Reader Shares Personal Financial Security Protocols

Reader and security researcher Nweaver has blogged the precautions he takes when managing his personal finances, from credit cards to debit to his brokerage account.

Credit cards: Very laissez-faire, because you’re using the bank’s money
Debit cards: Only uses at his bank’s ATMs because, while there’s protections, until a fraudulent transaction gets fixed, you’re responsible for the funds
Online banking: Reboots computer using Linux “Live” CD, thus ensuring his laptop is free of potentially malignant programs. The only thing he does is access his account, then he reboots.

Pretty good policies, but if you swipe a debit card as a credit card, doesn’t it have the same protections? You’re not entering your PIN. The way he handles his online account is interesting, too. Another method that we’ve heard is to actually have a totally separate computer that all you ever use it for is online banking. — BEN POPKEN

Personal Financial Security Protocols [Nicholas Weaver's Random Thoughts]
(Photo: Getty)

Comments

Edit Your Comment

  1. Fuzz says:

    Another option is a virtual machine. You can run them off your USB drive. Totally sandboxed, and you don’t need to reboot.

  2. Saeculorum says:

    A debit card is not covered under the Fair Credit Billing Act, even if it is swiped as a credit card. As such, there are none of the legally mandated protections that credit cards have.

    Yes, your bank might offer to extend those protections anyway, but if your money is temporarily gone from your account due to fraud, your checks will still start to bounce.

  3. tentimesodds says:

    Ben, if you use your debit card all over the place, it at least brings up the possibility that the number will be stolen. Especially at restaurants. If this happens on a debit card, you’re SOL until it gets resolved. Credit card, different story.

  4. stopNgoBeau says:

    Ditto Saeculorum’s post. Your bank may offer full fraud protection, but the money that was fraudulently taken is still missing from your account until you get it taken care of. With a credit card, your available limit just dips a bit, but you don’t owe anything.

    Also, I have contested three different fraudulent charges on my Capital One Bank debit card, and each one was reversed, against me, because they claimed they didn’t get the requested documents from me, even though I faxed or emailed them in each time. In all cases, the fax number on the form I had to fill out was either unknown by the person I was speaking to on the phone (thats the fax number listed on the form? I’ve never heard of that extension), or they just never received it.

  5. nweaver says:

    Notice I said my ATM card is ATM only, and NEVER used outside bank branches. I refuse to use a “check” card. I think I need to make it clearer why I do this.

  6. endless says:

    I actually just setup a mac system for this exact purpose, online purchases and banking will from now on, be done on it.

  7. nweaver says:

    endless: I have a Mac. I still reboot into knoppix (you can do this if you have bootcamp installed on an x86 mac).

    Online purchases? Well, those use a credit card, so I don’t care (much), I happily let Amazon save my credit card number, etc etc etc.

  8. nweaver says:

    Endless: I have a mac. I use a mac. I don’t trust Apple’s security enough, so I boot my Knoppix CD in my x86 Mac Mini…

    AS for online shopping, as long as you use a credit card, who cares? Feel free to use your Windows box, and don’t even worry if it is 0wned (too much). Credit card fraud online has the same impact as credit card fraud from TJ Max: it costs the card company and the merchants, but not you.

  9. samurailynn says:

    I use a mac for all my web browsing, including online banking. No problems that I know of with malignant software installing itself on here.

  10. gundark says:

    Nweaver: I trust it enough to bet you cant cite even one example of anyone having a “potentially malignant program” cause problems with anyone’s online banking on a Mac.

  11. endless says:

    nweaver:

    Ive used unsecured PCs for years, this mac should be many steps ahead of that. Especially considering the mac will be on a light load as the majority of my surfing will still be done on the PC.

  12. nweaver says:

    THe mac’s strength is primarily from “minority platform” effects, with a secondary strength from a bit better isolation model/better legacy (the Unix legacy rather than the DOS legacy). There have been tons of nasty holes on Mac systems, which the attackers simply haven’t bothered attacking. As Apple’s market and mindshare increases, this “protection” could easily vanish.

