Using a dedicated machine is one approach to significantly improving the security of online operations. I'll examine the approach and alternatives.
I am wary of using online banking and brokerage services, but I would like to use them for the convenience. With basic notebook computers now costing $300 and less, I am thinking of getting one to be used solely for financial transactions. No emailing, browsing, Facebooking, etc. Ideally, I want it to connect only to a short list of financial websites and have no contact in or out with any others. What would be the best way to do this? What other safety measures should I use? After all, it is one thing to have an email account hacked, but my retirement account is something else again.
There are a number of approaches that you can take - getting a dedicated machine is certainly one.
There are a variety of thoughts on how best to do this. Most add at least a layer of inconvenience and some become downright impractical, at least to me.
Much, of course, depends on your own level of concern and realistic confidence in your own abilities.
This is the solution that I hear thrown about most often.
The approach is very, very simple: download a "live" Linux boot CD - I would recommend Ubuntu Linux as being very capable and popular. Then, simply reboot your existing machine from that CD. ("Live" refers to the fact that it is bootable, and boots into a working or "live" copy of the operating system without any install required.)
Once booted, you'll be running in Linux, not Windows; you'll find common tools, like the Firefox web browser, that you can then use to go online and do whatever you wish to do securely, without fear of Windows malware.
The appeal is simply this: it's not Windows and nothing is stored on your machine. While the live CD technically does have access to your hard drive, it's typically not mounted by default and not used at all by the running operating system.
So nothing that any potential malware might try to leave behind on your machine will stick - reboot and it's gone. Each time that you boot from the CD, you're starting with a completely clean slate.
While I do know of at least one person who operates this way, I personally find this exceptionally impractical.
Starting with a clean slate on each reboot means that you can save nothing - nothing at all - to your own computer. While that's kinda the point when it comes to malware, it also prevents even the simplest of operations of your own.
You can't even save a bookmark without resorting to additional online services. You can't save a PDF that you've downloaded without once again using some kind of additional online service, emailing it to yourself, or saving it to a USB thumbdrive.
To my way of thinking, pulling in additional services or using a USB drive defeats much of the purpose of having this sterile environment - it breaks the isolation.
And if you're going to do that, then there's a much more practical and usable approach.
A more practical approach, in my opinion, is a separate machine on which something other than Windows (i.e. Linux) is actually installed.
If you restrict your activity on this machine to only your high-security activities, such as your online banking needs, then you get most of the benefit of the live CD approach, while being able to save downloaded documents, bookmarks, and other customizations without needing to repeat them each time that you restart the system.
In fact, it's very reasonable to include file-sharing access to other machines on your local network so as to transfer documents to this secure system. You might even set up an email client so that you can act on email requests, click links, and/or use that as a way to transfer files without setting up machine-to-machine networking.
Purists will argue that each of these "convenience-enabling" actions reduces the absolute security of the solution ... and they're right. The live CD is in an absolute sense more secure.
The question boils down to this: is the amount of additional security you gain from using only a live CD worth the inconvenience? My take, naturally, is not. In fact, I'd predict that most folks who intend to use the live CD approach will soon abandon it. It takes a certain amount of rigor to stick with it. If you can, great.
But for the rest of us ... we're human, and I know I'm lazy. I'd rather walk over to the Linux machine that's all ready to go and with which I can easily transfer files as needed.
When I say "separate machine" above, I don't mean to imply that you need to go out and get another machine. You could, of course, but in reality, it could be any of these approaches:
OK, get a new machine. If all that you're going to put on it is Linux and all that you're going to do is online banking, it doesn't have to be particularly powerful or have a huge hard disk. It can be inexpensive. Just be sure to image the pre-installed copy of Windows so that you can use that on this machine should you want to someday.
Use that old machine. You may very well have an old machine lying around gathering dust somewhere that just isn't up to current versions of Windows. That's perfect. Ubuntu may work well, but if not, smaller-footprint versions of Linux, such as Puppy, are very reasonable alternatives for this kind of operation.
Use the same machine. Consider installing Linux alongside Windows in a dual-boot configuration. You can use only one at a time and will need to reboot to switch, but this requires no additional hardware, only disk space.
Use a virtual machine. Don't use a separate machine at all. Look into using virtual machine technology to run a copy of Linux within a window on your own machine. Virtual machine technology is pretty darned close to having a completely separate machine.
