When you don't trust Windows for online shopping and banking

Summary: There are no good reasons why you can't trust Windows for shopping and banking as long as you take a few sensible precautions.


Today's mailbox question is from a reader who no longer trusts Windows to protect him when shopping and banking online:

A few months ago my PC somehow became infected with malware that managed to grab my bank login details as well as a number of usernames and passwords I use for online shopping. As a result of this I lost some $4,500. I got most of this back, but it was a tremendous hassle and I'm left feeling I can't trust Windows to protect me from hackers and malware. What do you suggest I do?

A big question, but I'm going to offer a couple of suggestions as to what you can do to protect yourself in the future.

Harden your Windows installation

Malware may have gotten onto your system because no antivirus software was installed, or because the antivirus software was out of date and not protecting you from the latest malware.

My first suggestion is that you install security software. My preference is Microsoft Security Essentials, because it's free and will update in the background without ever nagging you to buy a license. It's also very good software.

I'd also take the time to run Windows Updates -- found in Control Panel -- and install any patches that you might have missed. These patches plug up vulnerabilities that can allow hackers to gain access to your system.

You should also check that all your programs are updated, especially applications such as web browsers and add-ons such as Adobe's Flash Player. To take the stress out of doing this I would suggest you download and run Secunia PSI. This will scan your system for out-of-date software, automatically update some of it for you, and tell you how to update the rest yourself.

Finally, you also need to be sensible. Be careful what you download and install onto your system, although your antivirus software should take care of most threats. Also, be careful about clicking on links that come to you via email, Twitter, Facebook and so on.

Create a Linux Live-CD

If you're still worried that Windows can't offer you enough protection, then you need to create for yourself an isolated operating system that you can use purely for banking and shopping.

What I wrote about nearly three years ago still applies today.

The best way to do this is to load a Linux distro onto a CD/DVD or USB flash drive and use that for banking and online shopping. I recommend using a CD/DVD because absolutely nothing can be written to the disc. It's not an ideal setup because it can be a hassle, but it will offer you a significant level of protection.

  • Download a Linux ISO. Ubuntu remains popular, but Mint is nice too.
  • Burn the ISO to CD or DVD using a disc-burning tool, such as ImgBurn.
  • Pop the CD into your drive and boot up from the CD when you want to bank or shop.

If you don't have a CD/DVD burner then take a look at PenDriveLinux. Here you will find out how to boot and run Linux from a USB flash drive.
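Before burning the ISO or writing it to a flash drive, confirm that the download matches the checksum file the distribution publishes. The script below is an added example, not part of the original article; it assumes a coreutils-style SHA-256 checksum file, and the file name `sample.iso` and the `demo()` data are constructed.

```python
import hashlib
import os
import re
import tempfile

# coreutils checksum line: 64 hex digits, a space, ' ' (text) or '*' (binary), filename
_SUM_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_sums(text):
    """Parse SHA256SUMS-style text into {filename: lowercase hex digest}."""
    sums = {}
    for line in text.splitlines():
        m = _SUM_LINE.fullmatch(line)
        if m:  # anything else (blank lines, PGP armor) is ignored
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large ISO is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_iso(iso_path, sums_text):
    """True if the ISO matches its published digest, False on mismatch.

    Raises KeyError when the checksum file has no entry for this filename,
    so a missing entry is never mistaken for a pass.
    """
    expected = parse_sums(sums_text)[os.path.basename(iso_path)]
    return sha256_file(iso_path) == expected

def demo():
    """Constructed sample: a small stand-in file plays the role of the ISO."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.iso")
        with open(path, "wb") as f:
            f.write(b"constructed image bytes" * 4096)
        good = sha256_file(path) + " *sample.iso\n"
        bad = "0" * 64 + " *sample.iso\n"
        return verify_iso(path, good), verify_iso(path, bad)

if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the ISO agrees with the checksum file, so fetch that file from the distribution's own HTTPS site and, where a signature is published, check it with GPG.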

This method not only protects you from malware and Windows-based vulnerabilities; it also protects you from phishing attacks, provided you don't use the Live-CD for anything other than banking and shopping. Don't use it for email, or Facebook, or even Twitter for that matter. You boot into the Live-CD, which is completely isolated from your Windows installation, do what you went in to do, and when you're done you can boot back into Windows.

Simple, safe, and effective. I also recommend that you burn a new CD every six months or so just to keep you on top of new releases and updates.

What about passwords? Simple. Grab yourself a USB flash drive and a copy of an app such as TrueCrypt and encrypt a text file containing your passwords.

Closing thoughts

Bottom line: I don't think that there's any reason why you can't trust Windows for shopping and banking as long as you take a few sensible precautions. Millions of people do just that daily. However, if you're still concerned, you can always create a Linux Live-CD which you can boot up from and use that to do any activities you consider too risky for Windows. It's more of a hassle, but it is a far more secure option.


  • Who is this? Identify yourself! This is not AKH. Imposter!

    Dietrich T. Schmitz *Your
  • Which Windows version? And which Windows edition?

    Least privilege is fundamental to computer security. I inquired about the Windows version because the default account for Windows XP, Home and Professional, is the Administrator account which should not be used for day-to-day computing. Create a limited user account and use that for day-to-day computing. Even Vista/7 security benefits from using a true standard user account (not the default) for day-to-day computing.

    As for the Windows edition, I inquired because of Software Restriction Policy (SRP). Why SRP? Write where one cannot execute and execute where one cannot write. Windows XP Home does not support SRP, at all. Windows XP Professional, Vista Business/Ultimate and 7 Professional/Ultimate fully support SRP via gpedit.msc. Windows Vista/7 Home provide a 'lite' version of SRP via Parental Controls.

    Least privilege combined with SRP whitelisting provide much more effective hardening than installing and running AV software, although I have nothing against running AV software on Windows.

    As a small business owner, I'd be very tempted to use a PC dedicated solely to online banking, if I were to use Windows. As a consumer, I'd create a separate least privilege account used solely for online banking (no email, web surfing, instant messaging, media streaming, etc.) and I'd never use the default account for anything other than administering the PC. Again, if I were to use Windows.

    There's just too much malware in the Windows desktop world not to be ultra-careful and fully use features built-in to the operating system.

    P.S. I'd also enable Microsoft Update as it covers more of Microsoft's software than Windows Update, including applications like Microsoft Office.
    Rabid Howler Monkey
    • By default, even an admin account doesn't run with admin token

      Since Vista, even a user who is a member of the administrators group doesn't inherit the admin token at runtime; this token is simply stripped from the session. Therefore you can easily run with such an account and be safe. The difference in reality is that whilst a non-admin user will have to enter an admin user account + password to write to places where their account doesn't have any explicit access, an admin user will have to just acknowledge the UAC prompt to write to such places (this not only includes fs rights; registry keys and other objects are treated in the same way). Of course you can harden this by setting UAC to prompt for userid + password even if the user is part of administrators. On Windows 7 another good thing to do is move the "UAC slider" in Control Panel to the top (which mimics the UAC settings under Vista). Enabling Windows Update and setting it to receive updates from other MS products is a necessity, just as such update mechanisms are a necessity on any other OS.

      I would like to echo secuniapsi, as Windows update doesn't do third party software such as Java and Flash, and these two are by far the biggest attack vectors on the Windows operating system, by far.
      • RE: By default, even an admin account doesn't run with admin token

        "Of course you can harden this by setting uac to prompt for userid+ password even if the user is part of administrators"

        I would prefer to harden the system by disabling the UAC prompt (not the same as disabling UAC) for the standard user account. Isn't this how it's done for enterprise Windows users? They should never see a prompt for the local machine administrator credentials.

        A home user can either log in to the default account or use fast user switching to the default account to perform administration activities.
        Rabid Howler Monkey
  • An even better solution

    Install Ubuntu (or any other Linux distro) as your main OS of choice, and within it, use Virtualbox to create a Windows computer on which you can run MS Office and some other windows-only software that you absolutely need -- if you're like most people, you don't really 'need' Windows for anything, but just in case you feel like it might come in handy.

    Use Linux for everything including your banking and other stuff, and when someone sends in a .docx or some other file for which you'd rather use Windows, go into your virtual machine to take care of it.

    This is much better than having Linux in isolation and using it only for banking.
    • Nah it isn't

      Not only is virtualisation not the answer to programs that won't run or run poorly (such as games), the number of applications available is vastly smaller. Of course Linux isn't any safer than Windows in any case, and vulnerabilities are discovered and patched on a constant basis, just as is the case on Windows. In areas where Linux market share is bigger than their tiny desktop market share, we see Linux systems being infected en masse; a good case in point is the webserver area, where vulnerabilities in Apache are exploited en masse.
      • RE: Nah it isn't

        "Of course Linux isn't any safer than Windows in any case"

        Desktop Linux, whether using a LiveCD (or LiveDVD) as recommended by the author or an install on one's hard drive, IS significantly safer than Windows. Due to its low, 1-2%, market share, it really isn't targeted by the malware miscreants.

        Desktop Linux users get in trouble when they enable vpn or sshd and fail to properly configure and secure the service. Neither service runs by default on most desktop Linux distros.
        Rabid Howler Monkey
      • Apache

        Is not Linux; Apache on Windows has just as many vulnerabilities, it's just a program running on top of the operating system. Most people will find that ANY desktop operating system will be a fine replacement. This includes Linux variants and Mac OSX; many people are just afraid to make the jump.
        I use Windows as a gaming platform, it really excels (pun intended) in this area; I use Linux for everything else.
        Linux is very secure from a design standpoint and from a no-one-uses-it-so-hackers-don't-bother standpoint, but misconfigured services will make anyone's computer vulnerable no matter what it runs, so bottom line: if you don't know what you're doing, get help or don't do it.
        And, to follow up on Rabid Howler Monkey, ssh is a huge problem for some people to lock down, make sure you only use private key authentication to prevent dictionary attacks from being successful!
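A check for the key-only advice in the comment above, added here as an example and not part of the comment thread: it audits OpenSSH `sshd_config` text for password logins left enabled. It assumes OpenSSH keyword semantics (case-insensitive keywords, the first value obtained wins, Match blocks override the global section), does not follow `Include` directives, and uses constructed sample configs.

```python
# Defaults sshd applies when a keyword is absent (see sshd_config(5)).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")

def parse(config_text):
    """Return (global settings, password keywords re-enabled in Match blocks)."""
    settings, match_overrides, in_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # case-insensitive
        value = parts[1].strip().lower() if len(parts) == 2 else ""
        if key == "match":
            in_match = True
        elif in_match:
            # Match blocks override the global section for matching logins.
            if key in PASSWORD_KEYS and value != "no":
                match_overrides.append(key)
        else:
            settings.setdefault(key, value)  # first value obtained wins
    return settings, match_overrides

def audit(config_text):
    """Return findings; an empty list means key-only login is enforced."""
    settings, match_overrides = parse(config_text)
    eff = {k: settings.get(k, default) for k, default in DEFAULTS.items()}
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off")
    for key in PASSWORD_KEYS:
        if eff[key] != "no":
            findings.append(key + " is not 'no'")
    findings += [key + " re-enabled in Match block" for key in match_overrides]
    return findings

# Constructed samples, not taken from any real host.
WEAK = "PubkeyAuthentication yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration after includes are resolved and is the authoritative source to check.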
      • That's a flawed argument

        The issue is not whether a system is hackable or not per se (because if you tried to find a system that is unhackable, you'll end up spending more money than is worth it to protect your stuff -- unless you're a billionaire with lots to lose). The issue is about which system is more vulnerable, and Windows IS more vulnerable than Linux. It is also targeted by more malware programmers, which makes its likelihood of getting hacked far greater than any Linux distribution out there.

        Even though Apache-based servers are hacked, large corporations with the money and technical know-how choose to go with Linux anyway; and one of the major reasons is security (some other being cost, flexibility, and the ability to modify the code to suit your needs).

        The solution I suggested works because it provides far greater security out of the box than having Linux run inside of Windows.

        For those heavily into gaming, virtualization may not work, because your point about it being a poor substitute comes in. But remember my comment says, "if you're like most users"... that means you're NOT a heavy gamer, and most of the things you do on your computer involve surfing the Internet, listening to music, watching movies, working on documents, sending emails, etc.
      • RE: Nah it isn't

        Well one thing Linux has going for it on the Desktop, is all the software comes through the repositories. The user isn't searching the internet for programs and downloading malware instead (like what's been happening with Apple as of late). They go to the Software Center and search and find the app, and install. The side benefit is that with Ubuntu, ALL of the apps are kept up to date for security issues, rather than just the MS apps. Security holes on any system are a combination of supplied and 3rd party.
    • An even better solution 2

      Run Linux. Use OpenOffice which reads and writes the Microsoft Office file formats. No real need for Windows except for a few programs which are not that popular and have no Linux versions.
      • Programs

        Are you referring to things like BF3 or MW3? You know, unpopular programs that don't run on Linux.
  • WTB a comment system

    Seriously, what happened to my first comment?
  • I've never had a problem with Windows

    Although I did read today that 600,000 OS X Macs have been infected by a drive-by (no user interaction required) and are now part of a huge botnet. That is one massively successful piece of malware considering how few OS X Macs there are out there.
    • No, but you're going to get flagged for spamming here

      Get lost, fanboy
  • All antivirus type tools are not the answer

    They can't protect you against infections they don't yet know about. They close the gate after the horse has bolted. Just don't use Windows.
  • clean up after yourself

    I always do my transactions and then delete everything when I am done. Never had accounts screwed with. Hell, I don't even let my browser save anything at all. All data wiped when I close them and then defrag. Hell, I clean up even after every use, and yes, I run M.S.E. Good article, A.H.
  • Wubi for the average user, VirtualBox + Linux for more sophisticated

    Depending on the sophistication of the user, Wubi might be an easier solution than a pendrive boot. And for people with a modicum of technical background, something like VirtualBox lets you have better performance than a LiveDVD, with the same protections, if you use non-persistent sessions.
  • Use a Chromebook (first choice) or tablet OS

    I bought a Chromebook about 6 months ago for all my banking on line. I don't use a debit card and I'll trust the credit card people to protect that side of my finances.
    • Chromebook

      Just making sure that Google has a complete record of everything you do.