Best security setup for online banking?

[redlight]

Yes - see my other post in this thread.

Badly worded should have said used it.

The way I read it for some online transactions through the bank I will have to use the card reader.
This generates a random number which has to be validated before the transaction is authorised.
I have not been asked to use it yet so I do not which transactions its for.
Thats all good for extra security but what if I want to do a transaction when I am away from the house.
Its impractible to tote a card reader around with me so I might as well join the long queue at a branch.
Kind of defeats the object of online banking.

[DR]

I think you shouldn't use it if you are really that worried

[directhex]

That sounds very dubious, sounds like spyware to me (and well, it *is* korea). In most cases I'd trust online banking that stick to html form/ssl/ssi over elaborate authentication systems any day, the former tends to have less compatibility issues and security issues.

indeed.

they have their own cipher (SEED) instead of using SSL like the rest of us. the only implementation is an old activex control. http://en.wikipedia.org/wiki/SEED

plus, most of the activex controls you're forced to use sign themselves as random companies unrelated to the transaction, so koreans are self-trained to use IE6 and always click "yes" to activex dialogs. hurrah

[djfluff]

I think that is going a bit too far?
On screen keyboard is actually more dangerous because anyone outside your window will be able to see your password being typed in. It is as bad as being looked at when you type in your PIN at the cash machine. And why would you have a keylogger installed in the first place.

If you have people looking in your window as you work, maybee a curtain, or some kind of blind device might be a good security device ?
People generally dont have keyloggers installed, they are usually seripticiously put there. (there are 2 types hardware and software.)

[peterb]

Badly worded should have said used it.

The way I read it for some online transactions through the bank I will have to use the card reader.
This generates a random number which has to be validated before the transaction is authorised.
I have not been asked to use it yet so I do not which transactions its for.
Thats all good for extra security but what if I want to do a transaction when I am away from the house.
Its impractible to tote a card reader around with me so I might as well join the long queue at a branch.
Kind of defeats the object of online banking.

I have only used it to enable it on the site, I haven't used it for any transactions (I think setting up bill payments is one transaction you need it for - I don'yt know if actually makinbg a payment needs it. However, it is a pretty small unit, so it would fit into a pocket or briefcase. I think there is more info here
http://www.natwest.com/microsites/ge...asp?cmp=reader

[bydandie]

If you have people looking in your window as you work, maybee a curtain, or some kind of blind device might be a good security device ?
People generally dont have keyloggers installed, they are usually seripticiously put there. (there are 2 types hardware and software.)

Unfortunately the major driver behind cybercrime at present is financial, so without a good multilayer defence which most companies don't have, you can be infected by a keylogger before the AV catches up.

[bydandie]

it's slightly less mad than spending £230 on XP again (what with it being free), but generally speaking, outside the usual "there's less spyware etc" arguments, there'd be no benefit

a bigger question is over browsers - it can be particularly bad in some cases (e.g. in korea, all online banking by law needs to use a particular 32-bit msie activex control)

All the browsers are as bad as each other, the reality is you need to have a multi-layer defence against this.

[frimm]

Well to be honest I haven't had any problems with online banking in all the years I've been using (ok so I'm pushing me luck by saying that ).. Other than all the obvious (Firewall, Anti-virus) I've never done anything special either.

The only thing I would say is never ever disclose your passwords/pins to anyone, and NO bank with ever ask for these in full when logging in, as they all prefer to use randomly selected digits. Another one to remember (as I've known others to get caught out) If a bank ever calls you, they will never ask you for your pin/password in full, again it'll only be a few digits. If anyone calls you and asks for more than this, tell em to put their request in writing and send it snail mail.


frimm

[TheAnimus]

indeed.

they have their own cipher (SEED) instead of using SSL like the rest of us. the only implementation is an old activex control. http://en.wikipedia.org/wiki/SEED

plus, most of the activex controls you're forced to use sign themselves as random companies unrelated to the transaction, so koreans are self-trained to use IE6 and always click "yes" to activex dialogs. hurrah

Not too mention that any fool can easily 'shim' an active-x object. This makes making a password havister very very easy.

Retards.

If your really worried how about something like DSL (Damn Small Linux) on a USB stick, I used to have a few of these when i was doing some linux security toying.

