What is the safest technical setup for online banking ?


Comments

  • GeoffTF
    GeoffTF Posts: 1,829 Forumite
    edited 28 November 2024 at 1:11PM
    Monanore said:
    Those of us who avoid online banking may soon have no choice but to use it.  Given the current threat landscape, what is the safest set-up ?  So far here's what I think :
    PC, definitely not smartphone.
    Dedicated PC - no other uses or apps, no deviating from established urls, no links of course.
    Not Windows.  But, Apple or Linux ??  With or without AV ?
    VPN - is it safe to entrust money traffic to a 3rd party ?
    What sort of protection for PC to router signal ?
    I'd love to hear your ideas.
    A mobile away from home is clearly more at risk than a dedicated PC securely locked away at home, particularly if it does not have security updates.
    Linux should be fine without AV, which does not do much on Linux anyway. You could use an immutable version of Linux, which should be the ultimate in security. (No practical computer system is completely secure though.)
    I would not bother with VPN.
    You do not have to worry about the PC to router signal, which will be encrypted for banking transactions anyway. You do not need to install a firewall on your PC. The router's firewall should suffice, but make sure that you have a router with good security.
  • jbrassy said:
    The latest version of iOS (18) on iPhone allows you to restrict access to apps unless you use Face ID. So if someone stole my phone, they would be unable to access my emails unless they somehow had my face. Same is true of my banking apps.

    Again, as other people have said, having strong unique passwords is key. Using a password manager like 1Password helps in this regard. Having 2FA is also worth doing.

    OP's suggested setup is over the top and paranoid. It's far more secure to receive bank statements electronically through an online banking portal than receiving them on paper through the post.

    My only grumble with the iOS implementation is that yes, Face ID (or touch) is the same for all apps (I only have one face after all) but so is the backup pass code. It's the same as the backup passcode to the homescreen as well. I'd much rather one passcode for phone access then another passcode to access the next level down at app level. 
  • friolento
    friolento Posts: 2,173 Forumite
    1. Know what to do if your phone is stolen. Device tracker from your laptop and factory reset perhaps? Always have it locked, ideally biometric lock
    2. Don't keep using old passwords that got leaked in those LinkedIn etc. hacks
    3. Don't use the same password for everything. Especially phone and email should be very different from your banking 
    4. Enable 2FA on everything 
    5. Regularly check for unexpected devices logged into your Gmail, Facebook etc
    6. Don't fall for social engineering scams 
    7. Really don't do the one above 

    People attempt to hack my email accounts every hour without success. 

    A6_T3Gicsspaob!M01

    Your passwords should look more like the one above (it's actually easy to remember, just ask me) than

    Manc!ty123
    I would add: put a personal PIN on your SIM card. Not just for banking but for proper security of your mobile. Not sure why they don't make this mandatory, or at least encourage people to do so.
  • Ergates
    Ergates Posts: 2,913 Forumite
    edited 28 November 2024 at 1:48PM
    Monanore said:
    Thanks everyone, all very interesting and helpful.
    @Zanderman @Ergates -  I'd always assumed that a phone was less secure, could you help me understand why I'm wrong ?
    The main reason is that it is harder to install things that don't come from the appropriate "store"  (Apple, or Play depending on the OS).  Apps on the stores are vetted.  This means it is hard to accidentally install malware on your phone.

    You can do it, but you have to really go out of your way to do so.   It is also possible for external actors to hack a phone, but we're talking GCHQ level of capability - not some random fraudster.

    The biometric security (fingerprint, face) that is used in most modern phones also offers a better level of protection than *most* people use to log in to their PC.

    The obvious downside is that it's a lot easier to lose your phone (or have it stolen).  Which is inconvenient, but if you've used a biometric lock isn't too much of a security issue.   Unless they've also stolen your thumb or face.  And if they've done that then I suggest you have bigger things to worry about.