Even if you do use a dedicated machine or virtual machine, this is a bit of work. Just what kind of "improved security" does this get you?
It boils down to two things: a smaller "attack surface" and isolation.
Smaller Attack Surface - To put it into more practical terms, you're not using Windows. This isn't as much of a slam against Windows as it is a recognition that it's everywhere. Because it's everywhere, Windows-based vulnerabilities in both the OS and Windows applications are what most malware authors target. By not running Windows for these sensitive tasks, you've removed yourself from the sights of the vast majority of online threats.
Isolation - By running on a machine dedicated to these sensitive tasks and only these sensitive tasks, you're setting up a barrier. Any malware that might be present or arrive on your "normal" Windows machine won't transfer to or won't work on this isolated machine. And by strictly restricting your activity on the secure machine, you're taking additional steps to prevent malware from reaching it directly.
Those two seem like very simple concepts, but they each provide a significant level of additional security.
You still cannot let your guard down.
As Windows' own security has improved over time, malware authors are investigating other vehicles to cause problems.
Phishing is perhaps the most obvious, as it may not involve any malware at all - it's simply an attempt to fool you into divulging sensitive information to the wrong party. That can happen using any browser, any operating system and any machine.
Hackers are finding that popular technologies often have exploitable vulnerabilities. One example is Adobe Flash, which is available on almost all platforms. While most malware vectors through Flash are Windows-related, there's no reason to believe that this cross-platform technology couldn't also allow for cross-platform vulnerabilities.
Something else that is cross-platform is the set of browser and web technologies used. Vulnerabilities in Firefox, for example, could impact all platforms, and CSS and JavaScript issues are almost by definition cross-platform.
Bottom line: keep all the software up-to-date, including that live CD you might boot from.
I don't mean this to cause you to throw your hands up in the air in despair. I simply want to make it clear that there is no magic bullet. Doing your online banking in an isolated and different environment can definitely improve your overall security, but it does not and cannot provide absolute security.
Heck, even dumping the internet and doing all your banking in person or by mail can't even do that.
Me? I'll admit it: I don't do any of this.
I bank in Windows.
I follow all my other advice about keeping my machine secure. So far, that's worked well for me.
While I'll admit that I probably have an above average sense of what's safe and what's not to help guide me every day, I also ... well ...
I did say that I was lazy. 
Article C4876 - July 13, 2011
I use large capacity hard drives (160 gigabytes, and 500 gigabytes) with small bootable Linux partitions for secure data recovery. I've moved from 'Puppy' Linux to 'Mint'. It's not such a big jump for Windows users to make, when loading up Mint. Reasonably quick, and secure, I'd recommend it for on-line banking etc, as you can save Internet favourites, and other documents to the hard drive, as well as have full access to documents on the 'host' Windows machine.
Posted by: Duane Ferguson at July 20, 2011 6:03 AM
Excellent responses from Leo and subscribers. Good variety of answers to fit anyone's level of sophistication (or laziness). Strong PW's are the most basic and simplest. FYI: GRC provides a great PW generator https://www.grc.com/passwords.htm
Posted by: GREG JACKSON at July 20, 2011 10:03 AM
I keep a shortcut on my desktop, and immediately copy PW to an encrypted file. I usually do all security sensitive items in one brief session, then close up the encrypted file, then take a nap. zzzzz.
**with Leo's permission**
Posted by: GREG JACKSON at July 20, 2011 10:23 AM
Almost forgot. (somewhat off topic, but worthy of mention) On GRC's PW generator page, check out "Password Haystacks" link at the top. Find out why D0g is a stronger PW than PrXyc.N(n4k77#L!eVdAfp9. Yes, I was enlightened.
GibsonResearchCorp(GRC) is a great site for the security concerned. https://www.grc.com/default.htm
I just use my IPOD
Posted by: Linda at July 24, 2011 1:23 PM
Or, you could get a Google ChromeOS machine. The hardware verified boot makes it very difficult to defeat and, since it reboots in 8 seconds, you can reboot immediately before going to your bank site and be sure of a clean copy. The only risk is if someone gets inside your hardware and modifies the ROM verification chip, which is unlikely if it is a personal machine.
Posted by: John Yendt at July 29, 2011 6:12 AM