Time to ditch Windows for online banking and shopping [UPDATED]

Time to ditch Windows for online banking and shopping [UPDATED]

Summary: It's time to ditch Windows for online banking and shopping.There, I've said it.

SHARE:

It's time to ditch Windows for online banking and shopping.

There, I've said it.

Last week, FBI Director Robert Mueller told an audience in San Francisco how he nearly fell for a bank phishing email. As a result of this Mueller now doesn't do any banking on line.

Then Washington Post "Security Fix" columnist Brian Krebs advises businesses not to carry out online banking on Windows-based machines and to use a Linux-based LiveCD.

I'm going one step further, and suggest that no one use Windows for either banking or online shopping. Period.

So, am I saying this to be controversial? No. Am I attacking Windows or Microsoft? Am I trying to start a flame war? No.

So why am I saying this? Simply because I believe that the risk of using Windows outweighs the convenience. Sure, the overall risk of financial loss to a consumer is small given that federal law limits the consumer's liability to $50, but having you bank details or credit card information compromised is a huge time-consuming hassle that people can do without.

It couldn't be simpler.

  • Download a Linux ISO (my favorite is Ubuntu but there are loads of others to choose from).
  • Burn the ISO to CD (I recommend ImgBurn).
  • Pop the CD into your drive and boot up from the CD when you want to bank or shop ... take a couple of minutes and it's 100% safe since nothing can write to the CD).

This way not only are you protected from malware ands Windows-based vulnerabilities, you also protect yourself from phishing attacks by not using the Live CD for anything other than banking and shopping (no email, no Facebook/MySpace ...). You boot into the Live CD, do what you want to do, and close the OS when you're done.

Simple. Safe. Effective.

Note: I recommend that you burn a new CD every six months or so just to keep you on top of new releases and updates.

What about passwords? Simple! Grab yourself a USB flash drive and a copy of an app such as TrueCrypt and encrypt a text file containing your passwords (if you want you can create an encrypted partition on the USB key to store more data if you want).

Think this is too much hassle? I thought it would be, but I've been doing this for a few days now and it's quick and simple and offers a great deal of peace-of-mind.

[UPDATE: Time to respond to some of the TalkBalk chatter:

  • Why not spend the time making Windows more secure? I don't want to get caught up in the whole Windows vs. mac vs. Linux thing but this statement is ridiculous. Make Windows more secure than a read-only that you only use for critical stuff? Seriously ...
  • This doesn't protect against phishing ... Well, if you separate email and browsing from banking, then it does ... a lot of readers seemed to have missed that. also, while the FBI director talked about phishing, his isn't the only threat facing online banking users. One thing that using a LiveCD for banking does is create a policy ... so if you ONLY visit your bank via the LiveCD OS, you're putting in place a policy that says you DON'T visit your bank via email links. Security is, after all, 90% good practice.
  • Microsoft Security Essentials will protect us ... There's no phishing protection in MSE.
  • IE8 has a better phishing filter than Firefox .... As tested by nsslabs, IE8's phishing filter had an 83% catch rate compared to Firefox's 80%. If you're willing to split hairs over a few percentage points but ignore the fact that the best phishing filter misses almost 1 in 5 phish attempts then your priorities are wrong.
  • It's a dumb waste of time ... Each to his or her own I guess ... but I'm sure that many look at passwords in the same way. If some people were left to their devices they'd not have passwords.
  • It's security by obscurity, if Linux had a greater market share it would be targeted by hackers ... Maybe, probably ... I don't know. However, you're overlooking the fact that you are working withing a read-only environment which adds a lot to your security.
  • It's a stop-gap measure ... You bet! Just like locking your door or learning self defense, what you're doing is making the bad guys look for an easier, softer target. Nothing is perfect.
  • How about using a virtual machine rather than a Live CD? It's an idea, but the OS inside the virtual machine wouldn't be read-only.
  • It's too much hassle ... Suit yourself.
  • But I love Windows ... Wah! Wah! Wah!!!! No one is asking you to give up on Windows, it's just augmenting Windows.

Keep your comments rolling it!]

Thoughts? I'm particularly interested in suggestions to improve the Live CD, a better choice of Live CD or tools for the USB key.

