Should You Limit Online Banking to One Computer?
Using a separate computer just for banking and other financial transactions is an idea that is gaining some attention.
The prevalence of banking Trojans, spyware, keyloggers and other forms of malware aimed at financial fraud means it might be best to set aside a single PC used solely for online banking, online purchases and other financial transactions.
For people who conduct a lot of business online, including those who run small businesses, having a dedicated computer for finances especially makes sense. Even home users could benefit from designating an old PC as the "money machine."
Pros and cons
According to Paul Wood, cybersecurity intelligence manager at Mountain View, Calif.-based anti-virus firm Symantec, a computer dedicated to business transactions can certainly beef up financial security.
Wood gives us some reasons why:
1) In an office environment, physical access to the dedicated computer can be controlled if the machine is placed behind a locked door.
2) The dedicated computer can use an isolated Internet connection, separating it from the corporate local network.
(However, this could introduce other security issues, Wood pointed out, such as the need to duplicate firewall protection, malware protection and patch management.)
3) Users won't be able to mix financial transactions with email and general Web browsing, which will minimize opportunities for malware infection and phishing.
Will it really work?
Based on these points, having a dedicated computer for financial transactions appears to be a sound security idea — but perhaps we’re looking at the security problem in the wrong way.
"A better question is this: What do we need to do to ensure that normal online behavior is better protected from fraud?" asked BC Krishna, president and CEO of MineralTree, a Cambridge, Mass.- based company that provides secure, online payment solutions.
"Computers themselves are always vulnerable," Krishna said. "Your financial data can still be obtained by insiders at financial institutions, for example, or by external fraudsters. The computer itself isn't as important as the mechanisms and policies that are in place to protect sensitive information."
That's why it's important to ensure that security best practices — such as two-factor authentication, transaction verification, segregation of duties and transaction monitoring — are all followed when financial transactions are performed.
For example, two-factor authentication or verification, also called two-step authentication or verification, is a simple process that takes only a few seconds yet adds a significant amount of protection.
"Two-factor authentication verifies your identity by sending out a onetime code to your phone, after you enter your login credentials, that you'll then have to submit before accessing your account," Krishna explained.
Split up the job
For small businesses, segregation of duties is another strategy that works because it increases internal controls.
For instance, when businesses make payments, at least two different employees should handle the transaction: One should write the check or order the transfer, and another should approve the payment. The result: No single person can compromise security controls.
Another benefit of segregation of duties: The chances that two computers and two sets of credentials will both be compromised are vastly smaller than the odds that a single computer and a single set of credentials will be.
Furthermore, having a computer dedicated only to financial transactions can create a false sense of security across your computer platforms.
If you are paying close attention to protecting banking and credit-card numbers on one computer, will you pay equal attention to the personal information being shared on the other computers, particularly on social media sites?
Users must also be aware that financial sites can spread malware just as easily as any other site, and that financial institutions don't always institute security best practices.
In other words, there's no right or wrong answer to the question of whether to have a computer dedicated solely to financial transactions.
"The right approach," said Wood, "depends on finding the right balance between peace of mind and security, and management and maintenance of the banking system."