Helping people with computers... one answer at a time.
Using a dedicated machine is one approach to significantly improving the security of online operations. I'll examine the approach and alternatives.
I am wary of using online banking and brokerage services, but I would like to use them for the convenience. With basic notebook computers now costing $300 and less, I am thinking of getting one to be used solely for financial transactions. No emailing, browsing, Facebooking, etc. Ideally, I want it to connect only to a short list of financial websites and have no contact in or out with any others. What would be the best way to do this? What other safety measures should I use? After all, it is one thing to have an email account hacked, but my retirement account is something else again.
There are a number of approaches that you can take - getting a dedicated machine is certainly one.
There are a variety of thoughts on how best to do this. Most add at least a layer of inconvenience and some become downright impractical, at least to me.
Much, of course, depends on your own level of concern and realistic confidence in your own abilities.
This is the solution that I hear thrown about most often.
The approach is very, very simple: download a "live" Linux boot CD - I would recommend Ubuntu Linux as being very capable and popular. Then, simply reboot your existing machine from that CD. ("Live" refers to the fact that it is bootable, and boots into a working or "live" copy of the operating system without any install required.)
Once booted, you'll be running in Linux, not Windows; you'll find common tools, like the Firefox web browser, that you can then use to go online and do whatever you wish to do securely, without fear of Windows malware.
The appeal is simply this: it's not Windows and nothing is stored on your machine. While the live CD technically does have access to your hard drive, it's typically not mounted by default and not used at all by the running operating system.
So nothing that any potential malware might try to leave behind on your machine will stick - reboot and it's gone. Each time that you boot from the CD, you're starting with a completely clean slate.
While I do know of at least one person who operates this way, I personally find this exceptionally impractical.
Starting with a clean slate on each reboot means that you can save nothing - nothing at all - to your own computer. While that's kinda the point when it comes to malware, it also prevents even the simplest of operations of your own.
You can't even save a bookmark without resorting to additional online services. You can't save a PDF that you've downloaded without once again using some kind of additional online service, emailing it to yourself, or saving it to a USB thumbdrive.
To my way of thinking, pulling in additional services or using a USB drive defeats much of the purpose of having this sterile environment - it breaks the isolation.
And if you're going to do that, then there's a much more practical and usable approach.
A more practical approach, in my opinion, is a separate machine on which something other than Windows (i.e. Linux) is actually installed.
If you restrict your activity on this machine to only your high-security activities, such as your online banking needs, then you get most of the benefit of the live CD approach, while being able to save downloaded documents, bookmarks, and other customizations without needing to repeat them each time that you restart the system.
In fact, it's very reasonable to include file-sharing access to other machines on your local network so as to transfer documents to this secure system. You might even set up an email client so that you can act on email requests, click links, and/or use that as a way to transfer files without setting up machine-to-machine networking.
Purists will argue that each of these "convenience-enabling" actions reduces the absolute security of the solution ... and they're right. The live CD is in an absolute sense more secure.
The question boils down to this: is the amount of additional security you gain from using only a live CD worth the inconvenience? My take, naturally, is not. In fact, I'd predict that most folks who intend to use the live CD approach will soon abandon it. It takes a certain amount of rigor to stick with it. If you can, great.
But for the rest of us ... we're human, and I know I'm lazy. I'd rather walk over to the Linux machine that's all ready to go and with which I can easily transfer files as needed.
When I say "separate machine" above, I don't mean to imply that you need to go out and get another machine. You could, of course, but in reality, it could be any of these approaches:
OK, get a new machine. If all that you're going to put on it is Linux and all that you're going to do is online banking, it doesn't have to be particularly powerful or have a huge hard disk. It can be inexpensive. Just be sure to image the pre-installed copy of Windows so that you can use that on this machine should you want to someday.
Use that old machine. You may very well have an old machine lying around gathering dust somewhere that just isn't up to current versions of Windows. That's perfect. Ubuntu may work well, but if not, smaller foot-print versions of Linux, such as Puppy, are very reasonable alternatives for this kind of operation.
Use the same machine. Consider installing Linux along side Windows in a dual-boot configuration. You can use only one at a time and will need to reboot to switch, but this requires no additional hardware, only disk space.
Use a virtual machine. Don't use a separate machine at all. Look into using virtual machine technology to run a copy of Linux within a window on your own machine. Virtual machine technology is pretty darned close to having a completely separate machine.
Even if you do use a dedicated machine or virtual machine, this is a bit of work. Just what kind of "improved security" does this get you?
It boils down to two things: a smaller "attack surface" and isolation.
Smaller Attack Surface - To put it into more practical terms, you're not using Windows. This isn't as much of a slam against Windows as it is a recognition that it's everywhere. Because it's everywhere, Windows-based vulnerabilities in both the OS and Windows applications are what most malware authors target. By not running Windows for these sensitive tasks, you've removed yourself from sights of the vast majority of online threats.
Isolation - By running on a machine dedicated to these sensitive tasks and only these sensitive tasks, you're setting up a barrier. Any malware that might be present or arrive on your "normal" Windows machine won't transfer to or won't work on this isolated machine. And by strictly restricting your activity on the secure machine, you're taking additional steps to prevent malware from reaching it directly.
Those two seem like very simple concepts, but they each provide a significant level of additional security.
You still cannot let your guard down.
As Window's own security has improved over time, malware authors are investigating other vehicles to cause problems.
Phishing is perhaps the most obvious, as it may not involve any malware at all - it's simply an attempt to fool you into divulging sensitive information to the wrong party. That can happen using any browser, any operating system and any machine.
Hackers are finding that popular technologies often have exploitable vulnerabilities. One example is as Adobe Flash, which is available on almost all platforms. While most malware vectors through Flash are Windows-related, there's no reason to believe that this cross-platform technology might not also allow for cross-platform vulnerabilities.
Bottom line: keep all the software up-to-date, including that live CD you might boot from.
I don't mean this to cause you to throw your hands up in the air in despair. I simply want to make it clear that there is no magic bullet. Doing your online banking in an isolated and different environment can definitely improve your overall security, but it does not and cannot provide absolute security.
Heck, even dumping the internet and doing all your banking in person or by mail can't even do that.
Me? I'll admit it: I don't do any of this.
I bank in Windows.
I follow all my other advice about keeping my machine secure. So far, that's worked well for me.
While I'll admit that I probably have an above average sense of what's safe and what's not to help guide me every day, I also ... well ...
I did say that I was lazy.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.