security

[Tom Roberts]

Hi Nathan

With the kind assistance of Gerardus, I have Money running under Wine for the past 2 months. Thanks also to the tremendous efforts you illustrated in your forum posts -- this gave me confidence to give Xubuntu a try. 

I have a question which you may or may not have an answer to. I am wondering about the additional security which Linux offers to: 

- gmail and other email accounts, 

- use & storage of passwords, user ids, 

- multi-factor authorization, 

- protection of a laptop when designated by a bank as a 'trusted device'

- online bank transactions.

There are many security issues that an IT security expert could name...

There was recently someone's account at a Canadian brokerage, Questrade, which was hacked and the thief sold the shares in the account.

This got me thinking more about security. I read somewhere that Linux was more secure than Windows. I'd be grateful to know whether you have any views on this.

Thanks

Tom

[N G]

Hi Tom,

Yeah, definitely a lot to unpack here. Here are some thoughts in no particular order.

Probably not the answer you're looking for, but Linux isn't going to save any particular user from themselves. Or Macs.

If a person isn't mentally hardened to social engineering hacks (phishing, sim swaps, comprehension and awareness of cybersecurity best practices) then Linux won't make a difference. Clicking, downloading, or installing things without discretion will lead to problems on any system.

The usual practices are still in play: update your system regularly. Don't install anything outside the Ubuntu repositories, don't run random scripts you find online on your machine.

Don't run any program as root that doesn't require it. Even better, don't enable the root account. Ubuntu disables root by default and uses sudo so this shouldn't be a factor for you.

I don't run antivirus on Linux, usually that's important when you have Windows machines on the same network. The stuff I mentioned already is what counts more in Linux.

The browser and email are the main attack vectors. Social media, SMS and messaging apps as well. Use some kind of malware blocking like uBlock Origin in the browser. In the Questrade hacks that I read about it seems like the hackers got into the user's email and/or sim-swapped to get control of their email and phone number. You have to guard that stuff closely. Just think about all the important accounts that are tied to your email and phone numbers. Once they get in, they can send out "Forgot Password" requests and you won't know as they delete those emails to cover their tracks.

In this day and age I advise my family:

1. Don't answer the phone if you don't recognize the number. (and sometimes even if you do!) Your voice can be recorded and used to access your accounts over the phone.
2. Don't click on ANYTHING in any email or text message. Even from someone you know, because once they are infected it's coming to you.

If you're a hard target the hackers move on unless there's a reason.

The Finance Buff has had a few articles that I have taken to heart:
https://thefinancebuff.com/brokerage-account-acats-transfer-fraud.html
https://thefinancebuff.com/vanguard-2fa-yubikey-google-voice.html

The yubikey article was eye opening to me when I first read it. I like the end-to-end nature of this solution. Keep in mind, you need at least two yubikeys because if you lose one or it malfunctions you'll be locked out as well. The good thing is you can use the yubikeys with phones via NFC.

Which leads to Questrade. I don't know anything about them but you can google/reddit any company with regards to hacking. Personal cybersecurity is a lot weaker than what financial institutions need to comply with. A quick search on Questrade yields some stuff that doesn't look good as far as business practices go, but that's a different subject. Again, it seems highly likely that the hack from earlier this year was because the victim's email was compromised and they didn't contact Questrade right away as the events were taking place.

Vanguard has a feature now that when I go to login to download transactions, the login page shows a QR code. I use my phone camera to look at the code, which then opens the Vanguard app on my phone with FaceID, and then the app asks me if it's me trying to login on such and such browser at such and such IP address. I like this method since I don't actually type anything in; protection against keyloggers. I still wouldn't use this method on any machine that's not mine. 

Security is not convenient. The more convenient it is, typically the less secure it is.

This probably doesn't answer all your questions but at least discussion creates awareness.

Nathan

[Tom Roberts]

Hi Nathan

Many thanks for your many thoughts, the links and, most of all, freely sharing your experience. 

I will go through the links in detail but so far there are good suggestions. The lockdown is useful to prevent transfers out, but once someone has access to the account, they can sell stocks which seems to be what occured with the Questrade incedent. 

Anyway, I will go through the links. I am afraid that our Canadian banks are not very customer-security oriented. 

Indeed, your message has created new awareness in me. 

Thanks again

Tom

--
You received this message because you are subscribed to the Google Groups "Microsoft Money" group.
To unsubscribe from this group and stop receiving emails from it, send an email to microsoft-mon...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/microsoft-money/e9b0441e-eb3b-4b01-a909-cd280d045fbdn%40googlegroups.com.