Most secure device for accessing bank accounts

This topic has been archived, and won't accept reply postings.
 Mick r 26 Feb 2021

Hi

I have always used my works laptop for accessing my online bank accounts, as this is kept up to date with Anti Virus software, and everything is tunnelled back through centralised firewalls. However, I'm about to lose access to my laptop, and so need to replace with something. 

So, what should I get that's fairly cheap and cost effective, but also secure? At the top end, I could buy a replacement Windows machine and pay for full AV cover, but now also thinking of an Android tablet or Chromebook, but no idea of the relative safety/security of these platforms. If I go for a Windows machine, do I need to pay annually for AV?

Any insight or recommendations gratefully received

thanks 

 rj_townsend 26 Feb 2021
In reply to Mick r:

The banking apps are now pretty much full-feature, so would that be the easiest option? I'm with Barclays and haven't needed to log on to the web version for c. 8 years.

 dread-i 26 Feb 2021
In reply to Mick r:

Apple have a closed ecosystem, so their iPhone/iPad apps have tighter quality control than the Android versions. This means that it is less likely, though not impossible, to have bad iPhone apps that may snarf your data.

As for anti virus, you really should run an AV on your PC. Some are free and some start at ~£20 per year. And yes, you need an AV if you run a Mac.

 mondite 26 Feb 2021
In reply to Mick r:

Something never used for anything else. About the most secure option would be the Android with just the banking app installed.

 StuPoo2 26 Feb 2021
In reply to Mick r:

What bank are you with Mick?

RBS give me a full copy of MalwareBytes for free as part of being a customer:  https://personal.rbs.co.uk/personal/fraud-and-security/malwarebytes.html

Also

https://personal.natwest.com/personal/fraud-and-security/malwarebytes.html (part of RBS)

https://www.hsbc.com.tr/en/direct-banking/digital-banking/online-security/m...

AV is part of this ... but it's really not the most likely way that someone gets your credentials and gets into your account.  Much more likely to get phished or you use your email + password somewhere else that gets hacked.

I'd recommend the following if you're worried about keeping your bank account safe:

  1. Dedicated email account for your financial services.  Use it for nothing but your banking - never use it for anything else.  
  2. Many financial services will allow you to specify a different email account to be used for password resets only.  Use this option if it exists (and never ever use that password reset email account for anything but password resets).
  3. Dedicated strong password for each financial service you consume.  Never use your bank account password for anything else - ever.  (Never share passwords)
  4. Enable 2x factor authentication on your financial services accounts.  SMS is one option.  My preference is something like the Google Authenticator app with rotating 60 second numeric pass code.  In effect ... this means you need to have my username, password and my cell phone with rotating 60 second passcode ... to get into my account.

The latter makes it exceptionally difficult for someone to get into your account.

Tell us what you eventually go for.

OP Mick r 26 Feb 2021
In reply to Mick r:

Thanks for the replies so far.  I have tried the apps, but for investment sites, HL and II, the Apps are pretty restrictive so I still would like to use a web browser.  I am thinking of having a dedicated device, but hadn't considered a dedicated email account. Why would this help?

Mick

 mondite 27 Feb 2021
In reply to Mick r:

> I am thinking of having a dedicated device, but hadn't considered a dedicated email account. Why would this help?

It's verging on overkill assuming you aren't someone known to have enough money to be worth personally targeting but assuming the email account is random enough and has bugger all to do with your main account.

Reduces chance of phishing emails being successful. If a shop's db is compromised then whoever grabs that data can send you personalised emails every now and again working through the different banks. If the email for the bank is different from the shop though it's immediately obvious.

Reduces chances of someone managing a password reset attack.

 remus Global Crag Moderator 27 Feb 2021
In reply to Mick r:

Short answer

A Chromebook would be a great choice. Use a password manager. Use 2FA (YubiKey style dongle, Google Authenticator or SMS in order of preference) and make sure you generate account recovery codes and store them securely. Educate yourself on what phishing attacks look like.

Long answer

(It started getting a bit too close to a book so I'll leave you with the highlights above!)

 wbo2 27 Feb 2021
In reply to Mick r:

An honest answer is via two factor authentication and it is an abject disgrace that this isn't implemented for your bank

 summo 27 Feb 2021
In reply to Mick r:

Make sure none of your finance related email addresses, usernames or passwords are the same as any forums! (Or anything else less secure).

 guffers_hump 27 Feb 2021
In reply to dread-i:

I haven't run an anti virus on my gaming rigs for the last 7-8 years, the Windows 10 standard software is pretty good, but I haven't needed an antivirus software.  Also I recommend getting NoScript if you use Firefox or whatever the same thing is on Chrome. Not that you shouldn't have an AV but they can be a resource hog. May be better to install a small Linux operating system on the same PC.

