Safe to bank from home computer?
January 15, 2011 4:13 PM Subscribe
Safe to bank from home computer?
I'm not a computer security maven (clearly). I know about https: pages and looking for the padlock, but wouldn't the weakest link be my own computer? I have free McAfee from my ISP which is cabled in (broadband?). My computer is running XP, version 2002, service pack 3.
Thanks for any help you can offer.
I'm not a computer security maven (clearly). I know about https: pages and looking for the padlock, but wouldn't the weakest link be my own computer? I have free McAfee from my ISP which is cabled in (broadband?). My computer is running XP, version 2002, service pack 3.
Thanks for any help you can offer.
Yes. Millions of people do this every day, and only a very tiny percentage of them fall prey to things like identify theft. When it does happen, it's usually due to some stupidity or ignorance on their part.
You sound like you're doing a fine job of being aware of the basics - check your urls, both for the correct site name and https. Keep your computer's antivirus up to date, and assume that most banking links you get via email are fishy, unless you explicitly signed up to receive them.
TL;DR: Relax. You'll be fine.
posted by chrisamiller at 4:16 PM on January 15, 2011 [2 favorites]
You sound like you're doing a fine job of being aware of the basics - check your urls, both for the correct site name and https. Keep your computer's antivirus up to date, and assume that most banking links you get via email are fishy, unless you explicitly signed up to receive them.
TL;DR: Relax. You'll be fine.
posted by chrisamiller at 4:16 PM on January 15, 2011 [2 favorites]
Best answer: I would be inclined to trust my home computer more than my work computer, and I wouldn't bank from a cybercafe unless it was an emergency and I was going to change my password from a known-secure PC shortly thereafter.
As long as you're up-to-date with patches, run up-to-date AV, and use a browser with a decent security record (not IE6), you're pretty safe. Not downloading random crap from dodgy websites helps, and you could look into NoScript or other browser security plugins if you wanted.
(If you really want to up the paranoid you could keep an old PC running something oddball like Linux for your banking.)
posted by rodgerd at 4:30 PM on January 15, 2011
As long as you're up-to-date with patches, run up-to-date AV, and use a browser with a decent security record (not IE6), you're pretty safe. Not downloading random crap from dodgy websites helps, and you could look into NoScript or other browser security plugins if you wanted.
(If you really want to up the paranoid you could keep an old PC running something oddball like Linux for your banking.)
posted by rodgerd at 4:30 PM on January 15, 2011
You are MUCH more likely to have credit card information stolen when you give your card to waiter in a restaurant than you are while doing online banking.
Also, to echo other responders: Tens of millions of people do online banking every day. You'll be fine.
posted by Kololo at 5:09 PM on January 15, 2011 [3 favorites]
Also, to echo other responders: Tens of millions of people do online banking every day. You'll be fine.
posted by Kololo at 5:09 PM on January 15, 2011 [3 favorites]
Download Knoppix and burn a CD with it.
Boot from the CD, your now running Linux.
Do your banking without going to any other websites.
You know you are banking with a clean machine.
Shut down and remove the CD, restart.
Your back to your regularly scheduled programing.
posted by Pecantree at 5:15 PM on January 15, 2011 [1 favorite]
Boot from the CD, your now running Linux.
Do your banking without going to any other websites.
You know you are banking with a clean machine.
Shut down and remove the CD, restart.
Your back to your regularly scheduled programing.
posted by Pecantree at 5:15 PM on January 15, 2011 [1 favorite]
If your are connected to the bank via https, you shouldn't have to worry about someone intercepting your information. The thing to be worried about would be malware on your computer logging your username and password and sending it along to a third party. I'd suggest ditching McAffee and installing Microsoft Security Essentials, a much more effective product.
posted by PhillC at 7:13 PM on January 15, 2011 [1 favorite]
posted by PhillC at 7:13 PM on January 15, 2011 [1 favorite]
Been banking from my home computer for a good decade now. Basic computer security is always in place and I've never had a problem and MAN it makes life easier - all bills paid on payday mornings while drinking my coffee.
posted by L'Estrange Fruit at 7:15 PM on January 15, 2011 [1 favorite]
posted by L'Estrange Fruit at 7:15 PM on January 15, 2011 [1 favorite]
In addition to the usual fire-wall, anti-virus, and keep windows up-to-date measures, there is one more thing I do. I keep the bulk of my $$$ in investment accounts (e.g., at Fidelity) that do not have permissions set up for electronic transfers to the outside, even to my own bank account; a paper check is the only way to do it. I can still log into the investment accounts (e.g., to shift $$$ between funds or to execute trades), but moving money out is impossible. This way if the bad guy gets all of my log-in credentials, he still can't send money from the investment accounts to the bank and then out the door to Latvia or Nigeria.
posted by Kevin S at 8:30 PM on January 15, 2011
posted by Kevin S at 8:30 PM on January 15, 2011
It's safe. Just be sure you always go directly to the site yourself. Meaning, never ever click on a link in an email to go to your bank's website.
