What is the safest technical setup for online banking?
Comments
-
GeoffTF said: Zanderman said: A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
2
-
Rob5342 said: GeoffTF said: Zanderman said: A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
1
-
If I take the OP's query at face value re "safest setup" then I'd say:
1. a modern Linux w/ regular updates (but no rolling distro)
2. immutable install
3. on a LUKS-encrypted HD/SSD partition with a really strong password
I have such a system up and running (I can use the same Linux base as a mutable system via dual-booting) and it's been rock-solid. I trust this setup more than the apps on the phone (not because I think they're inherently less safe but because the phone is a lot more "mobile" than a home PC).
Alas, as many others have remarked, installing Linux, especially with the constraints I listed, is not for the fainthearted.
OTOH, someone on a Windows system could create something like this in a virtual machine (i.e. a VirtualBox VM). This is a much more forgiving environment than having to install a new system on bare metal and would offer almost the same security. In fact the immutable part would be trivial as a VM can be configured as such. And if the Windows installation is itself fully encrypted (as many are these days) then there's no need for a separate encryption for the Linux files.
0 -
Zanderman said: GeoffTF said: Zanderman said: A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
0 -
If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.
Does sandboxing stop adblocker extensions? I don't think it does.
From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert
Edit - we're getting way off topic now!
I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
1 -
booneruk said: If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.
Does sandboxing stop adblocker extensions? I don't think it does.
From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert
Edit - we're getting way off topic now!
I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
0 -
Monanore said: Those of us who avoid online banking may soon have no choice but to use it. Given the current threat landscape, what is the safest set-up?
I'd love to hear your ideas.
Threat landscape? CIA talk.
Simple, use a mobile that has the latest security updates.
Always have 2 x current accounts with different banks as a backup.
Don't give your passwords out. Have very complicated passwords. If you don't know them off-hand then not much chance of anyone else guessing.
Don't send money to strangers as the rest of the forum members and Martin have to pay the bill.
Don't answer your door (email, telephone etc) to strangers.
The threat has been the same since the first cave had a door fitted. That door was mainly to keep the heat in but they realised about 400 years later it's also pretty good for security.
Have more doors.
0 -
danco said: I am concerned about having two phone numbers if I follow the interesting advice about keeping one at home. It's not only banks that send 2FA codes by text messages. For instance, my NHS login requires a code, as does the regular security check on my email account. Some sites will allow more than one phone number but many won't.
Also, there is a cost in having a second phone number (in addition to the cost of the phone itself). One should pay for security, but I wonder what's the best way to go. Especially as some checks require sending a YES/NO message to a short number, and it seems many cheap providers don't allow that.
If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.
2 -
GeoffTF said: booneruk said: If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.
Does sandboxing stop adblocker extensions? I don't think it does.
From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert
Edit - we're getting way off topic now!
I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
Surely the point is, in reality, that people do install browser extensions, and do give permissions (not least as without those permissions the extensions often won't do what they're designed to do). It's what people do. Yes they have a choice, but they often make the wrong one, in security terms.
But there is no choice for banking apps. They are secure. You can't add things to them. So you don't - because you can't. So they are as secure as they were designed to be. Unlike a browser with extensions.
4 -
Zanderman said: GeoffTF said: booneruk said: If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.
Does sandboxing stop adblocker extensions? I don't think it does.
From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert
Edit - we're getting way off topic now!
I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
But there is no choice for banking apps. They are secure. You can't add things to them. So you don't - because you can't. So they are as secure as they were designed to be. Unlike a browser with extensions.
Yes people do. They also give their money to scammers. They click on links in text messages and emails, visit dodgy web sites. They use phones and computers that have not had any security updates for years. They load dodgy applications. They do not use a virus checker on Windows. They use one easily guessed password for everything, and write it on a piece of paper that they carry with their phone. They download remote desktops for scammers, and give their authentication codes to anyone. The list goes on. Nonetheless, there are more sensible people who want to know how to make it as difficult as they reasonably can for criminals to get into their important financial accounts.
Whether you use a browser or an app is mostly a red herring. If you have a separate device that you use as your only method of accessing your important financial accounts, and nothing else, and secure that device at home, you should be very safe. In that case, it does not matter too much whether you use a browser or an app. Even if your device is not secure, it is not likely to be compromised, because you are not doing any of the things that are likely to let malware in. You are also minimising the chance that a criminal will be able to force you to give him access. Technical security just adds another layer of defence.
I have a banking app on an old mobile phone that gets no security updates. I just use it for small in person transactions, and do not worry about it. I will not do that if I am dealing with £millions though. If a small mistake can lead to a large loss of money, I want good security, and everything on a big screen in front of me.
1