It's time to ditch Windows for online banking and shopping.
There, I've said it.
Last week, FBI Director Robert Mueller told an audience in San Francisco how he nearly fell for a bank phishing email. As a result of this Mueller now doesn't do any banking on line.
Then Washington Post "Security Fix" columnist Brian Krebs advises businesses not to carry out online banking on Windows-based machines and to use a Linux-based LiveCD.
I'm going one step further, and suggest that no one use Windows for either banking or online shopping. Period.
So, am I saying this to be controversial? No. Am I attacking Windows or Microsoft? Am I trying to start a flame war? No.
So why am I saying this? Simply because I believe that the risk of using Windows outweighs the convenience. Sure, the overall risk of financial loss to a consumer is small given that federal law limits the consumer's liability to $50, but having you bank details or credit card information compromised is a huge time-consuming hassle that people can do without.
It couldn't be simpler.
- Download a Linux ISO (my favorite is Ubuntubut there are loads of others to choose from).
- Burn the ISO to CD (I recommend ImgBurn).
- Pop the CD into your drive and boot up from the CD when you want to bank or shop ... take a couple of minutes and it's 100% safe since nothing can write to the CD).
This way not only are you protected from malware ands Windows-based vulnerabilities, you also protect yourself from phishing attacks by not using the Live CD for anything other than banking and shopping (no email, no Facebook/MySpace ...). You boot into the Live CD, do what you want to do, and close the OS when you're done.
Simple. Safe. Effective.
Note: I recommend that you burn a new CD every six months or so just to keep you on top of new releases and updates.
What about passwords? Simple! Grab yourself a USB flash drive and a copy of an app such as TrueCryptand encrypt a text file containing your passwords (if you want you can create an encrypted partition on the USB key to store more data if you want).
Think this is too much hassle? I thought it would be, but I've been doing this for a few days now and it's quick and simple and offers a great deal of peace-of-mind.
[UPDATE: Time to respond to some of the TalkBalk chatter:
- Why not spend the time making Windows more secure? I don't want to get caught up in the whole Windows vs. mac vs. Linux thing but this statement is ridiculous. Make Windows more secure than a read-only that you only use for critical stuff? Seriously ...
- This doesn't protect against phishing ... Well, if you separate email and browsing from banking, then it does ... a lot of readers seemed to have missed that. also, while the FBI director talked about phishing, his isn't the only threat facing online banking users. One thing that using a LiveCD for banking does is create a policy ... so if you ONLY visit your bank via the LiveCD OS, you're putting in place a policy that says you DON'T visit your bank via email links. Security is, after all, 90% good practice.
- Microsoft Security Essentials will protect us ... There's no phishing protection in MSE.
- IE8 has a better phishing filter than Firefox .... As tested by nsslabs, IE8's phishing filter had an 83% catch rate compared to Firefox's 80%. If you're willing to split hairs over a few percentage points but ignore the fact that the best phishing filter misses almost 1 in 5 phish attempts then your priorities are wrong.
- It's a dumb waste of time ... Each to his or her own I guess ... but I'm sure that many look at passwords in the same way. If some people were left to their devices they'd not have passwords.
- It's security by obscurity, if Linux had a greater market share it would be targeted by hackers ... Maybe, probably ... I don't know. However, you're overlooking the fact that you are working withing a read-only environment which adds a lot to your security.
- It's a stop-gap measure ... You bet! Just like locking your door or learning self defense, what you're doing is making the bad guys look for an easier, softer target. Nothing is perfect.
- How about using a virtual machine rather than a Live CD? It's an idea, but the OS inside the virtual machine wouldn't be read-only.
- It's too much hassle ... Suit yourself.
- But I love Windows ... Wah! Wah! Wah!!!! No one is asking you to give up on Windows, it's just augmenting Windows.
Keep your comments rolling it!]
Thoughts? I'm particularly interested in suggestions to improve the Live CD, a better choice of Live CD or tools for the USB key.