    I look at the number of reported 0-days in Safari for Windows, and go “all those bugs probably also exist in the Mac version”, and as a result I don’t have faith in the overall Mac system. Also looking at the number of “security” updates on Apple’s updater.

    It is better than Windows, and I feel very comfortable using a Mac for day to day activities.

    But at the cost of a serious breach of my financial accounts? No.

  13. anatak says:

    @stopNgoBeau:
    Thats what you get for banking with Capitol One. I’ve never had an issue getting fraudulent charges reversed, its never taken more than 5 minutes, and I’ve never ever had to email or fax anything in just so that they can pull the old “we never got it” stunt.

    Whats in your wallet? Cash, sucker!

  14. lemur says:

    @Fuzz: A virtual machine is the next best thing to rebooting to an OS stored on trusted media but it is not as good.

    For instance, if you run Linux in a virtual machine in Windows and there’s a keylogger on the Windows host, you’re screwed. It is true the keylogger would not be able to do a targeted logging but it could record everything and let the evil guy sort it out later.

    (What I mean by targeted logging is a method that takes advantage of context to separate interesting input from uninteresting stuff. For instance, a keylogger that would attach to your browser could easily find out which fields are used for logging in and could record only what is entered in those fields.)

  15. sporesdeezeez says:

    Way up at the top, Fuzz mentioned virtual machines. This is a good point and should not be overlooked.

    While I’m not sure if they offer a version for Macs, VMWare does offer their free VMPlayer for other platforms – I’ve personally used it for Windows and Linux (Ubuntu). It’s pretty simple, and the virtual machine is self-contained and awkward to hack. The steps from their website say it all:

    1. Download VMware Player.
    2. Try the pre-built Browser Appliance virtual machine, configured for secure internet browsing.
    3. Visit Virtual Appliances at VMTN to download other free, pre-configured virtual machines from industry-leading ISV partners, open source partners and the VMware community.

  16. MeOhMy says:

    @nweaver:

    Notice I said my ATM card is ATM only, and NEVER used outside bank branches. I refuse to use a “check” card. I think I need to make it clearer why I do this.

    Me too! I specifically requested a non-“check card” when I switched bank accounts. Apparently some banks are actually charging EXTRA for this.

    The check card hits your bank account directly. Sure, a PIN isn’t the most secure thing in the world, but it’s a lot better than the nothing that a check card has.

  17. virgilstar says:

    Seriously, unless you’re clicking links in phishing e-mails, and surfing for pron, then I really fail to see what the risk is. If you have a windows PC, all the relevant updates, running the latest version of Firefox, running a good antivirus (CA) plus spybot S&D every week, emptying the browser cache every session, not storing any forms information, and only typing in addresses to the browser, not following links or even using bookmarks, then I just cannot see what the risk is. I also run MSConfig every week or so, to check for startup/background tasks, and I know the registry on my PC inside-out, so can spot anny unwanted keys.

    @nweaver – “I happily let Amazon store my credit card details”. Experience should tell you that a LARGE number of identity theft issues come from a screw-up at a company’s site, where a hard disk with X-bajillion numbers is stolen (Google “ABN-AMRO security” if you want more details on a classic example). No matter what my personal security measures are, I for one will NEVER let any company store my card details, just for the convenience of one-click shopping.

    The exception is PayPal, but I got the key-chain widget and absolutely refuse to “verify” my account by giving them my bank account number in addition to my card details. I just deal with the inconvenience of not having a “verified” account. I’m not an eBay seller so it’s not a big deal.

  18. virgilstar says:

    On the topic of keyloggers – only if you’re stupid enough to actually enter personal information (SSNs, card #s) IN THE CORRECT ORDER does this become a risk. I make a habit of using the keyboard and mouse in combination, to enter the card # in a random order.

    e.g. if the card is 12345678 then I would enter 3456, then click on the left to enter 12, then click on the right to enter 78. That way, any key-logger would get the numbers, but they would be in randomized order and therefore useless.