Post edited at 11:20
 Luke90 27 Feb 2021
In reply to Mick r:

Of the three options you've suggested (Android, ChromeOS or Windows), ChromeOS is definitely the most secure.

Windows is more flexible about the software it runs, which makes it more powerful but also more open to compromise by malicious software. Though to give credit where it's due, it's a lot more secure than it used to be. And I wouldn't pay for AV software any more, I think the free option from Microsoft (Windows Defender or whatever they're calling it these days) is adequate.

Android and ChromeOS both let you install Android apps (and also Chrome extensions on ChromeOS). Barring deliberate workarounds, which you'd have to actively enable, all that installed software has to come through Google's store. But Google aren't all that good at policing what they let into the store and malicious stuff does regularly slip through. You're still pretty safe if you stick to well-known apps from established developers with good reputations. But it's worth thinking about. The key advantage over Windows is that malicious software would only get installed if you actively chose to install it. It would still be more limited in capability than malicious software on Windows potentially could be. And if it was later found to be malicious, Google might choose to wipe it from people's devices.

Given those similarities between Android and ChromeOS, the reason I would recommend ChromeOS over Android is that Chromebooks will receive security updates more regularly and for longer than Android tablets. And you can get a lot more done on one without installing any apps or extensions at all, whereas Android pretty much requires apps for full functionality. Technically, you could do almost everything you can do in ChromeOS in the Android browser, but it would be much more frustrating.

You didn't list Apple iOS but it's arguably even better. I've never owned an Apple device because I'm too much of a cheapskate and I don't like the over-simplification and lack of options. But they do a great job on security and privacy compared to the others. Update policy on a par with ChromeOS and much better gatekeeping on what gets allowed into the store to keep out malicious apps (though they're also more restrictive about keeping out apps that aren't malicious but which they dislike for a variety of other reasons).

 jkarran 27 Feb 2021
In reply to Mick r:

Chequebook... If you think like my boss. 

I just use my android phone and an old Win7 PC. Maybe I'm not paranoid enough especially given the shift away from partial passwords.

Jk

OP Mick r 27 Feb 2021
In reply to remus:

thanks, how does the Google Authenticator work with 3rd party apps?

 remus Global Crag Moderator 27 Feb 2021
In reply to Mick r:

> thanks, how does the Google Authenticator work with 3rd party apps?

It requires support from the third party app. It's based on a technology called TOTP; Google Authenticator is just one app that implements it, so you could use the Microsoft version if you preferred.

 StuPoo2 01 Mar 2021
In reply to Mick r:

Both Hargreaves Lansdown and Interactive Investor support 2 factor authentication Mick - SMS to your cell phone.  You won't be challenged for it on every login from the same device/browser - only when they don't recognize where you're logging in from or if the previous one has expired.

Don't use public wifi while I'm at it.

 mondite 01 Mar 2021
In reply to Luke90:

> Given those similarities between Android and ChromeOS, the reason I would recommend ChromeOS over Android is that Chromebooks will receive security updates more regularly and for longer than Android tablets. And you can get a lot more done on one without installing any apps or extensions at all

That's in many ways a negative though. The Chromebook would encourage you to use it for more things whereas a tablet wouldn't.

OP Mick r 01 Mar 2021
In reply to StuPoo2:

thanks, I have the 2FA set up for II, but I can't see it on HL.  Maybe because I haven't traded in a while, or I use the Website instead of the App.  I'll check it out

No intention of using public wifi, though all secure traffic should be encrypted 

 Luke90 01 Mar 2021
In reply to mondite:

Fair point. I guess I can get my head around spending a significant chunk of money on a more secure device but never using it for anything else strikes me as a step too far. I can see the logic, I just wouldn't go that far myself, so I wasn't looking at it from that perspective.

To me, a device with reasonable security and with careful or minimal app/extension installations is plenty secure enough for online banking. Especially considering that a lot of banks require a second factor for access and every bank I've ever used required one to actually transfer any money.

Dedicating that device exclusively to online banking seems wasteful of resources and money for relatively minimal security gains, to my mind. Unless it's a repurposed device that you no longer need in its original role, though that raises other questions about how long it will keep getting updates and whether you can be confident it's clean as a starting point.

