I have recently moved my bank current and short-term savings accounts. Partly this is a political statement in support of the Move Your Money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK Mutual than with the UK arm of a large Spanish Bank. However, my reason for mentioning this here is that the move gave me the opportunity to compare the on-line mechanisms of both my old and new providers and it also got me thinking again about the way I actually do my on-line banking.
The thinking here is that my browser is the least secure (and probably most targeted) application on my desktop. So if I use a browser which I know has not connected to anything other than the two or three financial sites I trust, I should be relatively safe. Shouldn’t I? (OK, DNS poisoning could have redirected the browser to fake sites, but you get the drift I’m sure). And the best way to be sure that the browser I use is nailed down, and uncorrupted, is to run that browser from a separate machine. However, separate physical machines are expensive and it is tedious to have to fire up another box just to handle my banking when I could do it all from a VM.
But if my main desktop is already compromised (with, say, a keylogger) how safe am I? One of the nice features of VirtualBox is its ability to capture both the keyboard and the mouse automatically whenever the guest OS is in focus. For example, on starting a new guest OS, VirtualBox says “You have the auto capture keyboard option turned on. This will cause the VM to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine.” So theoretically, all keypresses will be intercepted by VirtualBox and will be invisible to the underlying host OS and its applications. But does this apply to a keylogger trojan already in the host OS? I guess that depends on the trojan and where within the complex stack of kernel, kernel modules, VirtualBox and applications it actually hooks itself. But after revisiting and pondering upon my previous assumptions during the move of my accounts, I can’t help feeling that my (rather elaborate) security mechanisms are actually no more than a nice warm security blanket.
But they do make me feel safer…