Topics: Windows, Banking, Hardware, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

872 comments
Log in or register to join the discussion
  • Instead of a live CD

    Would I be able to install Linux in Windows and do the same?
    The one and only, Cylon Centurion
    • A VM Should be fine

      While ultimately windows is handling the transport, Linux is the one doing the processing, and therefore should be fine.
      Stuka
      • Problem with using a VM

        The problem with your suggestion is that it still offers an OS that can be written to (without tweaking); this is no different than having a Linux install on a dual-boot system. Adrian's idea is that by using a LiveCD, you are secure in knowing nothing can modify your OS since a LiveCD is unable to be written to. There are ways to lock down a Linux installation so that it cannot be written to (such as modifying the OS partition in fstab with ro - read only) but I don't think it is something I'd want to try instructing a newbie to do.
        NetAdmin1178
        • Valid Point

          The LiveCD ultimately is the safest way.
          Stuka
          • Re: VM usage

            Or just set the VM to rollback to the last snapshot every time you start up and/or shut down. No permanent changes to the VM that way.
            Dalelaurd
          • You'd have to dedicate the VM...

            to just that - online banking - otherwise it could be compromised just like the PC.
            JCitizen
        • Best of both worlds

          Boot your VM off a live CD image. It's a heck of a lot faster than using a physical CD and gives you the same protection.
          frgough
          • I agree

            Personally I'd hate to reboot every time I remembered I had to check my bank details.
            AndyCee
          • Very good idea... few additional thoughts

            I must agree, that is a very good idea. Booting a CD from within a VM should guarantee the read-only environment we're looking for, and it is much more convenient to start-up the CD from within your currently running OS than rebooting your PC to boot a CD.

            You could also boot the VM to a CD iso, rather than the CD itself. It should be even more responsive to work with (HDD files typically have faster access than optical media), and there's no wasted CD media when updates come out for the OS, just replace your iso with the new one. The only consideration I see at this time would be needing to safeguard that iso from being tampered with, since it would be potentially exposed while you're using your regular OS.
            NetAdmin1178
          • Host OS keyloggers would pose a problem to this solution... (nt)

            NT
            NetAdmin1178
          • iso exposed......

            ...isnt that getting just a little too paranoid? The thing that concerns me is needing to this for online shopping because that is something I do hand in glove with everything else that I do - during a typical week I might make 20 or more purchases and as many other transactions - while I am working or doing other things - a fast PC with a virtual window running from an ISO seems the only sensible way forward. Mind you I buy a lot on ebay where I like to keep the auction open in one window while I work in another....it is an easy solution for someone who transacts occasionally but my life is totally intetwined with the internet - I cant remember the last time I went into town - I buy everything on line.
            cymru999
          • Best...

            Thank you. That's exactly what I was thinking.
            kc117mx
          • Wouldn't the CD image be on writable media?

            More like worst of both worlds.
            AzuMao
        • Compromised host OS

          If the host OS (Windows) is compromised, like say with a keylogger, wouldn't your online credentials still be stolen when using a Linux VM for transactions, since the keylogger can still monitor keystrokes?

          I don't really know if this is possible, would appreciate if someone here could shed some light on this.

          Thanks
          balaknair
          • Yes,

            That's very possible. In fact, the ONLY key combo
            that can't be hooked (captured by a keylogger) is
            ctrl+alt+del.

            Even if you are running a VM, a good keylogger
            hooks the keys between Windows and the program you
            are using, so yes, it would hook between Windows
            and the VN.
            VistroDotNet
          • Hooking alt ctrl del

            http://www.codeproject.com/KB/winsdk/AntonioWinLock.aspx

            Nuff Said!

            and if people on the interweb can do it, you be that anyone else with malware or a rootkit can do it too.
            Troyr1
          • No..

            ..a good keylogger is a driver (runs between
            keyboard and OS), hooking [i]everything[/i].
            AzuMao
          • One way is using an I/O firewall..

            like Snoofree Privacy Shield. I've never seen a keylogger or video hook defeat it yet. In fact when I see it popup, I know I got undefined spyware on my XP system, and I keep trying different utilities until I catch the miscreant!

            Snoopfree is free, but donations are made very difficult by the author. I do not work for any man or company - I just hate malware to pieces!

            Microsoft should add something like this to the operating system, as well as the UAC! Of course they would probably violate Snoopfree's copyright.
            JCitizen
          • Microsoft do not have that excuse.

            Snoopfree owns no "copyright" on the general
            concept of behavior-based heuristics. Nothing is
            stopping Microsoft from making Windows have more
            fine grained control over which programs are
            allowed to do what.
            AzuMao
          • The HIPS in Comodo...

            is almost as good, but won't ID whether it is finding video/keyboard hooks, only file modifications.

            I think Comodo's Defense + could be modified to report such input/output traffic. In fact the two utilities don't get along anymore.
            JCitizen