PC

Post by patrick »

If you really want to get paranoid, consider these risks with the separate machine:

1. The machine used to download the Linux CD and burn the image could have been infected. If so, it could have added a keylogger to the CD you burned (and thus any machine you boot or install from that CD).

2. The machine now being used as "investments only" might have been infected previously. If the badguys had installed a hypervisor based rootkit in your BIOS then they could steal the passwords you type in no matter what OS you run from later.
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

clearwater wrote:This is a very specific issue of law, and there is a big difference in court between someone claiming "you made a trade" and proving -- without a doubt -- it was you sitting in front of the keyboard at the time.
I hesitate to try this again, but I can't understand why so many posters insist on repeating information that clearly seems to be incorrect. I've posted links to specific case histories and other information that I think shows it's not correct. I'm eager to see links to something specific that shows I've got this wrong and that there's nothing to worry about. But so far, we've had no takers.

Yes, if the account is a bank or credit card account there are specific consumer protections that apply. For investment accounts, which are the topic of this thread, there are no specific laws that protect consumers against fraudulent online activity. Absent a specific policy that states otherwise, if a non-bank financial institution reasonably believes transactions were initiated by their customer, they do not have to cover the loss. The institution DOES NOT have to prove that you actually did the transaction, only that it reasonably believed that you did it.

Here's a repost of the myriad cases where businesses lost money because their bank accounts were hacked and unauthorized transfers were done by third parties. In all of these cases, hackers compromised an authorized employee's computer with a virus and then initiated electronic transfers. In the vast majority of these cases, the firms lost their lawsuits and were left eating the loss themselves.
Note that in most of these cases the victim was NOT specifically targeted by the hackers. A computer used by a firm's employee was incidentally compromised with malware that was built off a standard exploit kit. The firm only became a specific target after the hacker got access to the employee's computer and bank account.

I'm not a lawyer and I could certainly be missing something here. I've posted lots of specific links to applicable laws and case history, and I've challenged anyone to link to something that shows that consumer investment accounts are not at risk in the same way that business bank accounts are at risk. So far no links, but I'm eager to learn if I'm wrong.

Jim
User avatar
Cosmo
Posts: 1254
Joined: Mon Mar 05, 2007 9:46 pm

Re: Setting up an investments only PC

Post by Cosmo »

dual wrote:
Finally, if you think it is too much effort to do this, then why take the effort to read or comment on this thread?
To your point, why does anyone take the effort to comment on this thread?
User avatar
magellan
Posts: 3483
Joined: Fri Mar 09, 2007 4:12 pm

Re: Setting up an investments only PC

Post by magellan »

Cosmo wrote:
dual wrote:Finally, if you think it is too much effort to do this, then why take the effort to read or comment on this thread?
To your point, why does anyone take the effort to comment on this thread?
It's a fair point, but the OP started this thread stating they already set up an investments only PC and were looking for tips to be sure they didn't miss anything. The OP didn't ask for opinions about whether it was a good idea or not. What's been happening on this thread is sort of like someone posting and saying that they just bought an investment property and are looking for criteria for choosing a good management company, then having a bunch of posters jump in to say it's ridiculous to buy investment property, you should just get a REIT.

Of course, people are entitled to voice their opinions, and it's fine to respectfully voice a dissenting view. But those opinions would be more helpful with some links to support them. Then we could all learn something. It's disheartening in this thread, and unusual on this forum, to see so much incorrect information and opinion that's unsupported, yet presented as fact. Maybe I'm guilty too, but I've tried to back up my main points with links and data. I don't see that coming from people with opposing views and IMO that makes for a less productive discussion.

Jim
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

patrick wrote:If you really want to get paranoid, consider these risks with the separate machine:

1. The machine used to download the Linux CD and burn the image could have been infected. If so, it could have added a keylogger to the CD you burned (and thus any machine you boot or install from that CD).
I am not an expert but I have never heard of this kind of a virus. They would have to infect the CD burner software I used, which was open source. Other than Linux, no other operating system that I know is distributed in this way (i.e. download ISO, burn a live CD, and install) so this seems a vanishingly small target for criminals. They would have to write a virus that infects each type of CD burner software to modify the installed ISO to include the keylogger for all accounts on the Linux system. Certainly possible but it seems very little return for their effort.