But i'm more parinoid than the average bear, and i normally satisfy myself when using mates PCs after a quick netstat to make sure nothing has a socket open, and a proccess explorer look at the IE session for silly libraries loaded. Hardly 100% but far more than nescicerry. As it stands its far harder to harvest bank details by infection. Just use phishing. So thats what most do, even criminals only do things if its cost effective.

[MarcLister]

I'm with NatWest and I haven't got one of these number generator thingies.

I did have a module at Uni called Professional Issues. The two lecturers had semi-retired and only worked part-time. They had both worked together for pretty much their entire careers for Barclays. When we were talking about online banking they both said that they had read the T&Cs the banks get you to agree to for online banking and decided not to touch online banking with a bargepole.

As for security, just take the normal precautions, good antivirus/firewall. Spyware cleaners, up-to-date WindowsUpdates and good strong passwords on your accounts and online banking accounts.

[stockhausen]

Install Linux (free) in a separate partition and ALWAYS boot into that to do your on-line banking - NEVER, ever use it for anything else. Keep any personal details off-line on a couple of USB sticks.

[bydandie]

Install Linux (free) in a separate partition and ALWAYS boot into that to do your on-line banking - NEVER, ever use it for anything else. Keep any personal details off-line on a couple of USB sticks.

A bit over the top, and Linux is still subject to a multitude of vulnerabilities (It is a urban myth that it is more secure than Windows - open souirce has just as much vulnerabilities although they are generally patched quicker).

The person in the original request is not computer literate, and at some stage they will do their online banking from their windows partition for convenience.

Security is a delicate balance between control and functionality, get it wrong and you have something that people won't use or try to circumvent.

If you were to take it to that degree, I'd rather use a U3 drive running Firefox U3 with Avast U3 edition.

The fact remains that having an IPS like the one in KIS7 will help, but a multilayer approach is required.

[chrestomanci]

I know im probably just jumping on the linux is more secure band wagon but would there be any advantages? Or is there not much difference?

A potential advantage would be that you can use a bootable CD such as Knoppix. Once you have downloaded the CD image from a trusted source & burnt it, you can be sure that no extra software (root kits etc) can be installed on it, so every time you boot from it you know that you are getting an absolutely clean install.

You will still be able to save stuff like statements to a USB key or the like if you want to, and you could also put a bookmark to the banking site on the USB key to save having to type it in each time.

When you are done, you shut-down and eject the CD and USB key, and nothing is stored on your PC where any viruses or root kits might read it.

[bydandie]

A potential advantage would be that you can use a bootable CD such as Knoppix. Once you have downloaded the CD image from a trusted source & burnt it, you can be sure that no extra software (root kits etc) can be installed on it, so every time you boot from it you know that you are getting an absolutely clean install.

You will still be able to save stuff like statements to a USB key or the like if you want to, and you could also put a bookmark to the banking site on the USB key to save having to type it in each time.

When you are done, you shut-down and eject the CD and USB key, and nothing is stored on your PC where any viruses or root kits might read it.

The only issue the the lack of patching available on a live CD.

[peterb]

A potential advantage would be that you can use a bootable CD such as Knoppix. Once you have downloaded the CD image from a trusted source & burnt it, you can be sure that no extra software (root kits etc) can be installed on it, so every time you boot from it you know that you are getting an absolutely clean install.

You will still be able to save stuff like statements to a USB key or the like if you want to, and you could also put a bookmark to the banking site on the USB key to save having to type it in each time.

When you are done, you shut-down and eject the CD and USB key, and nothing is stored on your PC where any viruses or root kits might read it.

All this (and the other advice in the thread) is good, but at the expense of convenience of use.

At the end of the day it comes down to a risk assessment. What is that chance of you being targeted for your finacial information. How risky do you assess onlinne banking to be? How much is that risk worth taking against the convenience of using the service, as opposed to physically going to your bank branch? In the end it is a trade off between convenience and risk reduction.

In practice taking using the encryption techniques enforced by you browser and taking normal safe computing precautions (Not using an account with admin priviliges for everyday computing tasks, shutting down the browser after use, not opening suspicious e mails, using an up to date AV product, and ensuring that the OS system is kept up to date with security releases etc etc) will be sufficient. Once the data is on the computer, the management of privacy is up to you, using some form of protected filestore, such as a protected directory or off line in a memory stick.