I consider myself to be tech-savvy. I can work with Windows, macOS and Linux. I can code small tools and set up new systems. In short, I think I know how a computer works. But sometimes I still wonder if I’m doing everything I can to protect my assets from a cyber security perspective. Of course, I already use 2FA and different passwords. And I don’t think I fall for phishing*. I estimate the risk of hacking to be very low, but the impact would be large.
You can also just use Tails[1], which is a USB-bootable GNU/Linux OS that boots to a temporary behind system on any computer.
But in the end, is it really worth it? Banks already have 2FA, mine even called me when I transferred money outside of Switzerland. Phishing doesn’t really work anymore, because what will they do with the password? They still need your phone.
… and after going through with your idea you will just give up on it after doing it a bit, because it’s just a pain in the ass without any upside (in my opinion).
Theoretically: Malicious software could be installed in the background and wreak havoc as soon as you are successfully logged in. Directly on the device without knowing your password/2FA. The malware could enter the system unnoticed via a zero-day. Virtually every Chrome and Firefox update now fixes a high-level security vulnerability.
I use my old laptop as a separate secure machine. It actually runs Qubes OS with disposable VMs. But that’s more like a hobby.
I think a read-only Linux on USB should be sufficient. Maybe you can have it on a stick with a manual read-only switch (make sure hardware or firmware enforces, not only suggests, this).
as it supports read-only per default and is a rather hard target (powerful nation-state adversaries that are not interested in your usecase).
This is more convenient, as you only have to carry around one laptop (or none). Criminals capable of infecting the hardware below the OS don’t seem that common. On the other hand, I don’t know how many billions you intend to handle from your machine.
Further upgrades could be:
Separating passwords into two parts on two different machines (e.g. a KeePass file on smartphone and stick, each). Don’t forget backups.
Dedicated email account with the same security (maybe Protonmail). The email account often is as dangerous as losing control over 2FA.
In any case, you will need a way to push files (e.g., annual reports for tax) to your less critical daily driver. But some online Dropbox should be sufficient. You could also abuse the email account, but you want to open that one as seldom as possible, as it is likely a root for most other accounts.
Network is not the attack vector, it’s more about having a trustworthy system (in times of TLS network is no longer a problem). I don’t think it makes sense to discuss Tor or VPN services here.
And privacy is also not a use case, you are identified to the bank anyway.
My mother-in-law (who just turned 90) has the blueprint for the ultimate security hardening feasible for your threat scenario:
owns no computer, no smartphone
physically shows up at the bank’s branch for all transactions
I’ll be a little more paranoid than previously discussed before turning to more serious advice:
your USB stick with Linux on it, how has it been sourced? Where is it produced, who had access to the supply chain? China? Israel? The US?
ditto for your separate notebook
that Linux distribution you’re talking about …
are you installing binaries from some web site on the Internet?
or are you compiling source code and installing it yourself?
and where do you download the source code from? Has there ever been an issue with source code injected at that code repository? If not, how do you know this isn’t an issue now?
that VM you’re running your disposable images in, are you sure that exploits in the VM haven’t made it to the host operating system and are now persistently infecting every new VM you install and use?
Let’s say you’ve addressed all of the above. What about making sure you’re connecting to the site you’re thinking you’re connecting to?
you are only using DNSSEC, right? For domains, including your bank’s, you call them up in order to make sure you’re connecting to the right IP address instead of the one your DNS servers claim they are.
another layer up: you’ve checked your browser is … ahem … trustworthy. I don’t know what your checklist for this is, but here’s a few suggestions:
write your own browser (good luck!)
don’t use the browser of some small company or non-profit org as they don’t have the resources to security test their own thing or respond quickly enough to reported or otherwise discovered vulnerabilities
use the browser of some Really Large Company that has teams staffed with hundreds if not thousands of people working on them. Admittedly, not all of these people work on the security of that browser – in fact, most work on increasing the probability that you keep using that Big Company’s products – but in my experience you still have teams in the “hundreds” that worry about the security of that browser
Ok, we now assume you have a secure browser, whatever that means
You’ve sorted through the list of root CAs that are acceptable to your browser. I.e. the CAs that sign the certificates that your bank’s servers present to your browser such that a cryptographically authenticated and secured connection is established between you and your bank. There have been many instances of root CAs issuing certificates for entities that should not have received them, so this is a pretty important step.
