
Attempted login...from china?


  • #16
    Originally posted by Joe Gwinn
    I don't access financial sites by computer, as it's pretty easy to get hacked. (I do use credit cards over the internet, but I'm protected by US Federal Law here.)

    The big danger is mostly that one will click on the wrong URL and get infected with malware like a credential collector. When this happens, it does not matter how good the password is, it will be compromised.
    I don't bank online, my wife still writes checks.
    I look at places like this and the like.
    https://www.schwab.com/
    https://www.tdameritrade.com/home.page
    https://www.bnymellon.com/
    I launch a Private Secure browser when I access them.
    BTW, I don't use any of the ones I listed, I have others.
    You can call most of them, instead of access them online, If you have all day to wait on the phone prompts.
    Use a private secure browser, and when you close the private browser, it empties everything.
    Also you can setup your standard browser to empty the cache when you disconnect.
    I install daily security updates, and keep the AV Dat files Current.
    And, I don't use Windoz.
    I'm sure that is not secure enough for Joe, but it is for me!
    GL,
    T
    Last edited by big_teee; 02-22-2015, 12:46 PM.
    "If Hitler invaded Hell, I would make at least a favourable reference of the Devil in the House of Commons." Winston Churchill
    Terry



    • #17
      Originally posted by big_teee
      I don't bank online, my wife still writes checks.
      So do we. Not doing online banking greatly reduces the risk.

      Lots of my friends do this as well.

      Are these tied to your bank account? If yes, I'd create a throw-away bank account for that sole purpose, to limit the nuisance and damage if there is a breach.


      I launch a Private Secure browser when I access them.
      A private session is one for which no history is kept, so it's hard for people to figure out where you've been.

      This is not the same as a "sandbox", which would have the desired isolating effect, but I don't know the meaning of "Secure" above. What kind of browser are you using, by make and model?


      BTW, I don't use any of the ones I listed, I have others.
      You can call most of them, instead of access them online, If you have all day to wait on the phone prompts.
      One key is to always use the URL provided directly by the organization in question, and not to use the URL provided by the email or website that just popped up.


      Use a private secure browser, and when you close the private browser, it empties everything.
      Also you can setup your standard browser to empty the cache when you disconnect.
      This describes private session, and not a sandbox.


      I install daily security updates, and keep the AV Dat files Current.
      And, I don't use Windoz.
      I don't use Windoze either. What do you use? I'm on a Mac. Only common thing that's stronger is Linux.

      But it doesn't matter what OS and protection software you have if a skilled person (versus a robot) wants in - they will get in, and you'll never know till it's too late.

      The Great Bank Robbery: Carbanak Cybergang Steals $1 Billion from 100 Financial Institutions Worldwide | Kaspersky Lab US

      Kaspersky Lab Discovers Equation Group: The Crown Creator of Cyber-Espionage | Kaspersky Lab US


      I'm sure that is not secure enough for Joe, but it is for me!
      Well, I do know the common attack vectors and threat models. It's pretty easy to thwart the vast bulk of automated attacks, but sooner or later someone will get lucky, so one must also arrange things to limit the damage.



      • #18
        Most of a financial site security is in their server, and what level of security they use.
        I Use Linux Mint XFCE, Mint Mate, and Ubuntu XFCE, all based on Debian, and Ubuntu.
        I use ClamAV antivirus software on all, that is Ubuntu add-on software.
        I use Firefox with adblocker, and do not track, Firefox add-on software.
        Back to the password, I want a deep password on my financial sites, that can't be easily breached, when I'm not there.
        Most sites have a 5 attempts or less.
        Some have logins where you login, then use a cell phone in addition to the password.
        I don't have that, but have thought about it.
        With linux I've never had any malware, or AV issues since I've been using it, since about 2000.
        Please explain the sandbox, not familiar with that.
        T
        Last edited by big_teee; 02-22-2015, 04:05 PM.
        Terry



        • #19
          Of course the Bank itself can get hacked.



          • #20
            Originally posted by big_teee
            Most of a financial site security is in their server, and what level of security they use.
            True enough, but this protects the bank, not the customer.

            It's no defense against stolen credentials.


            I Use Linux Mint XFCE, Mint Mate, and Ubuntu XFCE, all based on Debian, and Ubuntu.
            I use ClamAV antivirus software on all, that is Ubuntu add-on software.
            I use Firefox with adblocker, and do not track, Firefox add-on software.
            All good. The adblocker will stop some adware and maybe malware.


            Back to the password, I want a deep password on my financial sites, that can't be easily breached, when I'm not there.
            Most sites have a 5 attempts or less.
            Complex passwords are not that helpful. Most breaches are due to a stolen password, not a cracked or guessed password.


            Some have logins where you login, then use a cell phone in addition to the password.
            I don't have that, but have thought about it.
            What really works is two-factor authentication, specifically a RSA Token: SecurID - Wikipedia, the free encyclopedia

            This is what is used where it matters. Perhaps the various financial institutions offer this option.


            With linux I've never had any malware, or AV issues since I've been using it, since about 2000.
            Yeah, Linux is essentially immune, mostly because the Win and Mac spaces are together 99% of the market, the bulk being Win, so nobody bothers with Linux.