If you get a link in an email, it's probably a phishing attempt. Clicking on the link will not send you to your bank's website, but to a lookalike site which will steal the username and password you type into it.
Every once in a while you might get a particularly successful phishing email which has you thinking, "Maybe this one's legit!" If you really can't resist logging into your bank account to check, close the email, type in the URL as you always do, and log in that way.
posted by ErikaB at 8:32 PM on January 15, 2011
If you get a link in an email, it's probably a phishing attempt. Clicking on the link will not send you to your bank's website, but to a lookalike site which will steal the username and password you type into it.
Every once in a while you might get a particularly successful phishing email which has you thinking, "Maybe this one's legit!" If you really can't resist logging into your bank account to check, close the email, type in the URL as you always do, and log in that way.
posted by ErikaB at 8:32 PM on January 15, 2011
I sometimes use the private websurfing mode on my browser. Also, I make sure to use a new browser window to visit my bank, and to close it right away after I've logged out from the bank.
posted by ZeusHumms at 8:34 PM on January 15, 2011
posted by ZeusHumms at 8:34 PM on January 15, 2011
Best answer: I don't mean for this to completely scare you off from online banking, but let me say that by using Windows XP you're already at a special disposition vulnerable to attacks. If your computer can support it, definitely get up to Windows 7.
That being said, here's a little more information as to *why* you should be concerned, and what you can do to secure down your current machine.
- Firstly, ditch Mcafee as soon as possible. Get it off your system. It's currently experiencing one of the worst detection rates in the industry...and their company is so large and bloated (along with their software) that they have been very slow to adapt to the emerging changes in the crimeware scene.
- Get the following programs installed on your PC. Security Essentials, Web of Trust, and Secunia PSI. Ensure that your Windows Automatic Updates are enabled and that you are installing them as they arrive.
- Get yourself off of administrator rights asap. Create another account in your system called "Trusted" or similar, grant that account administrator rights. Log in as your trusted account and remove administrator rights from your main account (make sure your main account is a User account and not Poweruser).
- Download and install Malwarebytes. Run an initial scan to make sure you're mostly clean. Also download GMER and keep it on your trusted account's desktop.
Ok, so now let's refresh and explain why all this was needed. Maliscious software known as "malware" is going to be your biggest threat on Windows XP, especially if you're running as an administrator. A particular subset of malware, called "crimeware" is going to be your biggest concern when it comes to online banking. You'll need to know when to spot information stealing crimeware, and understand that with Windows XP, you're the low hanging fruit that crimeware developers are targeting.
The most widespread banking trojans at the moment are Zeus (Zeusbot), Alureon (TDSS), and Torpig (mebroot). These trojans are in constant development, which means they are always looking for a way around your virus scanner and computer defenses. They can be unknowingly installed by following a simple mouseclick off of a Google/Yahoo/etc search result (see SEO exploits). So you need to be ready for their install tactics. One of the most commonly used attack vectors for malware is not surprisingly Adobe Reader. Having an old version of Reader on XP running as Administrator is akin to operating a lemonade stand in Darfur. If you need Reader, get it updated to X immediately. (Reader X introduces sandboxing, which tricks malware to attack non-existant system resources)
This is where Secunia PSI comes in, as it'll update a majority of high-risk 3rd party programs that are often used as attack points for Malware.
For SEO exploits, Web of Trust will be your friend. This handy IE plugin will be able to warn you ahead of time of links that are regarded as unsafe. WOT pulls a lot of its information from Malwaredomains.com as well, which in turn gives it a pretty quick turn around on identifying bad sites as they're found.
Now one last thing. Because there's so much money in crimeware, there's also a lot of money poured into its development. Treat crimeware as its own special breed of malware. It's sophisticated. It's stealthy. Many people will say they're machine is clean and never realize they have TDSS or Mebroot installed capturing their keystrokes. The reason for this is obviously, crimeware authors don't want you to know that they've compromised your privacy. They use a particular workaround to your system's defenses called a Rootkit. Finding rootkits is not easy, as many are VERY good at hiding their presense from the operating system (eg. They're able to hide their files, processes, and general activities). Using GMER as stated above, is an excellent start to see if you may have a rootkit. You may also see at this point why the Knoppix solution mentioned in a previous post might be a good way to go if you're unsure of your system's current state.
Just be sure to watch your finances as you do online banking. Take the necessary precautions. And be vigilant on keeping yourself informed on the threat trends in the crimeware industry. More than likely you're fine, but on an unsecured system, it doesn't take much for that to change. Best of luck!
posted by samsara at 7:28 AM on January 16, 2011 [3 favorites]
That being said, here's a little more information as to *why* you should be concerned, and what you can do to secure down your current machine.
- Firstly, ditch Mcafee as soon as possible. Get it off your system. It's currently experiencing one of the worst detection rates in the industry...and their company is so large and bloated (along with their software) that they have been very slow to adapt to the emerging changes in the crimeware scene.
