Recently (or ... not so recently) I was asked by a family member what the best/most secure way to conduct online banking is. This is kind of a tricky question; there's no quick or easy answer. The more secure you want to be while managing finances (banking, credit card accounts, etc.), the more work you have to put into it. There's no "secure/insecure" state; it's more about balancing risk and convenience. I believe the biggest threat to accessing your financial accounts with your browser, at least the threat that you can do anything about, is the spread of malware designed to surreptitiously collect your bank credentials, or to actually conduct transactions against your account without your knowledge.
I'll list a few options and spell out the associated risk as I see it.
- Most secure: Don't do online banking or shop online. I guess this is obvious? But if you manage accounts or buy things online you're accepting some risk.
- Pretty secure: Use any of the widely available Linux live boot CDs out there to access your online accounts. You can further reduce the risk of hardware-based threats by having a purpose-built system for accessing online accounts - and ONLY online accounts. Home users who boot a live CD (link) (link) to access their accounts are pretty well protected, but business users should consider a purpose-built system for accessing online bank accounts (again - only online bank accounts, not email/browsing) with very strictly controlled physical access, because of the increased risk of hardware keystroke loggers being placed on the system. Business accounts in the U.S. don't have the same legal protections as personal accounts, so greater care should be taken to secure these accounts. There are plenty of examples of why you should exercise more caution when dealing with business accounts online: link
- Modestly secure: Use a custom user profile for online banking. Creating a user account specifically for online banking can be a fairly safe option, but only given a few conditions. Check the system regularly to make sure it is clean of viruses and malware. Make sure the banking profile is highly customized so that it can't/won't be inadvertently used to start browsing random web sites. Most importantly, ALL accounts used for normal access (web, email, etc.) on this system must be limited accounts. The risk of malware planting itself on a system and escalating from a limited user context to an administrative user context is pretty low if you are smart about your browsing. More on this later.
- Not so secure: Use a web browser that allows multiple profiles, and add a custom profile just for online banking. Having a unique profile just for banking can mitigate some threats, but it won't stop a lot of the malware that's loaded through phishing or other social engineering exploits; these will often run outside of the browser and will still be active regardless of which profile the browser is running.
There are some rules of the road for being safe online. The typical ones still apply: keep your A/V updated, scan your system once in a while, etc. I will say that the folks writing and deploying malware are ahead of the A/V vendors right now, so this isn't a silver bullet. Some other things apply:
- Keep your software updated. Windows patches, Adobe updates, Java updates, Flash updates, etc. Sometimes this can be a bit daunting; Secunia's PSI (link), which is free for personal use, can help.
- Don't use an admin account for everyday use. All of your general purpose accounts should run under a limited user context. I can't overstate how important this is; admin credentials should only be used for very specific tasks.
- Keep an eye on your financial transactions. Some banks will let you set up alerts, etc. for types of activity on your account. Check this out.
- Don't use debit cards. Debit cards are evil. Use a credit card for all of your online transactions, and pay it off monthly. If you can't wrap your head around that, at least set up an account specifically for use with a debit card and keep a low balance in it. Don't have it automatically draw from other accounts in an overdraft situation. But really - don't use debit cards. If you're a U.S. citizen you have some good protections against credit card fraud. These protections aren't as strong for debit card transactions, so if you do use a debit card you should know what your bank's policy is on disputed transactions and what the process is to dispute a transaction; it's tough to work this out when you've just discovered that your bank account has been emptied.
- Firefox + noscript + adblock plus = good. This is a major hassle to set up and adjust to, but once you do it's going to protect you pretty well.
- Add another layer to protect your browser - check out Sandboxie (link). Sandbox your browser, and make an individual sandboxed browser session just for doing your online banking.
- DO NOT REUSE PASSWORDS. Keep your passwords unique. There have been multiple examples of password reuse getting folks in trouble on social media sites (Gawker) - it isn't a huge leap to assume that credentials from a blog/social media site/etc. could be used to access an online bank account or an online commerce site such as Amazon. To help keep track of all those passwords, don't be afraid to use a password manager like LastPass or KeePass. If you're using an online service like LastPass you shouldn't keep your most sensitive accounts in there, and don't store the password for the email account you signed up for the service with in there either.
- Use passphrases. Don't worry a bunch about complexity - that's old school thinking. Use 15+ character passphrases. Anything else you read is wrong. I can't make it any more clear than this: XKCD
- Don't trust sites that mail you your password. Passwords should be salted (link) and stored as a hash value (link). If a site can mail you your password, it's stored in plain text. That's bad.
- Be wary of sites that limit your password length, or prevent you from using certain characters such as + = ` ", etc. A password hash can be generated from a password of any length using any of these characters. I do believe some limits may be used by sites to prevent attacks like SQL injection (link if you're really interested), so I won't say avoid these sites - but if it's a site that holds or processes sensitive information you may want to get more details about the security of the system before using it.
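To make the last two points concrete, here is an added example (it is not from the original post, and only uses the Python standard library) of how a site should store a password: a random per-user salt plus a slow hash, with the work factor an assumed value. It shows both why a properly run site has nothing it could mail back to you, and that the hash accepts a passphrase of any length containing characters like + = ` ".

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not from the original post): how a site should store a
# password so that there is nothing to mail back to the user. Only the
# Python standard library is used; the work factor is an assumed value.

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 rounds; assumed, tune for your hardware
SALT_BYTES = 16       # per-user random salt length


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage.

    The password is accepted at any length and with any characters because
    PBKDF2 consumes its UTF-8 bytes; the output is always 32 bytes. A fresh
    random salt per user means two users with the same password get
    different digests, so a leaked table cannot be attacked with a single
    precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    This is all the site can do with the stored record: check a guess. It
    cannot recover the original password from the salt and digest.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def stored_record(salt: bytes, digest: bytes) -> str:
    """What actually lands in the user table: hex salt and hex digest, no plaintext."""
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


if __name__ == "__main__":
    # Constructed passphrase: long, and containing characters some sites reject.
    passphrase = 'correct horse battery staple + = ` "'
    salt, digest = hash_password(passphrase)
    print(stored_record(salt, digest))
    print(verify_password(passphrase, salt, digest))        # True
    print(verify_password(passphrase + "x", salt, digest))  # False
```

Run it twice and the stored record differs each time because of the fresh salt, while verification still succeeds; a site that can email you your password is not doing anything like this.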
- Don't answer security questions with normal answers that show up in Google searches (mother's maiden name, etc.) or on any social networking site, or anything else that's easy for somebody to work out.
- NEVER click on links to banking, finance, email, or similar accounts in your email. Crafting an HTML email that looks dead on like what your bank would send you is pretty trivial. Even the sites you can be directed to can be pretty convincing.
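One reason these emails are convincing is that the link text can say one thing while the href goes somewhere else. As an added example that is not from the original post, the following code runs a simple check over a constructed message: it flags links whose visible text names a host different from the destination, and links whose destination is not a domain the bank actually uses. The bank name, the trusted domain list and the ".test" addresses are all constructed.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlparse

# Added example (not from the original post): flag links in an HTML email
# whose visible text names one host while the href points somewhere else,
# or whose destination is not a host the bank uses. The sample message and
# host names are constructed; ".test" is a reserved TLD.

SAMPLE_EMAIL = """
<p>Dear customer, there is a problem with your account. Please sign in at
<a href="http://examplebank.com.account-check.test/login">www.examplebank.com</a>
within 24 hours.</p>
<p>You can also visit <a href="https://www.examplebank.com/">www.examplebank.com</a>
or <a href="https://secure.examplebank.com/alerts">manage your alerts</a>.</p>
"""

TRUSTED_HOSTS = ("examplebank.com",)  # constructed: the bank's real domain

# Visible link text that itself looks like a URL or a bare host name.
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so multi-line anchors compare cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def hostname(value: str) -> str:
    """Lower-cased host of a URL, or of a bare 'www.example.com/...' string."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(host: str, trusted: Sequence[str]) -> bool:
    """True only if host is a trusted domain or a real subdomain of one,
    so 'examplebank.com.evil.test' is not trusted."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def suspicious_links(html: str, trusted: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Return (reason, visible_text, href) for each link worth a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = hostname(href)
        if _URLISH.match(text) and hostname(text) != target:
            findings.append(("display text does not match destination", text, href))
        elif not is_trusted(target, trusted):
            findings.append(("destination is not a trusted host", text, href))
    return findings


if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(f"{reason}: shown={text!r} href={href!r}")
```

On the constructed message only the first link is flagged: its text reads www.examplebank.com but its destination is a lookalike host that merely starts with the bank's name. The point of the subdomain check in is_trusted is exactly that: suffix matching on the real domain, never prefix matching. The same logic is what mail clients do when they show you the real destination on hover; the post's advice to type the bank's address yourself sidesteps the problem entirely.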
- If you get a call from your bank about some issue with your account, get a ticket number (if applicable) and call them back on a number listed on their web site.
- Don't access your accounts when connected to a public wifi service, untrusted network, etc.