  • booneruk
    booneruk Posts: 658 Forumite
    edited 28 November 2024 at 1:49PM
    Monanore said:
    Those of us who avoid online banking may soon have no choice but to use it.  Given the current threat landscape, what is the safest set-up ?  So far here's what I think :
    PC, definitely not smartphone.
    Dedicated PC - no other uses or apps, no deviating from established urls, no links of course.
    Not Windows.  But, Apple or Linux ??  With or without AV ?
    VPN - is it safe to entrust money traffic to a 3rd party ?
    What sort of protection for PC to router signal ?
    I'd love to hear your ideas.
    Have a modern phone that's running a supported version of its OS. Run the latest version of your banking app, make sure your phone is secured via a decent pin number and use biometrics in order to stop shoulder surfers spying your pin entry. The end.
  • Emily_Joy
    Emily_Joy Posts: 1,467 Forumite
    edited 28 November 2024 at 3:05PM
    Ergates said:
    Monanore said:
    Thanks everyone, all very interesting and helpful.
    @Zanderman @Ergates -  I'd always assumed that a phone was less secure, could you help me understand why I'm wrong ?
    The main reason is that it is harder to install things that don't come from the appropriate "store"  (Apple, or Play depending on the OS).  Apps on the stores are vetted.  This means it is hard to accidentally install malware on your phone.

    What?! All my mobile phones have apps from untrusted/non-store sources installed. Really not a problem. Furthermore, the phone screen always has enough fingerprints to copy to bypass biometrics.
    To anyone who is as paranoid as OP I would recommend Linux + up-to-date Firefox with private mode, make sure that no passwords are stored, history is wiped every time the browser is closed, NoScript and AdBlock Ultimate are installed. That would suffice.
  • friolento
    friolento Posts: 2,173 Forumite
    Emily_Joy said:
    What?! All my mobile phones have apps from untrusted/non-store sources installed. Really not a problem. 
    That would be your decision, and should not be a recommendation to anyone, and specifically not to people who are just casual users of technology.

  • Rob5342
    Rob5342 Posts: 2,291 Forumite
    Monanore said:

    VPN - is it safe to entrust money traffic to a 3rd party ?

    You do not need a VPN. Anyone that claims you do is selling snake oil.  I could explain why you don't, but the explanation would need to be very technical.


    I think it's fairly simple to explain. A VPN just provides a secure "pipe" to some other place on the internet where your traffic all pops out and carries on as it would have done anyway. The same data will be travelling over the internet to your bank, just from a different place where it is relayed from/to you.   
  • born_again
    born_again Posts: 19,528 Forumite
    GeoffTF said:
    A mobile away from home is clearly more at risk than a dedicated PC securely locked away at home, particularly if it does not have security updates.
    Why is it?
    Excluding using public WiFi.

    You're using a mobile signal which is exactly the same no matter where you are.

    VPN. Who's to say that the supplier is not filtering info.
    Life in the slow lane
  • Ergates
    Ergates Posts: 2,913 Forumite
    edited 28 November 2024 at 3:46PM
    Emily_Joy said:
    Ergates said:
    Monanore said:
    Thanks everyone, all very interesting and helpful.
    @Zanderman @Ergates -  I'd always assumed that a phone was less secure, could you help me understand why I'm wrong ?
    The main reason is that it is harder to install things that don't come from the appropriate "store"  (Apple, or Play depending on the OS).  Apps on the stores are vetted.  This means it is hard to accidentally install malware on your phone.

    What?! All my mobile phones have apps from untrusted/non-store sources installed. Really not a problem. Furthermore, the phone screen always has enough fingerprints to copy to bypass biometrics.
    To anyone who is as paranoid as OP I would recommend Linux + up-to-date Firefox with private mode, make sure that no passwords are stored, history is wiped every time the browser is closed, NoScript and AdBlock Ultimate are installed. That would suffice.
    I specifically said it was possible - but you have to go out of your way to do it.  It's very easy *not* to unknowingly install apps from untrusted sources.   If you choose to do so that's on you.

    And do you honestly think that your average street thief who snatches someone's phone has the capability to replicate your fingerprint from the screen then use that to bypass security?   Has Ethan Hunt fallen on hard times?