            Please explain the sandbox, not familiar with that.
            It's a hardware partition with a virgin OS installed that one uses for surfing in bad neighborhoods. If the OS gets infected, no problem because the malware cannot escape the partition, and one can simply install a new virgin OS on top of the wreckage. Another term for this is "detonation chamber".

            Sandbox (computer security) - Wikipedia, the free encyclopedia
            Last edited by Joe Gwinn; 02-22-2015, 09:51 PM. Reason: Fix quoting.



            • #21
              And, I thought I was a paranoid computer user.
              There are limits to what a home user can do.
              I used Secure VPN, and a secure ID token when I worked for Lucent.
              Now I run a dual boot linux on one of my Laps, and a 5 linux boot on the other.
              If one gets corrupted, I can boot to another linux partition, or I can boot to a USB drive or live CD.
              That is about as complex as I'm gonna get in this stage of my existence.
              Have Fun, I do.
              T
              Terry



              • #22
                Originally posted by big_teee
                And, I thought I was a paranoid computer user.
                There are limits to what a home user can do.
                I used Secure VPN, and a secure ID token when I worked for Lucent.
                Now I run a dual boot linux on one of my Laps, and a 5 linux boot on the other.
                If one gets corrupted, I can boot to another linux partition, or I can boot to a USB drive or live CD.
                That is about as complex as I'm gonna get in this stage of my existence.
                All good.

                What makes home protection practical is that the hackers are running a business, and they cannot make any money on people like us if it takes any personal attention to penetrate our defenses. So, one deals with low-skill automated attacks first.

                In the security world, this is called a threat model: Threat model - Wikipedia, the free encyclopedia

                For the ordinary non-famous person, one can posit the following things about the threat:

                1. The objective is money, specifically net profit, so the low-hanging fruit gets the largest attention.

                2. The assailant is at least a thousand miles away, and attacks solely through the internet.

                The most profitable approach is to blindly infect as many computers as possible by some kind of automated system, look for financial-institution credentials, steal them, and sell them to people who will "monetize" them. Even if 0.1% of the automated attacks succeed, it's still wildly profitable, so don't bother with anything more complicated.

                So, the remedy to paranoia is business-case analysis, from the viewpoint of the attacker.


                Now if you are famous enough to be worth a directed, non-random attack, or a company with much technology to steal, much better defenses are needed.

                Google for "Chinese Hackers Suspected In Long-Term Nortel Breach" at the Wall Street Journal. (The direct path is probably behind a paywall.)

                Nortel hacked to pieces | Financial Post

                In such cases, paranoia is just good sense, as the old saying goes.



                And the next step up is when the assailants are intelligence agencies.
                Last edited by Joe Gwinn; 02-22-2015, 10:16 PM. Reason: typo



                • #23
                  I just got a spam PM on this forum, from Cortezthekiller: "Have you always wanted to become a singer? Many people dream of singing, but few take the steps required to learn.Look at my site." Hmmm.



                  • #24
                    Originally posted by DialtonePickups
                    I just got a spam PM on this forum, from Cortezthekiller:
                    That user has been dormant since 2010 so I suppose the account has been hacked.
                    At the bottom of the PM there is a triangle symbol, please click on it and report the post as spam. Also, if you click on the user name and view their profile, there is an "infractions" tab where you can give an infraction notice.
                    Originally posted by Enzo
                    I have a sign in my shop that says, "Never think up reasons not to check something."




                    • #25
                      Originally posted by DialtonePickups
                      I just got a spam PM on this forum, from Cortezthekiller: "Have you always wanted to become a singer? Many people dream of singing, but few take the steps required to learn.Look at my site." Hmmm.
                      Yep. Got the same thing.

                      Might as well just have a mod delete that account. (Or at least change the pass)
                      Start simple...then go deep!

                      "EL84's are the bitches of guitar amp design." Chuck H

                      "How could they know back in 1980-whatever that there'd come a time when it was easier to find the wreck of the Titanic than find another SAD1024?" -Mark Hammer



                      • #26
                        Originally posted by DialtonePickups
                        I just got a spam PM on this forum, from Cortezthekiller: "Have you always wanted to become a singer? Many people dream of singing, but few take the steps required to learn.Look at my site." Hmmm.
                        Hmm, I got an email note from MEF that ol' Cortez wanted to PM me but couldn't as my PM message count had reached its limit at 50. So I sent the ol' boy a PM after clearing some space. Just as well I didn't get the message. I'LL DO THE SINGIN' ROUND HERE just like Alfalfa, I don't need no stinkin' lessons. Oh well at least I learnt sumpin' - until today had no idea there was a PM # of messages limit.

                        Sorry Cortez, you've been hacked. No seven cities of gold for you. Not even one.
                        This isn't the future I signed up for.



                        • #27
                          Originally posted by DialtonePickups
                          I just got a spam PM on this forum, from Cortezthekiller: "Have you always wanted to become a singer? Many people dream of singing, but few take the steps required to learn.Look at my site." Hmmm.
                          Just got the same thing...deleted the PM.
                          =============================================

                          Keep Winding...Keep Playing!!!

                          Jim



                          • #28
                            Same here.

                            Oh well.
                            Juan Manuel Fahey
