Security Hardening

I consider myself to be tech-savvy. I can work with Windows, macOS and Linux. I can code small tools and set up new systems. In short, I think I know how a computer works. But sometimes I still wonder if I’m doing everything I can do to protect my assets from a cyber security perspective. Of course, I already use 2FA and different passwords. And I don’t think I fall for phishing*. I estimate the risk of hacking to be very low, but the impact would be large.

I was thinking of options like:

  • Linux on a USB stick only for online banking etc.
  • A separate notebook for this purpose only (there are cheap options)

Do any of you use separate systems for online banking and broker logins?

And how well does this work for you?


*But that’s what everyone who has never fallen for it says

2 Likes

You can also just use Tails[1], which is a USB-bootable GNU/Linux OS that boots to a temporary, leave-nothing-behind system on any computer.

But in the end, is it really worth it? Banks already have 2FA, mine even called me when I transferred money outside of Switzerland. Phishing doesn’t really work anymore, because what will they do with the password? Still need your phone.

… and after going through with your idea you will just give up on it after doing it a bit, because it’s just a pain in the ass without any upside (in my opinion).

[1] Tails - Home

Theoretically: Malicious software could be installed in the background and wreak havoc as soon as you are successfully logged in. Directly on the device without knowing your password/2FA. The malware could enter the system unnoticed via a zero-day. Virtually every Chrome and Firefox update now fixes a high-level security vulnerability.

1 Like

I use my old laptop as a separate secure machine. It actually runs Qubes OS with disposable VMs. But that’s more like a hobby.

I think, a read-only Linux on USB should be sufficient. Maybe you can have it on a stick with a manual read-only switch (make sure hardware or firmware enforces, not only suggests this).

as it supports read-only per default and is a rather hard target (powerful nation-state adversaries that are not interested in your usecase).

This is more convenient, as you only have to carry around one laptop (or none). Criminals capable of infecting the hardware below the OS don’t seem that common. On the other hand, I don’t know how many billions you intend to handle from your machine.

Further upgrades could be:

  • Separating passwords into two parts on two different machines (e.g. keepass file on smartphone and stick, each). Don’t forget backups
  • Dedicated email account with the same security (maybe Protonmail). The email account often is as dangerous as losing control over 2FA.

In any case, you will need a way to push files (e.g., annual reports for tax) to your less critical daily driver. But some online Dropbox should be sufficient. You could also abuse the email account, but you want to open that one as seldom as possible, as it is likely a root for most other accounts.

1 Like
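The “two parts on two different machines” idea above can be done so that neither half on its own tells an attacker anything. The following is an added example (not code from the post’s author): it splits a secret into two XOR shares, one to keep in the KeePass file on the phone and one in the file on the stick, and shows why a single share is useless to whoever steals one device. The sample password, the share encoding as hex, and the function names are all my own assumptions for illustration.

```python
import secrets


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split `secret` into two XOR shares of equal length.

    share_a is fresh randomness, share_b = secret XOR share_a. Each share on its
    own is a uniformly random string, so a device holding only one of them
    leaks nothing about the secret (unlike storing the first and second half).
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; both shares are required."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def consistent_share(share_a: bytes, candidate: bytes) -> bytes:
    """Given one share, produce the partner share that would yield `candidate`.

    Because this works for every candidate of the right length, an attacker
    holding share_a alone cannot tell the real secret apart from any other
    string of that length.
    """
    if len(share_a) != len(candidate):
        raise ValueError("candidate must match the share length")
    return bytes(x ^ y for x, y in zip(share_a, candidate))


def share_to_text(share: bytes) -> str:
    """Hex encoding suitable for pasting into a password-manager entry (assumption)."""
    return share.hex()


def text_to_share(text: str) -> bytes:
    return bytes.fromhex(text.strip())


if __name__ == "__main__":
    password = b"correct horse battery staple"  # constructed sample secret
    on_phone, on_stick = split_secret(password)
    print("phone entry:", share_to_text(on_phone))
    print("stick entry:", share_to_text(on_stick))
    recovered = combine_shares(text_to_share(share_to_text(on_phone)),
                               text_to_share(share_to_text(on_stick)))
    assert recovered == password
```

The trade-off the post already hints at applies doubly here: losing either share loses the secret outright, so both KeePass files need backups, and the two shares should never be stored or backed up in the same place.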

Wouldn’t you trigger all kinds of alarms with your bank/broker, if you try to connect to it through Tor? Tails forces all your traffic through Tor.

7 Likes

You’re totally right. I forgot about that. It’s a no-go.

2 Likes

You may choose a Swiss exit relay.

That would still be in Tor’s published list of exit nodes, which I’m sure the banks are using.
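To make the point concrete: the published exit list is a flat list of addresses, and a check against it does not care which country the exit sits in. The block below is an added example (not from anyone in the thread) of the kind of check a bank’s login backend could run. The list content is constructed from RFC 5737/3849 documentation addresses rather than real relays, and the function names and the “flag”/“allow” outcome are my own assumptions.

```python
import ipaddress

# Constructed sample in the one-address-per-line format of Tor's published
# bulk exit list. These are documentation addresses, not real relays.
SAMPLE_EXIT_LIST = """\
# comment lines and blank lines are ignored
203.0.113.7
203.0.113.8

198.51.100.23
2001:db8:dead::1
"""


def parse_exit_list(text: str) -> set:
    """Parse the list into a set of ip_address objects, skipping junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one malformed entry should not break the whole load
    return exits


def _normalise(client_ip: str):
    """Return an ip_address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Proxies and dual-stack listeners often log the mapped form; without this
    step a listed IPv4 exit would slip past the check.
    """
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_tor_exit(client_ip: str, exits: set) -> bool:
    try:
        return _normalise(client_ip) in exits
    except ValueError:
        return False  # unparsable address: not provably a Tor exit


def login_decision(client_ip: str, exits: set) -> str:
    """Outcome for a login attempt (assumed policy: flag Tor exits for review).

    Note that an exit chosen with ExitNodes {CH} is still in the list, so
    picking a Swiss exit changes nothing here.
    """
    return "flag" if is_tor_exit(client_ip, exits) else "allow"


EXITS = parse_exit_list(SAMPLE_EXIT_LIST)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "::ffff:203.0.113.7", "192.0.2.1", "garbage"):
        print(ip, "->", login_decision(ip, EXITS))
```

In practice the list is refreshed periodically and usually combined with other signals, but the shape of the check is exactly this: set membership on the client address.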

Network is not the attack vector, it’s more about having a trustworthy system (in times of TLS network is no longer a problem). I don’t think it makes sense to discuss Tor or VPN services here.

And privacy is also not a use case, you are identified to the bank anyway.

But of course, you can also convince me otherwise :slight_smile:

My mother-in-law (who just turned 90) has the blueprint for the ultimate security hardening feasible for your threat scenario:

  • owns no computer, no smartphone
  • physically shows up at the bank’s branch for all transactions

I’ll be a little more paranoid than previously discussed before turning to more serious advice:

  • your USB stick with Linux on it, how has it been sourced? Where is it produced, who had access to the supply chain? China? Israel? The US?
  • ditto for your separate notebook
  • that Linux distribution you’re talking about …
    • are you installing binaries from some web site on the Internet?
    • or are you compiling source code and installing it yourself?
      • and where do you download the source code from? Has there ever been an issue with source code injected at that code repository? If not, how do you know this isn’t an issue now?
  • that VM you’re running your disposable images in, are you sure that exploits in the VM haven’t made it to the host operating system and are now persistently infecting every new VM you install and use?

Let’s say you’ve addressed all of the above. What about making sure you’re connecting to the site you’re thinking you’re connecting to?

  • you are only using DNSSEC, right? For domains, including your bank’s, you call them up in order to make sure you’re connecting to the right IP address instead of the one your DNS servers claim they are.
  • another layer up: you’ve checked your browser is … ahem … trustworthy. I don’t know what your checklist for this is, but here’s a few suggestions:
    • write your own browser (good luck!)
    • don’t use the browser of some small company or non-profit org as they don’t have the resources to security test their own thing or respond quickly enough to reported or otherwise discovered vulnerabilities
    • use the browser of some Really Large Company that has teams staffed with hundreds if not thousands of people working on them. Admittedly, not all of these people work on the security of that browser – in fact, most work on increasing the probability that you keep using that Big Company’s products – but in my experience you still have teams in the “hundreds” that worry about the security of that browser
    • Ok, we now assume you have a secure browser, whatever that means
    • You’ve sorted through the list of root CAs that are acceptable to your browser. I.e. the CAs that sign the certificates that your bank’s servers present to your browser such that a cryptographically authenticated and secured connection is established between you and your bank. There have been many instances of root CAs issuing certificates for entities that should not have received them, so this is a pretty important step.

Ok, enough for now. Here’s the serious advice.

You don’t need to outrun the bear, just your fellow folks running away from the bear.
What you already do is sufficient if you keep applying common sense when in doubt.
Use a separate browser (see above for legitimate choices) that you use only for transactions you worry about and use that browser for nothing else.


To be clear, we’ve just scratched the surface, but when you’ve worked with folks from, say, Hoolie’s Project Zero team, you can get as creatively paranoid as you want.

The reality, though: you personally are not a target, and none of these sophisticated attacks will ever likely land on your computer. It’s more probable that a Great White Shark will bite you while lightning strikes the both of you.

8 Likes

Of course, in the end it’s always a balancing act, there is never 100 % safety. If someone is sitting behind you with a gun, even the best tech-safety features are useless. And I think the argument ‘what about?’ should not be used as an excuse for not making certain things safer.

1 Like

Right. I am saying – and I believe you replied before I finished my post – that you’re already doing more than most others & you apply common sense, and that’s already enough.

1 Like

Never forget the weakest link: yourself.

  • no passwords by heart
  • never click on ads, email links and attachments
  • 0 trust to people
  • social engineering is successful

(15% in our company clicked on an email link with a slightly different domain and tried to SSO login. IT company with 70% devs!)

6 Likes
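The “slightly different domain” in that anecdote is something a mail gateway or a browser extension can catch mechanically. What follows is an added example (not from the poster, not any product’s code) that classifies a link against a list of domains users legitimately log in to, catching the usual tricks: confusable characters (examp1e, exarnple), a swapped TLD, the brand buried in a longer label, and the real domain used as a subdomain of an attacker’s domain. The trusted domains are constructed, the confusable map is deliberately small, and the two-label “registrable domain” rule is an assumption that ignores multi-label public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed list of domains the organisation's users legitimately log in to.
TRUSTED_DOMAINS = {"example-bank.ch", "example-corp.com"}

# Characters attackers commonly swap for look-alikes; folded before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels (assumption: no multi-label public suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold(label: str) -> str:
    """Normalise common confusables so examp1e and exarnple compare equal to example."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: set = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's domain."""
    host = hostname(url)
    if not host or "." not in host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    sld, _tld = domain.rsplit(".", 1)
    for t in trusted:
        tsld, _ttld = t.rsplit(".", 1)
        if fold(sld) == fold(tsld):          # confusable chars or swapped TLD
            return "lookalike"
        if edit_distance(fold(sld), fold(tsld)) <= 1:   # one-character typosquat
            return "lookalike"
        if tsld in sld:                      # brand embedded: example-bank-login.net
            return "lookalike"
        if f".{t}." in f".{host}.":          # brand as subdomain of another domain
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://login.example-bank.ch/", "https://examp1e-bank.ch/sso",
                 "https://example-bank.ch.secure-login.net/", "https://unrelated.org/"):
        print(classify_link(link), link)
```

A classifier like this belongs in front of the user, not instead of them: “unknown” still deserves a look, and SSO should in any case be bound to the origin (for example via FIDO2/WebAuthn), so that a convincing look-alike page cannot replay what the user types.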

Adding

ExitNodes {CH}
StrictNodes 1

to torrc forces a Swiss exit node.

But results in

1 Like

With the trend towards email clients where you need three clicks to see the sender and with the trend towards Microsoft Safetylinks bullshit URLs, I’m not surprised.

interesting… postfinance.ch works

I wouldn’t use anything like Tails. These images themselves might have a high chance of being trojaned to begin with as those who use them might be specific targets.

Given how valuable and vulnerable your phone is, I’ve also given thought to separating out IBKR and banking apps onto a separate device.

As always there’s a big convenience/security trade-off.

3 Likes

I think if you want the simplest option:

  • Buy a new Chromebook and use that only for your online banking
  • You can use a separate device for the 2FA (hopefully something more secure than SMS that can’t fall back on SMS)
  • Of course, this means that you now can only do your online banking at home

Ditto for IBKR account.

1 Like

Inputs on Cybersecurity have already been given here. Ultimately, I share the viewpoint that as ordinary user you will be safe if you uphold common measures. The risk you need to avoid is being identified as high value target, because nearly no one survives a specific, targeted attack (which might include a perpetrator getting physical access to your devices). So, you know, don’t post about your multi-million net worths on the internet :sweat_smile:

Then, there is your own live access as a risk. When you got mugged twenty years ago you lost your cash. Nowadays you may be forced to access and wipe out your entire brokerage. So, don’t allow instant transfers, and don’t carry around a phone with all necessary access tokens (e.g. keep a separate phone with your 2FA which stays at home).

Lastly, there is containment. Make sure you’ll be notified immediately, by push and/or mail, if a fraudulent transaction happens (and know how to act). This setup depends on your broker and bank, just mentally go through an attack scenario and tailor a solution. In my case for example, this included a separate mail account with old-school POP3 for certain notifications so that mails couldn’t be purged, even if a perpetrator had full access to my main device.

And: This is one of the reasons why I prefer a local Swiss bank/broker: Whenever I move large amounts around I get a call to verify the transaction, before it actually gets executed.

The one thing I’d add but isn’t offered: A cyber insurance for private individuals with decent coverage (never found anything offering more than CHF 50k loss coverage).

1 Like

Plot twist …

… in the vein of @PhilMongoose’s spot on convenience/security trade-off: how do your heirs access their inheritance you’re managing via that super secured access to your funds?

Probably, on the surface, this doesn’t apply to most of you, at least not yet, seemingly, but for many probably potentially. And if you add the proverbial chance of getting run over by a tram, it might actually apply to you even today, and even if you’re young.
Admittedly, less important if your heirs “only” inherit your assets and do not need timely access to the cash flow generated by your assets.

I’m in the category now where my family’s assets – managed by me – generate a majority of the cash flow we consume. I need to make sure that if I drop dead tonight my loved ones can still access that cash flow until ownership of the assets is officially sorted out (which can take months, even in simple cases).

I’m thus interested in having accounts jointly owned (a little bit of a headache with IBKR, simple with Swissquote) and access to cash accounts even with 2FA being relatively simple (again a little bit of a headache with IBKR, relatively simple with Swissquote).

2 Likes