I did check the MD5sum of the ISO and it matched that given on the operating system site.
patrick wrote:2. The machine now being used as "investments only" might have been infected previously. If the badguys had installed a hypervisor based rootkit in your BIOS then they could steal the passwords you type in no matter what OS you run from later.
The computer was seldom used so I am willing to take the risk this did not happen. I did reformat the disk and then did a fresh install.

Nothing is perfect but I think these steps reduce the risk of these possible problems.
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

clearwater wrote: You're not really gaining much here, and by the sound of it, you're probably actually operating in a *less* secure environment than using a well-tested professional system. Either Windows 7 or Mac OS X will do everything you need, in a very secure manner, *if used properly*.
That is not what I have read. Both of these systems are much more widely used than my variant of Linux and therefore are larger targets.
clearwater wrote:Both OS's will automatically encrypt all your data, which is the single most important risk you have.
As I mentioned, I do encrypt the data on the investments only PC.
clearwater wrote:(Listening to how new your are to the Unix world, my guess is the majority of senior sysadmins would penetrate your system fairly rapidly... you'd be better off with a commercial OS which purposely defaults to secure for you and assumes nothing on your behalf.)
Gaining knowledge is the purpose of my post. I have followed the advice by people on this thread to increase security from external attacks. Otherwise, the "experienced sysadmin" would have to gain physical access to my system and then would still face multiple obstacles to accessing my information.
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Setting up an investments only PC

Post by Epsilon Delta »

dual wrote: I did check the MD5sum of the ISO and it matched that given on the operating system site.
Did you check the MD5sum of /usr/bin/md5sum? :twisted:
bb
Posts: 325
Joined: Wed Apr 25, 2007 10:04 pm

Re: Setting up an investments only PC

Post by bb »

I like the idea of a linux live boot. Always know that you are booting the same thing.
Protecting personal data? Don't store userids, passwords, account numbers on a hard
drive. How difficult - download iso - burn - use. Wow - how exhausting.
Trestles
Posts: 45
Joined: Fri Jul 20, 2007 3:08 pm
Contact:

Re: Setting up an investments only PC

Post by Trestles »

dual wrote:The purpose is to reduce the chances of my investment accounts being robbed by criminals using malware such as keyloggers and other trojans that get on my computer from my use of the computer for non-investment purposes.
Have you considered live booting from a CD/DVD? Knoppix linux is one such beast: http://www.knopper.net/knoppix/index-en.html

You can run this from any computer and do not need to save any data to disk. The computer cannot be broken into since it doesn't exist when it is not being used. Furthermore it is booted from a read only medium so it's virtually immune to viruses and key loggers.

Trestles
User avatar
Topic Author
dual
Posts: 701
Joined: Mon Feb 26, 2007 7:02 pm

Re: Setting up an investments only PC

Post by dual »

Have you considered live booting from a CD/DVD?
Yes, I did think about it. Here is a website that describes how to use Puppy Linux to create a portable, secure environment: http://www.ciphersbyritter.com/COMPSEC/ONLSECP5.HTM

Apparently Puppy Linux allows you to WRITE data to the liveCD/DVD so you do not have to store data on the computer hard drive, which as has been mentioned here is not secure.

One problem is that "out of the box," Puppy Linux has poor security. By default, you run as root with no password. But the website shows you how to harden the installation.

I played with this and found it sort of clumsy since accesses to the CD are quite slow. I had a spare computer so I decided to install Linux on it. But I think this is a viable option if you cannot spare a computer.

The website claims that writing to the DVD is quite unusual so it would present an even smaller target for criminals than alternate approaches. I am interested in the opinions of the Linux gurus on this approach.

BTW, see this thread about a new trojan found on MACs:
http://www.bogleheads.org/forum/viewtop ... st=1356012
User avatar
TheTimeLord
Posts: 8944
Joined: Fri Jul 26, 2013 2:05 pm

Re: Setting up an investments only PC

Post by TheTimeLord »

fareastwarriors wrote:Your PC might be super secured on your side but the other end might not be (Vanguard, banks, or others). But I guess it's good to be safe...
If Vanguard gets hacked then stolen funds are their liability, if I get hacked they may end up being mine. I think this maybe the difference.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
lazyday
Posts: 3799
Joined: Wed Mar 14, 2007 10:27 pm

Re: Setting up an investments only PC

Post by lazyday »

TTL, I wrote up a plan for a secure financial-only PC. Easy to use but long setup.

Everyone says it's too complicated. If you're interested: http://www.bogleheads.org/forum/viewtop ... 9#p2275271
Post Reply