- Get the following programs installed on your PC. Security Essentials, Web of Trust, and Secunia PSI. Ensure that your Windows Automatic Updates are enabled and that you are installing them as they arrive.
- Get yourself off of administrator rights asap. Create another account in your system called "Trusted" or similar, grant that account administrator rights. Log in as your trusted account and remove administrator rights from your main account (make sure your main account is a User account and not Poweruser).
- Download and install Malwarebytes. Run an initial scan to make sure you're mostly clean. Also download GMER and keep it on your trusted account's desktop.
Ok, so now let's refresh and explain why all this was needed. Maliscious software known as "malware" is going to be your biggest threat on Windows XP, especially if you're running as an administrator. A particular subset of malware, called "crimeware" is going to be your biggest concern when it comes to online banking. You'll need to know when to spot information stealing crimeware, and understand that with Windows XP, you're the low hanging fruit that crimeware developers are targeting.
The most widespread banking trojans at the moment are Zeus (Zeusbot), Alureon (TDSS), and Torpig (mebroot). These trojans are in constant development, which means they are always looking for a way around your virus scanner and computer defenses. They can be unknowingly installed by following a simple mouseclick off of a Google/Yahoo/etc search result (see SEO exploits). So you need to be ready for their install tactics. One of the most commonly used attack vectors for malware is not surprisingly Adobe Reader. Having an old version of Reader on XP running as Administrator is akin to operating a lemonade stand in Darfur. If you need Reader, get it updated to X immediately. (Reader X introduces sandboxing, which tricks malware to attack non-existant system resources)
This is where Secunia PSI comes in, as it'll update a majority of high-risk 3rd party programs that are often used as attack points for Malware.
For SEO exploits, Web of Trust will be your friend. This handy IE plugin will be able to warn you ahead of time of links that are regarded as unsafe. WOT pulls a lot of its information from Malwaredomains.com as well, which in turn gives it a pretty quick turn around on identifying bad sites as they're found.
Now one last thing. Because there's so much money in crimeware, there's also a lot of money poured into its development. Treat crimeware as its own special breed of malware. It's sophisticated. It's stealthy. Many people will say they're machine is clean and never realize they have TDSS or Mebroot installed capturing their keystrokes. The reason for this is obviously, crimeware authors don't want you to know that they've compromised your privacy. They use a particular workaround to your system's defenses called a Rootkit. Finding rootkits is not easy, as many are VERY good at hiding their presense from the operating system (eg. They're able to hide their files, processes, and general activities). Using GMER as stated above, is an excellent start to see if you may have a rootkit. You may also see at this point why the Knoppix solution mentioned in a previous post might be a good way to go if you're unsure of your system's current state.
Just be sure to watch your finances as you do online banking. Take the necessary precautions. And be vigilant on keeping yourself informed on the threat trends in the crimeware industry. More than likely you're fine, but on an unsecured system, it doesn't take much for that to change. Best of luck!
posted by samsara at 7:28 AM on January 16, 2011 [3 favorites]
Response by poster: Someone mentioned Linux. My asus runs linux, would that be better?
posted by Prairie at 8:36 AM on January 16, 2011
posted by Prairie at 8:36 AM on January 16, 2011
Linux is statistically safer as its more obscure (eg. security through obscurity) and is less of a target for crimeware at the moment. Linux is not immune to malware, but you're at a lower risk overall if you use it over Windows. Be sure to take the same precautions with Linux as you would with Windows. Install an anti-virus solution such as ClamAV.
Keep in mind "security through obscurity" has worked to the benefit of many products such as OSX, Firefox, Foxit, etc. The developers of these products claimed that they're safer to use than their respective counterparts: Windows, IE, and Adobe. What's happened in the case of those three examples however, is by being sucessful they've become more mainstream. And once a product becomes mainstream, hackers take notice. In the mind of the hacker, they will almost always go for the lowest hanging fruit with the widest audience. Like any piece of software, OSX, Firefox, and Foxit are in fact riddled with security flaws if left unpatched. The same will go for Linux. Patch regularly, and follow the same precautions others have mentioned above.
posted by samsara at 9:06 AM on January 16, 2011
Keep in mind "security through obscurity" has worked to the benefit of many products such as OSX, Firefox, Foxit, etc. The developers of these products claimed that they're safer to use than their respective counterparts: Windows, IE, and Adobe. What's happened in the case of those three examples however, is by being sucessful they've become more mainstream. And once a product becomes mainstream, hackers take notice. In the mind of the hacker, they will almost always go for the lowest hanging fruit with the widest audience. Like any piece of software, OSX, Firefox, and Foxit are in fact riddled with security flaws if left unpatched. The same will go for Linux. Patch regularly, and follow the same precautions others have mentioned above.
posted by samsara at 9:06 AM on January 16, 2011
This thread is closed to new comments.
posted by griphus at 4:15 PM on January 15, 2011