Ok, enough for now. Here’s the serious advice.
You don’t need to outrun the bear, just your fellow folks running away from the bear.
What you already do is sufficient if you keep applying common sense when in doubt.
Use a separate browser (see above for legitimate choices) that you use only for transactions you worry about and use that browser for nothing else.
To be clear, we’ve just scratched the surface, but when you’ve worked with folks from, say, Hoolie’s Project Zero team, you can get as creatively paranoid as you want.
The reality, though: you personally are not a target, and none of these sophisticated attacks will ever likely land on your computer. It’s more probable that a Great White Shark will bite you while lightning strikes the both of you.
Of course, in the end it’s always a balancing act, there is never 100 % safety. If someone is sitting behind you with a gun, even the best tech-safety features are useless. And I think the argument ‘what about?’ should not be used as an excuse for not making certain things safer.
Right. I am saying – and I believe you replied before I finished my post – that you’re already doing more than most others & you apply common sense, and that’s already enough.
With the trend towards email clients where you need three clicks to see the sender and with the trend towards Microsoft Safetylinks bullshit URLs, I’m not surprised.
I wouldn’t use anything like Tails. These images themselves might have a high chance of being trojaned to begin with as those who use them might be specific targets.
Given how valuable and vulnerable your phone is, I’ve also given thought to separating out IBKR and banking apps onto a separate device.
As always there’s a big convenience/security trade-off.
Inputs on cybersecurity have already been given here. Ultimately, I share the viewpoint that as an ordinary user you will be safe if you uphold common measures. The risk you need to avoid is being identified as a high value target, because nearly no one survives a specific, targeted attack (which might include a perpetrator getting physical access to your devices). So, you know, don’t post about your multi-million net worth on the internet.
Then, there is your own live access as a risk. When you got mugged twenty years ago you lost your cash. Nowadays you may be forced to access and wipe out your entire brokerage. So, don’t allow instant transfers, and don’t carry around a phone with all necessary access tokens (e.g. keep a separate phone with your 2FA which stays at home).
Lastly, there is containment. Make sure you’ll be notified immediately, by push and/or mail, if a fraudulent transaction happens (and know how to act). This setup depends on your broker and bank, just mentally go through an attack scenario and tailor a solution. In my case for example, this included a separate mail account with old-school POP3 for certain notifications so that mails couldn’t be purged, even if a perpetrator had full access to my main device.
And: This is one of the reasons why I prefer a local Swiss bank/broker: Whenever I move large amounts around I get a call to verify the transaction, before it actually gets executed.
The one thing I’d add but isn’t offered: A cyber insurance for private individuals with decent coverage (never found anything offering more than CHF 50k loss coverage).
… in the vein of @PhilMongoose’s spot on convenience/security trade-off: how do your heirs access their inheritance you’re managing via that super secured access to your funds?
Probably on the surface doesn’t apply to most of you, at least not yet, seemingly, but for many probably potentially. And if you add the proverbial chance of getting-run-over-by-a-tram, it might actually apply to you even today, and even if you’re young.
Admittedly, less important if your heirs “only” inherit your assets and do not need timely access to the cash flow generated by your assets.
I’m in the category now where my family’s assets – managed by me – generate a majority of the cash flow we consume. I need to make sure that if I drop dead tonight my loved ones can still access that cash flow until ownership of the assets is officially sorted out (which can take months, even in simple cases).
I’m thus interested in having accounts jointly owned (a little bit of a headache with IBKR, simple with Swissquote) and access to cash accounts even with 2FA being relatively simple (again a little bit of a headache with IBKR, relatively simple with Swissquote).
By reading and participating in this forum, you confirm you have read and agree with the disclaimer presented on http://www.mustachianpost.com/