Mar 04 2012

Print this Post

am I kidding myself

I have recently moved my bank current and short term savings accounts. Partly this is a political statement in support of the move your money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK Mutual than with the UK arm of a large Spanish Bank. However, my reason for mentioning this here is that the move gave me the opportunity to compare the on-line mechanisms of both my old and new providers and it also got me thinking again about the way I actually do my on-line banking.

As you would expect, I do all my on-line financial transactions from my linux desktop. Given the prevalence of sophisticated banking trojans (PDF file) such as ZeuS, I really don’t see how anyone could comfortably use a windows based machine, even one fully patched, with up to date virus protection and firewall in place. But I go further than just using my desktop, I actually only log on from a second desktop within a virtualbox VM. Further, the browser I use in that VM is as stripped of functionality as is possible (no addons, no plugins, defaults to block cookies etc.) and only ever connects to my bank(s) and no other sites. Unfortunately, the banks insist on cookies and javascript so I have to enable those selectively.

The thinking here is that my browser is the least secure (and probably most targeted) application on my desktop. So if I use a browser which I know has not connected to anything other than the two or three financial sites I trust, I should be relatively safe. Shouldn’t I? (OK, DNS poisoning could have redirected the browser to fake sites, but you get the drift I’m sure). And the best way to be sure that the browser I use is nailed down, and uncorrupted, is to run that browser from a separate machine. However, separate physical machines are expensive and it is tedious to have to fire up another box just to handle my banking when I could do it all from a VM.

But if my main desktop is already compromised (with say a key logger) how safe am I? One of the nice features of virtualbox is its ability to capture both the keyboard and the mouse automatically whenever the guest OS is in focus. For example, on starting a new guest OS, virtualbox says “You have the auto capture keyboard option turned on. This will cause the VM to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine.” So theoretically, all keypresses will be intercepted by virtualbox and will be invisible to the underlying host OS and its applications. But does this apply to a keylogger trojan already in the host OS? I guess that depends on the trojan and where within the complex stack of kernel, kernel modules, virtualbox and applications it actually hooks itself. But after revisiting and pondering upon my previous assumptions during the move of my accounts, I can’t help feeling that my (rather elaborate) security mechanisms are actually no more than a nice warm security blanket.

But they do make me feel safer…..

Permanent link to this article: http://baldric.net/2012/03/04/am-i-kidding-myself/


Skip to comment form

  1. Peter

    Did you check the *physical* connection? :-). I actually had a debate about privacy in a similar context, and there are two remarks I’d give you from that:

    1 – there is no such thing as 100% secure (not that I need to tell you this), you thus take the risk you deem acceptable. The problem is that your perception of risk may be off, for instance due to a lack of knowledge (or too much beer, but I digress).

    2 – isn’t it sad that so many people have to do so much to have a moderately safe banking experience? There *was* a solution, but those who came up with the idea tried to sell to the wrong audience, and the company thus went bust.. If anyone has a spare £10M..

  2. Mick


    I’d guess that I’m in the minority in the approach I take. Certainly I know that a woeful number of people are happy to log on to their banks from crusty old windows boxes stuffed full of malware. The banks seem content to take the (significant) financial hit this poses them because their losses are covered by customer charges. And as you will see from my later post, my new bank seems oddly cavalier about my protection. Why use flash on a bank site for pity’s sake?

    And log on from an Android ‘phone? Do me a favour guv…..



  3. Peter

    Haha – Android? It’s actually amazing how few people realise that they have become the “service” Google outsourced the Streetview WiFi gathering to.. Have read of item “47” in this response to the Canadion privacy commissioner: http://www.priv.gc.ca/media/nr-c/2010/let_101019_e.cfm

    So, no thank, I’m with you on that. No Android for me – not that it ever was an option after discovering that nothing useful works until you have a Google logon (I actually *read* Terms & Conditions)..

  4. Mick


    Thanks for that link. For the benefit of others I’ve copied the content below. The Canadian Commissioner’s report says:

    “47. Google intends to rely on its users’ handsets to collect the information on the location of WiFi networks that it needs for its location-based services database. The improvements in smart-phone technology in the past few years have allowed Google to obtain the data it needs for this purpose from the handsets themselves.

    48. Although it has no tracking tool to keep records of a customer’s locations (and does not intend to create one), Google acknowledges that it does need to examine the potential privacy concerns of this method of collection.”

    The report goes on to say:

    “70. The fact that Google does not intend to resume collection of WiFi data with its Street View cars eliminates the possibility of further inappropriate collection of personal information through the tool developed by its engineer.

    71. However, from users’ handsets, Google intends to obtain the information needed to populate its location-based services database. This alternative method of collection could also lead to inappropriate collection and retention of personal information if Google does not put in place appropriate safeguard measures.”

    So. If you use an Android ‘phone, Google owns you. But we knew that…….


Comments have been disabled.