  19. kenclunk says:

    Another option is to stay at home and keep cash in a locked safe hidden in a secret spot under your matress. Then have security come when you are going to get the $10.00 out for a movie that night.

    Seriously, rebooting your computer, or having a second computer just to access online banking???

    I realize that there are some things that should be cautioned but I refuse to live in fear that some one will take over all of my accounts.

    I’ll save all of my energy by not worring and have more energy to deal with it when it happens.

  20. sporesdeezeez says:

    @sporesdeezeez: Good point about the keylogger. I agree, if the host machine is seriously compromised, you will not avoid that problem with a VM.

    That said, I think we could agree that if you start with a clean, firewalled OS for the host machine, any assorted malware you come across while browsing in the VM will be very unlikely to cross into the host. That means that you have to use the VM for all browsing, not just the banking. You may want a separate high-security browsing VM to use as distinct from the everyday browsing VM.

    For now this is a good trick that will foil most of the black hats out there. Eventually, if this catches on, I am sure that hackers will learn how to get past the virtual machine. There are already white hats who have devised a VM “blue pill” attack that promises to be quite devious if it’s ever implemented.

  21. nweaver says:

    On VMs: VMs are good for your risky websurfing, but they aren’t good for your risk-free banking, because if the host is compromised, the VM is compromised. There are also attacks on the VM infrastructure, but this forces the attacker to do 2x the work, which is often a “why bother” for now.

    On keyloggers: Keyloggers are a SERIOUS problem. The City of Compton, CA, almost lost $400,000 to a keylogger-based attack, and did lose $50,000 I think. This isn’t just theoretical, its what attackers are really trying to do, and as they get smarter, will become even more critical targets.

    And virgilstar: the identity theft risk from the credit card is low. It doesn’t get SS# (so you can’t create NEW accounts), and if the thief uses the card #, I don’t care, as see #1: until I write the check, it is not my money.

  22. jeff303 says:

    @nweaver:

    No, the Mac’s strength is the architecture. Mom and pop don’t run as root all the time (like on Windows). The user must enter a password to make “root level” changes to the system. The only flaw that comes to mind is Safari opens downloaded dmgs by default (this can be turned off).

  23. nweaver says:

    Jeff303: Windows theoretically has the same thing with Vista, they just didn’t tune it as well (“You are coming to a sad realization, cancel or allow”).

    And 0wning the user can almost be as good as 0wning root on a single user machine anwyay. You can do NASTY things in userspace when running as the user.

    For day to day use, Mac, yeah, no problem. I love my mac. But when my life savings are at stake, the Mac is not secure enough for my tastes.

  24. FLConsumer says:

    @samurailynn: There’s plenty of malware and security holes out there for Macs. You just don’t hear about them because they’re not going to affect the majority of people. There are also fewer attempts to exploit these because the payoff is so low. Why bother spending all of your time & effort on something that’ll only affect 5% of the computers out there when you can spend that same time and energy attacking 90% of the computers out there?

    I “live dangerously” — I happily surf with a PC, running a nice custom version of Winblows XP, using Firefox as a browser. I don’t visit pr0n, wArEz, HaXOrZ, nor “Free Giveaway!!!!!!” websites, have an enterprise-grade firewall and matching router protecting all of my TCP/IP devices at my home (important when even your light switches and air conditioning understands TCP/IP) and don’t have any of the problems others experience.

  25. endless says:

    yeah jeff, I am agreeing with weaver here. there have been and will be plenty of exploits for OSX. It at best is marginially more secure than windows for technical reasons.

    the only real advantage it has is that it has a small user base and is therefore not a good target.

  26. Alan Thomas says:

    As an infosecurity analyst with a major financial institution, I *have* encountered evidence of Trojan software on a Mac.

    That experience notwithstanding, I have a good deal of confidence in the Mac, but I also have high hopes for Vista (unless dimwits disable UAC on their systems).

    The majority of people who end up infected with banking Trojans are grossly negligent (not using up-to-date antivirus or neglecting to update their computers).

    The bottom line is: You can do everything right, and still get screwed. As malware evolves, traditional antivirus will be increasingly ineffective against it.