TR Forums

My Yahoo email account was hacked recently and this put a good little scare into me w/r/t PC security in general. After the hack, my wife and I had all our credit cards reissued and have changed all of our passwords for retail, banking and other financial accounts. So far so good, nothing weird has shown up in any statements. But this got me to thinking about potentially better proactive methods. Specifically - if I need to transmit financial data online, would running that browser in a virtual machine provide protection from common malware in the host OS? I've considered setting up a dedicated box for financials, but would prefer to avoid the clutter if possible. Thanks for any advice along these lines.

You're looking at it backwards. If you really want that kind of security (and the bother that goes with it) you want to do your general web usage in the VM and then do your financial stuff in the host OS, or possibly in another VM. In general if something can compromise your host OS it can get into stuff running on it as well.

Rather than going whole-hog with a VM, you might want to look at Sandboxie, which will sandbox a web browser or any other program so that in theory it can't get out. It's significantly less bother (and expense, if you have to buy another Windows license for a VM), and if you pay for the registered version you can have one sandbox per program.

A keylogger or packet sniffer in the host OS could theoretically still steal personal data from sessions in the guest OS, since the I/O is still getting routed through the host OS. While doing what you propose will likely give you some benefit in terms of increased security, as bthylafh notes what you really want to wall off is the stuff that is most likely to be infected, not the stuff you want to secure. Once the host is infected, all bets are off.

I would also suggest using a non-persistent VM so that any changes are discarded when you turn it off.

You might also look at using something like KeePass http://keepass.info/ to securely store complex passwords for the various sites you may use. An old school way would be to print all your secure passwords and store them physically in a safe.

While a VM has potential to help might malware and financial fraud at the local PC level, I personally worry more about the other end of the payments channel. Sure, I may enter my credentials and payment info on a clean box using Transport Layer Security of some sorts, thus protecting my info in transit from my box to a remote server somewhere...but then once the merchant and/or payment processor has the data, all bets are off as far as I am concerned. Does the merchant store the payment/card data? Is it on an unencrypted network share? Is it on a backend database server somewhere with loose DB and NTFS permissions? Does the merchant share data with vendors or other third parties with lax security practices? Even if the merchant is supposedly PCI compliant, there are still often many glaring security holes. I will say that having worked in community banking and information security for the last 10 years, my views are somewhat cynical and biased. Security is often difficult, and data touches many, many hands these days due to so much outsourcing.

Pagey wrote:

Even if the merchant is supposedly PCI compliant, there are still often many glaring security holes. I will say that having worked in community banking and information security for the last 10 years, my views are somewhat cynical and biased. Security is often difficult, and data touches many, many hands these days due to so much outsourcing.

Since PCI standards don't require encryption for internal data transmission, only external, there's still no guarantee that your data will not be spraying all around the grocery store.

And you're no more cynical than someone who's been in the regulatory side of this for more than 15 years now.

sluggo wrote:

But this got me to thinking about potentially better proactive methods.

If you don't already use Malwarebytes Anti-Malware, I recommend you buy a license and install it alongside the Anti Virus you use today. It's generally not advised to run two AVs in parallel, but MBAM was designed for that, and is known to be lightweight. The free version is good for cleaning infected PCs--many folks know that--but the paid version adds proactive protection with lifetime updates which significantly improves your resident protection since you have two AVs monitoring the system instead of only one. That's two products made by different teams of researchers using different algorithms, signature databases etc. The license is normally $20-25 but it frequently goes on sale, and recently it's been as low as $10. To be notified in real-time you can create a deal alert on Slickdeals.