When you don't trust Windows for online shopping and banking
Summary: There are no good reasons why you can't trust Windows for shopping and banking as long as you take a few sensible precautions.
Today's mailbox question is from a reader who no longer trusts Windows to protect him when shopping and banking online:
A few months ago my PC somehow became infected with malware that managed to grab my bank login details as well as a number of usernames and passwords I use for online shopping. As a result of this I lost some $4,500. I got most of this back, but it was a tremendous hassle and I'm left feeling I can't trust Windows to protect me from hackers and malware. What do you suggest I do?
A big question, but I'm going to offer a couple of suggestions as to what you can do to protect yourself in the future.
Harden your Windows installation
Malware may have got onto your system because no antivirus software was installed, or because the software was out of date and not protecting you from the latest malware.
My first suggestion is that you install security software. My preference is Microsoft Security Essentials, because it's free and will update in the background without ever nagging you to buy a license. It's also very good software.
I'd also take the time to run Windows Updates -- found in Control Panel -- and install any patches that you might have missed. These patches plug up vulnerabilities that can allow hackers to gain access to your system.
You should also check that all your programs are updated, especially applications such as web browsers and add-ons such as Adobe's Flash Player. To take the stress out of doing this I would suggest you download and run Secunia PSI. This will scan your system for out-of-date software, automatically update some of it for you, and tell you how to update the rest yourself.
Finally, you also need to be sensible. Be careful what you download and install onto your system, although your antivirus software should take care of most threats. Also, be careful about clicking on links that come to you via email, Twitter, Facebook and so on.
Create a Linux Live-CD
If you're still worried that Windows can't offer you enough protection, then you need to create for yourself an isolated operating system that you can use purely for banking and shopping.
What I wrote about nearly three years ago still applies today.
The best way to do this is to load a Linux distro onto a CD/DVD or USB flash drive and use that for banking and online shopping. I recommend using a CD/DVD because absolutely nothing can be written to the disc. It's not an ideal setup because it can be a hassle, but it will offer you a significant level of protection.
- Download a Linux ISO. Ubuntu remains popular, but Mint is nice too.
- Burn the ISO to CD or DVD using a disc-burning tool, such as ImgBurn.
- Pop the CD into your drive and boot up from the CD when you want to bank or shop.
If you don't have a CD/DVD burner then take a look at PenDriveLinux. Here you will find out how to boot and run Linux from a USB flash drive.
This method not only protects you from malware and Windows-based vulnerabilities; it also protects you from phishing attacks, provided you don't use the Live-CD for anything other than banking and shopping. Don't use it for email, or Facebook, or even Twitter for that matter. You boot into the Live-CD, which is completely isolated from your Windows installation, do what you went in to do, and when you're done you can boot back into Windows.
Simple, safe, and effective. I also recommend that you burn a new CD every six months or so just to keep you on top of new releases and updates.
What about passwords? Simple. Grab yourself a USB flash drive and a copy of an app such as TrueCrypt and encrypt a text file containing your passwords.
Closing thoughts
Bottom line: I don't think that there's any reason why you can't trust Windows for shopping and banking as long as you take a few sensible precautions. Millions of people do just that daily. However, if you're still concerned, you can always create a Linux Live-CD to boot from and use it for any activities you consider too risky for Windows. It's more of a hassle, but it is a far more secure option.
Talkback
Who is this? Identify yourself! This is not AKH. Imposter!
Which Windows version? And which Windows edition?
As for the Windows edition, I inquired because of Software Restriction Policy (SRP). Why SRP? Write where one cannot execute and execute where one cannot write. Windows XP Home does not support SRP, at all. Windows XP Professional, Vista Business/Ultimate and 7 Professional/Ultimate fully support SRP via gpedit.msc. Windows Vista/7 Home provide a 'lite' version of SRP via Parental Controls.
Least privilege combined with SRP whitelisting provide much more effective hardening than installing and running AV software, although I have nothing against running AV software on Windows.
As a small business owner, I'd be very tempted to use a PC dedicated solely to online banking, if I were to use Windows. As a consumer, I'd create a separate least privilege account used solely for online banking (no email, web surfing, instant messaging, media streaming, etc.) and I'd never use the default account for anything other than administering the PC. Again, if I were to use Windows.
There's just too much malware in the Windows desktop world not to be ultra-careful and fully use features built-in to the operating system.
P.S. I'd also enable Microsoft Update as it covers more of Microsoft's software than Windows Update, including applications like Microsoft Office.
By default, even an admin account doesn't run with admin token
I would like to echo secuniapsi, as Windows update doesn't do third party software such as Java and Flash, and these two are by far the biggest attack vectors on the Windows operating system, by far.
RE: By default, even an admin account doesn't run with admin token
I would prefer to harden the system by disabling the UAC prompt (not the same as disabling UAC) for the standard user account. Isn't this how it's done for enterprise Windows users? They should never see a prompt for the local machine administrator credentials.
A home user can either log in to the default account or use fast user switching to the default account to perform administration activities.
An even better solution
Use Linux for everything including your banking and other stuff, and when someone sends in a .docx or some other file for which you'd rather use Windows, go into your virtual machine to take care of it.
This is much better than having Linux in isolation and using it only for banking.
Nah it isn't
RE: Nah it isn't
Desktop Linux, whether using a LiveCD (or LiveDVD) as recommended by the author or an install on one's hard drive, is significantly safer than Windows. Due to its low, 1-2%, market share, it really isn't targeted by the malware miscreants.
Desktop Linux users get in trouble when they enable vpn or sshd and fail to properly configure and secure the service. Neither service runs by default on most desktop Linux distros.
Apache
I use Windows as a gaming platform, it really excels (pun intended) in this area, I use Linux for everything else.
Linux is very secure from a design standpoint and from a no-one-uses-it-so-hackers-don't-bother standpoint, but misconfigured services will make anyone's computer vulnerable no matter what it runs, so bottom line: if you don't know what you're doing, get help or don't do it.
And, to follow up on Rabid Howler Monkey, ssh is a huge problem for some people to lock down, make sure you only use private key authentication to prevent dictionary attacks from being successful!
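The key-only SSH advice in the comment above can be checked mechanically. This is an added example, not code from the article or any commenter: a small auditor for `sshd_config` text that reports whether password-style logins are still possible. It assumes a single file with no `Include` lines, stops at the first `Match` block, and uses upstream OpenSSH defaults; the sample configs are constructed.

```python
# Effective values when a keyword is absent (upstream OpenSSH defaults,
# assumed here; a distribution's packaged config may set them differently).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global settings; sshd keeps the FIRST value it reads for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks are out of scope for this example
        if len(parts) > 1 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings; an empty list means key-only login at global scope."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: passwords can be guessed")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication enabled: may still ask for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled: key login unavailable")
    return findings

# Constructed samples. WEAK looks hardened at a glance, but the first value wins.
WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("PasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n"
            "PubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "key-only")
```

On a real host, `sshd -T` prints the configuration the daemon actually resolves, including included files, and is the authoritative check.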
That's a flawed argument
Even though Apache-based servers are hacked, large corporations with the money and technical know-how choose to go with Linux anyway; and one of the major reasons is security (some other being cost, flexibility, and the ability to modify the code to suit your needs).
The solution I suggested works because it provides far greater security out of the box than having Linux run inside of Windows.
For those heavily into gaming, virtualization may not work, because your point about it being a poor substitute comes in. But remember my comment says, "if you're like most users"... that means you're NOT a heavy gamer, and most of the things you do on your computer involve surfing the Internet, listening to music, watching movies, working on documents, sending emails, etc.
RE: Nah it isn't
An even better solution 2
Programs
WTB a comment system
I've never had a problem with Windows
No, but you're going to get flagged for spamming here
All antivirus type tools are not the answer
clean up after your self
Wubi for the average user, VirtualBox + Linux for more sophisticated
Use a Chromebook (first choice) or tablet OS
Chromebook