How safe are websites that require credit card info?

Is it safe to give credit card information to trusted websites using a computer with no firewall or virus protection? I spoke with the bank and they claimed any bad transactions would be resolved in my favor. I can't think of any compromising situations other than a key logger on my machine that would get me in trouble. So, I went ahead today and signed up for a year's subscription to e-yearbook.com for some old classmate photos. It was $19.95 for a year's subscription but I had to use my debit card numbers. How safe is that?


Bill Bowden

Last time I checked, debit cards had FAR LESS fraud protection than credit cards. A debit card can wipe out your entire bank balance. Even if you do eventually get it back, you may have a lot of other financial issues to deal with.

I set up a checking account in a different bank with a credit card there. Use that for all my internet transactions.

mike

If you gave them your PIN, you are screwed. Debit card with PIN is cash.

Tom Miller

I'm with Mike. I've been told that Debit cards have all the same legal protections as Credit cards, but the practical issues outweigh that. If you have fraud on your Credit card you see it on the statement at the end of the month and notify the card issuer, no problem. If you have fraud on your Debit card you find out when your checks start bouncing. Restoring your cash is fine, but the damage is already done.

For this reason I tell my bank to give me an old-fashioned ATM card that is *not* a Debit card. I'm not sure that's what I have though... lol

Anyway, I never use anything other than a credit card over the phone or on the Internet, even with Paypal. I only use my ATM card with the PIN at *my* bank or at the supermarket.

--

Rick
rickman

rickman wrote in news:m032r8$l1q$ snipped-for-privacy@dont-email.me:

+1 Also you probably should be using a dedicated browser for financial transactions over the internet. A portable install of any of the leading browsers except IE is suitable, but *NEVER* use it for general internet browsing.
--
Ian Malcolm.   London, ENGLAND.  (NEWSGROUP REPLY PREFERRED)  
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk  
[at]=@, [dash]=- & [dot]=. *Warning* HTML & >32K emails --> NUL
Ian Malcolm

Even better: use a live CD, either cold-booted from a USB stick or inside a VM.

Consider Lightweight Portable Security.


Tom Gardner

I use my Blackberry for that stuff--it's one of the pre-Android models, and so has no malware and good data security. (I don't know how secure BB 10.3 is, but up to BB 7 it's been pretty nearly bulletproof.)

If I have to bail on that, I'll probably just use an old laptop running a Linux live CD. Takes awhile to boot, but suspend works OK, so you don't have to do it very often.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
ElectroOptical Innovations LLC 
Optics, Electro-optics, Photonics, Analog Electronics 

160 North State Road #203 
Briarcliff Manor NY 10510 

hobbs at electrooptical dot net 
http://electrooptical.net
Phil Hobbs

It depends on how it's used. If it's used with the PIN (as a debit card), it's between your bank and you. There are protections but some banks are much better than others. CUs tend to be very good, large banks, not so much. OTOH, if you use it (a MC or VISA branded card) it is cleared through the credit card network, rather than an interbank network, and has the same protections as a VISA or MC. The CC company will stand behind the transaction, letting your bank off the hook.

Again, it's up to your bank. Many will fix everything in the case of fraud. It's their business to make cards easy and safe to use.

You're completely protected with a CC.

krw

What difference does the website portal security matter if you can't trust the merchant's underlying back-end security processes in the first place?

The (USA) recent offenders' list includes: Target, Home Depot and, as of this morning, I read that Jimmy John's sandwich shop has a massive security breach too.

Though I don't recall the details, I did once read that the credit card companies have a fix for all these problems and supposedly many of those fixes are already in place in Europe. The article suggested that the exposure simply isn't great enough for US merchants to swap out all their POS infrastructure - or be forced to by the CC companies. Of course, that could all be B/S too.

I have noticed at three different stores where I live that I could make my purchases simply by swiping my debit card. The terminal does not ask for a PIN and does not ask me to sign anything. Just swipe and go. One is a grocery store, the other (believe it or not) is a gas station. In both cases, it seems there is a $50 limit, because if you go over $50, it will ask for a PIN or signature (depending on whether you select debit or credit).

-mpm

mpm

Live CD is slow and too much trouble to re-enter the settings every time. I have multiple 16G (perhaps 5G used) USB flash drives for web browsing and other developments.

I have all the settings stored on the SD image and it takes only a few minutes to clone it back on a new hard drive without any user interactions.

edward.ming.lee

As someone once noted, "using ssl is like using an armoured van to deliver the message to a tin shack". If there is a decent web front-end then the statement might have to be amended to "...a tin shack with a brick front wall"

Tom Gardner


Keyloggers have a zillion ways to get on your computer. As soon as you log on, they empty your accounts and wipe your credit cards.

A live CD means you have to key in the bank url, so you are subject to typo errors that can lead to a copy of your bank logon page. As soon as the criminals have your logon info, they empty your accounts.

The best I have found is to run Ubuntu 10.04 as a host for VirtualBox. You can run Win7, but it takes 6GB just for the WINSXS, plus all the regular files. This works, but it takes a long time to backup.

I run XP in VirtualBox 4.04. There are a number of separate VDI installations. One is for general browsing. It has email, Flash, Firefox, PDF-XChange PDF viewer, LTspice, and all the other general programs. It has no connection to the LAN and no USB. To transfer files, I copy them to the Ubuntu Desktop, then to wherever they need to go.

One of the VDI installations is for banking. It has no email, no connection to the LAN, and no USB. Most of the unnecessary functions are deleted, and it has only the bare minimum needed to connect to the banks.

I use Sticky Password manager. It stores the bank url and logon info so I never have to enter the url or any confidential info. The banking VDI never goes anywhere except to the financial institutions which are saved in Sticky, so it is unlikely to get infected.

If the main browsing VDI happens to get corrupted or infected, the infection cannot cross over to the banking VDI, so a keylogger has no hope of capturing the logon info.

If the main browsing VDI gets infected or corrupted, I simply copy the VDI from the backup. I have the essential data copied to the Ubuntu desktop, so it is a simple matter to download the new files to the old VDI and I'm back in business. The main VDI is only 3 GB, so it only takes less than a minute to copy the files to and from the backup. This means backing up is quick so I do it often, and especially whenever I make a change to the configuration.

The rest of the data files are in drives D:\ and E:\ and can store hundreds of gigabytes so I'm unlikely to run out of space. But these take longer to backup, so I do it less often. But the files don't change much, so there is less need to back them up.

About the only risks are some criminal getting into the router for a man-in-the-middle attack, or some external failure in the web such as a poisoned DNS link. I could change the router software to a more secure version, but I don't feel the risk is that bad to go to the trouble.

There is little I can do against a poisoned url, so that will have to be the bank's worry.

Running XP in VirtualBox seems to be the ideal solution to file corruption in Windows, or most of the malware that can wipe out your bank accounts or cripple your computer. The software is free, and it is virtually impossible to tell you are running in a virtual computer. For the security and reliability it offers, it is hard to beat.

Tom Swift

How many settings do you need to change just to do your online banking?

How confident are you that malware can't write to your flash drive?

Cheers

Phil Hobbs


A Linux keylogger will see what you type into the VM, though, making it no better in that respect than a plain Linux system.

Cheers

Phil Hobbs


Nope.

VirtualBox intercepts the keystrokes at a very low level and sends them to the active program. When I am running in a vm, Linux cannot see my keystrokes. I have to shift the focus to Ubuntu in order to do anything there.

I asked the author of a keylogger if he could see the keystrokes in a vm. He said he could not. There is little risk of getting infected with a keylogger in Ubuntu.

Ubuntu has Firefox installed, but I never use it to browse the web. I deleted the email program and other unnecessary files so they cannot access the web. I am running behind a NAT router so there is no way malware can connect to Ubuntu and download and install itself.

I have verified the installation does not respond to attacks with Steve Gibson's Shields Up.

About the only thing that could get infected is the main browsing VDI. However, it never connects to the banking sites and does not have the logon info. It has no access to the LAN, and has no USB access. The malware is trapped and cannot go anywhere else.

Malware in the browsing vm cannot see the keystrokes in the banking VDI, and it cannot cross over to the banking VDI, so it cannot see the logon info.

If I get an infection or install a bad program that is impossible to delete, I do not have to reinstall Windows and all my programs and data, then spend hours trying to get all the configurations back to where they were.

I simply overwrite the corrupted VDI with the backup in seconds, so an infection is easy to dispose of.

Tom Swift

Depends on the computer. Some years ago, it was bruited about that if you did a fresh Windows install on a new PC, and exposed it to the Internet to update Windows to the latest set of security fixes, your computer had a high chance of being exploited (malware installed from outside) before it could finish downloading the security patches. The *only* safe method in this case was to do a fresh install, and then do the upgrade from behind a well-secured firewall (on a network which didn't have any exploited PCs running on it).

Modern Windows versions may be safer.

Quite a few pieces of malware are designed to search for useful credentials on your system... credit-card numbers, login and password information for banking sites, and so forth.

There is always a risk when you give your credit-card info to any merchant. Both online merchants, and reputable brick-and-mortar merchants have been subject to really serious "loss of personal and financial data" due to malware and security loopholes.

Using debit cards is somewhat riskier in this respect (legally and practically) than using credit cards. If your debit card information is stolen, the thief could drain your entire account quite quickly... and even if the bank agrees to rebate the funds, your money is gone and hence unusable until the bank finishes its investigation. If this causes you cash-flow problems and you fail to pay bills and are penalized, that's your problem, not your bank's.

The Federal rules for reporting bogus charges on debit cards are less in your favor and more in your bank's, than is the case with credit cards. If I recall correctly, you have less time to report bogus charges, and if you miss the deadlines to report then *you* may be at risk for all of the bogus charges.

So, it really comes down to this: how much financial chaos and disruption are you willing to risk (in the short term at least) if a baddie gets ahold of your financial credentials?

I believe that banks are much more proactive about watching for illegitimate activity on credit cards, since it's *their* money being paid out - you can dispute any portion of a bill and refuse to pay it, and the bank doesn't get to demand payment from you until after they investigate and have evidence that the charge was actually legit.

Personally, I never use a debit card on-line, and only rarely at a brick-and-mortar merchant, due to the reduced protection. I either use a credit card, or (when on-line) pay by PayPal - my account is tied to a checking account in which I keep a relatively small floating balance, so that if something goes badly wrong my exposure is limited.

Due to the big credit-card-info thefts during the past year or so, I set up a transaction-watch for my primary card - I get an email from the bank whenever a charge is made without the card being physically present. So far so good... between this, and checking the bill carefully each month I'm comfortable that I can catch any illegal use well before the end of the reporting period.

David Platt

Hmm. I don't know how happy I'd be in relying on that. OTOH I have an OS/2 VM on my main laptop, so if what you say is true, I can go back to being Conan the Barbarian on the net. ;)

Cheers

Phil Hobbs


In Europe (including Great Britain) the CC companies have switched to a "chip and PIN" approach - an individual "smartcard" security chip in the credit card. You plug the card into the terminal, it asks you for a PIN, feeds the PIN to the card, and the card generates a secure "signed" transaction which authorizes the charge.

The banks were so proud of this that (in the UK at least) they claimed that it was, in effect, entirely secure... that you had to have both the card, and the PIN (known only to the cardholder and the bank). They had a reputation of refusing claims of "Hey, my card was stolen!" from their customers, on the grounds that the fraudulent transactions showed that they'd been verified using the PIN, and that the cardholder must therefore have given the PIN away, and thus the cardholder was liable for the charge.

They were quite embarrassed, a year or so ago, when somebody figured out and publicized a "man in the middle" attack which broke this security. It turns out that there's a way to trick the point-of-sale terminal into reporting "transaction was verified by the card, using the PIN", where the card itself had only reported "the card is physically present for the transaction". The PIN itself wasn't ever required.

Here in the US, the CC companies have resisted the chip technology for years, due to the cost of upgrading the POS network. Due to the massive frauds lately (for which they have ended up paying most of the costs) they've decided to change. Starting in (I think) 2015, they're switching to a slightly different "chip and signature" system, with a smartcard chip in the credit card. Validation of the card using the security chip will be required, and a signature *may* be required. It's not primarily a PIN system, although some of these cards may also support chip+PIN mode.

The CC companies figured out an "inventive" way to pay for the new point-of-sale network. They're making the stores pay for new chip-capable terminals. Technically, stores don't *have* to upgrade... but if they stick with the old card-swipe terminals and do not upgrade, then the responsibility for the costs of a fraudulent transaction will be on the store, not on the card issuer.

David Platt
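As an added illustration, not from the thread or from any real EMV implementation: a toy model of the issuer-side check that catches the mismatch David Platt describes. The card MACs the fields it actually saw (an HMAC standing in for the card's cryptogram), the terminal forwards them plus its own unsigned "PIN verified" claim, and the issuer is shown both trusting that claim and insisting that the card-authenticated result backs it. The key, nonces and amounts are constructed.

```python
import hashlib
import hmac

# Constructed per-card key; a real card derives its key from issuer secrets.
CARD_KEY = b"constructed-demo-card-key"

PIN_VERIFIED = "PIN"   # cardholder verified by PIN
NO_CVM = "NONE"        # card only attests that it was physically present


def card_cryptogram(card_key, amount_cents, cvm_result, nonce):
    """Card side: MAC over the fields the card itself saw.
    Stands in for the EMV cryptogram. The CVM result is included so the
    terminal cannot change it afterwards without the MAC failing."""
    msg = b"|".join([str(amount_cents).encode(), cvm_result.encode(), nonce])
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def build_auth_request(amount_cents, nonce, card_cvm, terminal_cvm_claim):
    """Terminal side: forwards the card's authenticated fields plus its own
    (unsigned) claim about how the cardholder was verified."""
    return {
        "amount": amount_cents,
        "nonce": nonce,
        "card_cvm": card_cvm,
        "card_mac": card_cryptogram(CARD_KEY, amount_cents, card_cvm, nonce),
        "terminal_cvm": terminal_cvm_claim,
    }


def issuer_decide(req, card_key=CARD_KEY, trust_terminal_claim=False):
    """Issuer side. With trust_terminal_claim=True the issuer takes the
    terminal's word (the weakness the post describes); otherwise only the
    CVM result covered by the card's cryptogram counts."""
    expected = card_cryptogram(card_key, req["amount"], req["card_cvm"], req["nonce"])
    if not hmac.compare_digest(expected, req["card_mac"]):
        return "DECLINE: cryptogram mismatch"
    if trust_terminal_claim:
        cvm = req["terminal_cvm"]          # unsigned; terminal could say anything
    else:
        cvm = req["card_cvm"]              # authenticated by the card
        if req["terminal_cvm"] != cvm:
            return "DECLINE: terminal CVM claim not backed by card"
    if cvm != PIN_VERIFIED:
        return "DECLINE: cardholder not verified"
    return "APPROVE"


if __name__ == "__main__":
    # Card saw no PIN, terminal claims one: only the strict issuer notices.
    req = build_auth_request(1995, b"nonce-demo", NO_CVM, PIN_VERIFIED)
    print("trusting issuer:", issuer_decide(req, trust_terminal_claim=True))
    print("strict issuer:  ", issuer_decide(req))
```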

What's your definition of "fix everything?" What about all the automatic payments from your bank account that failed because you're overdrawn. What about the loans that increase the interest rate if you're late paying...then send that info to other CC accounts that can also increase your rate because you're late on someone else's account? Those terms of service are BRUTAL. I think the aftermath is more complex than you propose.

mike

Isn't the whole idea of malware to be undetectable? How do you know you're infected?

mike
