Sunday, January 19, 2025

Financial Paranoia 5 - Things we don't need for online banking

There are several "privacy tools" that are often recommended but are neither necessary nor suitable for online banking.  

About Tor

The purpose of Tor is to make it difficult for your ISP or the government to tell what sites you are visiting.  With normal HTTPS web sites, the contents of your session and the full URL path are encrypted, but the name of the site you are connecting to is still visible in your internet traffic (in the DNS lookup and in the TLS handshake), along with the server's IP address.  Tor also makes it very difficult for the web sites you access to determine your IP address, and thus your identity or location.  

This makes sense in scenarios where you want to anonymously access blocked or illegal web sites without logging in.  This is why Tor is often used by journalists and activists in countries whose governments impose strict punishments and have very restrictive ideas about what people should be able to access or post.  It is also why Tor is often used by criminals looking to buy illegal drugs, access illegal pornography, sell stolen credit card numbers, etc.  

For accessing online banking, we generally aren't trying to hide the fact that we are accessing, say, Mitsubishi bank.  In general, it's fine if the government or your ISP knows that you are accessing online banking.  Likewise, since you are going to log into your bank account anyway, the bank will know who you are.

Since Tor could be used by bad actors who have obtained your credentials to log into your bank, and since the list of Tor exit node IP addresses is public, many banks actively block connections from Tor exit nodes or treat such logins as suspicious.

Using Tor to access web sites is also usually quite a bit slower than accessing them directly.  

So, Tor is not recommended for accessing your financial accounts.

About VPNs

The idea behind consumer VPNs is to encrypt all of your traffic, including the names of the sites you visit and any other data that would normally travel unencrypted, but only between your device and the VPN provider's exit point.  From there the traffic continues as normal, so the VPN provider, rather than your ISP, is the party that can see where you are connecting.  Another possible advantage is that by choosing an exit node in another country, you can make it appear that you are accessing a site from a country other than the one you are actually in.

This may provide an extra layer of protection if you are accessing your banking accounts from somewhere like a cafe WiFi hotspot, but in general it shouldn't be necessary, since banking sites use HTTPS encryption anyway, and it isn't usually a problem if the names of the sites you are visiting are known to third parties.  

Further, banks may block foreign IP addresses and known VPN servers for similar reasons to Tor.

The end result is that accessing your accounts via a VPN may be slightly slower than accessing them directly, and some banks may block you.

About Tails

The purpose of systems like Tails is to make sure no evidence at all remains on your PC of which sites you have accessed.  This means no cookies, no browser history, no cache, etc.  Tails runs from a USB stick, keeps everything in memory, and routes all network traffic through Tor.  

This may be useful for journalists operating in adversarial environments, spies, and those visiting sites used only for illegal activities, because if law enforcement confiscates and analyzes the PC, they will find no evidence of the activity.  

Again, since we generally don't need to hide the fact that we were accessing banking web sites (and the banks will have access logs anyway), Tails and other zero-evidence systems are of limited usefulness in banking.  Because Tails sends everything through Tor, the exit-node blocking described above applies to it as well. 

There is a limited advantage to using Tails in that if a running Tails instance is compromised, it will be reset back to a clean state when it is rebooted, since the system itself is read-only and nothing is written to disk (unless you enable its optional persistent storage).  This advantage can be approximated by running a VM on your normal OS and reverting to a post-install snapshot after every run.  Keep in mind that a VM is only as trustworthy as the host it runs on: malware on the host can read the VM's screen and keystrokes.  

Summary

Running a locked down and hardened system is recommended for banking to reduce the chance of a successful attack; however, running systems designed to hide or erase your online activity is not typically necessary or useful.  

System hardening is a separate and complex topic, but there are a few simple things you can do:

1. Don't use an administrator account for daily use - It's too easy to get tricked into approving something you didn't mean to do, and anything you run by mistake runs with full privileges.  

2. Use a separate Windows / macOS / Linux login for banking-related tasks - The OS uses separate accounts to keep each user's data and settings apart.  While the protection isn't perfect, it's better than nothing.  

3. Make sure your system is up to date - Security flaws are found and fixed all the time.  

4. Enable the firewall - It prevents connections to your computer from random machines on the internet.  

5. Uninstall unused software and turn off unused services - Software and services often have vulnerabilities, and a service that isn't running can't be exploited.  For example, turn off remote desktop and file sharing if you don't use them.  
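A quick way to check items 1 and 5 on the machine you actually bank from is to probe your own loopback address for the remote-access and file-sharing services mentioned above, and to check whether the shell you are in is an administrator account.  The script below is an added example and not part of the original post; the service-to-port table is the standard port assignments (an assumption: something else could be listening on those ports), and it only tells you what accepts connections locally, not whether the firewall blocks them from outside.

```python
import os
import platform
import socket

# Services the post suggests turning off on a banking machine, with the ports
# they normally listen on. Standard assignments only (assumption): a port that
# answers is a prompt to go and look, not proof of which service is behind it.
SERVICE_PORTS = {
    "Remote Desktop (RDP)": 3389,
    "Windows file sharing (SMB)": 445,
    "VNC": 5900,
    "SSH": 22,
    "Apple file sharing (AFP)": 548,
}


def port_accepting(port, host="127.0.0.1", timeout=0.3):
    """True if something on this machine accepts TCP connections on `port`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_local_exposure(ports=SERVICE_PORTS):
    """Map service name -> bool (listening). Anything True that you do not
    use is a candidate for 'turn off unused services' (item 5)."""
    return {name: port_accepting(port) for name, port in ports.items()}


def running_as_admin():
    """Is this shell an administrator/root account? (item 1)"""
    if os.name == "nt":
        import ctypes
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0


def report(exposure, admin):
    """Human-readable summary of the two checks."""
    lines = [f"{platform.system()} {platform.release()}, admin shell: {admin}"]
    for name, listening in exposure.items():
        state = "LISTENING" if listening else "closed   "
        lines.append(f"  {state}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_local_exposure(), running_as_admin()))
```

Run it from the banking login after you have disabled the services you don't use: every line should read "closed" and the admin flag should be False.  Items 3 and 4 (updates and the firewall) still need to be checked in the OS settings themselves.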


Tuesday, January 14, 2025

Financial Paranoia 4 - The Bare Minimum - Password Manager & Separate Usernames

In the last installment, we discussed using a separate email account, email aliases, and a separate smart phone for online banking and credit cards.

All of this compartmentalization will go to waste, however, if you use the same username and password for your banking sites/apps as you use for things like Reddit and Facebook.  

Using a separate password for each site requires either an ironclad memory, a big paper notebook, or a password manager.

The Password Manager

For low-priority, non-financial sites, I recommend using something like Proton Pass or Bitwarden to manage your accounts and passwords.  These work across smart phones and PCs, sync your passwords, and are easy to use.  

For banking-related accounts, however, I recommend using an offline password manager such as KeePass.  A database that is never uploaded to a cloud service cannot be exposed by a breach of that service (it can still be stolen by malware on the computer you open it on, which is one more reason to keep that machine clean).  You can keep the database on a USB flash drive, and attach that to your computer or phone only when you need it.  

A word of warning about USB flash drives, though.  Flash drives fail and get lost, so make a backup to a second drive at least once every month or so, check that the copy actually opens in KeePass, and keep it in a safe place where you won't lose it.  If you lose the only drive or it breaks, you could very well lose access to all of your accounts.  
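The two things that go wrong with this kind of backup are a copy that is silently corrupt and a backup that quietly falls months out of date.  The script below is an added example, not code from the original post or from KeePass: it copies the database to a dated file on the backup drive, verifies the copy by hash before trusting it, and reports whether the newest backup is older than the monthly interval suggested above.  The file names and the 30-day interval are assumptions for the example.

```python
import hashlib
import shutil
from datetime import datetime, timedelta
from pathlib import Path

BACKUP_INTERVAL = timedelta(days=30)   # "once every month or so" (assumed)
STAMP = "%Y%m%d-%H%M%S"                # timestamp embedded in each backup name


def sha256_of(path):
    """Hash a file in chunks so large databases need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(src, backup_dir, now=None):
    """Copy the .kdbx to backup_dir under a dated name and verify the copy
    byte for byte. Returns the new backup's path; raises (and removes the bad
    copy) if verification fails, so a corrupt copy is never kept as a backup."""
    src, backup_dir = Path(src), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now()).strftime(STAMP)
    dest = backup_dir / f"{src.stem}-{stamp}{src.suffix}"
    shutil.copyfile(src, dest)
    if sha256_of(src) != sha256_of(dest):
        dest.unlink()
        raise IOError(f"backup verification failed: {dest}")
    return dest


def backup_time(path):
    """Recover the timestamp from a file name produced by backup_database."""
    parts = Path(path).stem.rsplit("-", 2)
    return datetime.strptime("-".join(parts[-2:]), STAMP)


def backups_of(src, backup_dir):
    """All dated backups of src, oldest first."""
    src, backup_dir = Path(src), Path(backup_dir)
    if not backup_dir.is_dir():
        return []
    return sorted(backup_dir.glob(f"{src.stem}-*{src.suffix}"))


def backup_is_stale(src, backup_dir, now=None, interval=BACKUP_INTERVAL):
    """True when there is no backup yet, or the newest is older than interval."""
    found = backups_of(src, backup_dir)
    if not found:
        return True
    newest = max(backup_time(p) for p in found)
    return (now or datetime.now()) - newest > interval


if __name__ == "__main__":
    # Assumed paths: the database on the everyday USB stick and a second drive.
    db, store = "/media/usb1/banking.kdbx", "/media/usb2/kdbx-backups"
    if backup_is_stale(db, store):
        print("backup overdue, writing one now:", backup_database(db, store))
    else:
        print("newest backup is recent enough")
```

Verifying the hash catches a copy that was cut short by yanking the drive; it does not replace opening the backup in KeePass once, which is the only test that proves the master password and the file still work together.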

For most financial related sites, you will need some sort of username, which will typically be one of the following:

  1. An account number
  2. An email address
  3. A separate username

When an account number is used, you will typically not have any choice in the matter, but at least the account number will be unique.

When an email address is used, you can make it unique by using an alias. 

When a separate username is required, this will sometimes be created for you, and sometimes you can choose it yourself (or change it later).  

Since you are using a password manager anyway, I would recommend that you create a separate un-guessable username for each site when you have the opportunity.  

Either way, you definitely want to use a separate, hard-to-guess password for each site.  Most password database tools have a feature that can generate the passwords for you.  Sadly, some sites will only accept relatively short passwords or not allow special symbols.  Use the longest password the site allows, as you will normally only have to copy and paste to input it.  

You might want to use easier-to-type passwords such as "Happy-toaster-Fossil-345$" instead of "DdfhjfREgGcED32T42%#!k1$" in case you have to enter them manually on a phone keyboard or the like, but even then it is usually a one-time thing.  

Once you have completed the above...

Congratulations!
You have now virtually eliminated the risk that anyone can log into any of your accounts using a password list from data breaches they bought online.  In fact, in most cases they won't even be able to figure out your username, much less your password.  

Financial Paranoia 3 - The Bare Minimum - Separate smart phones & emails

In the last two installments, we discussed social engineering and phishing, as well as the danger of password re-use.

With regard to social engineering, the best antidote is probably increased vigilance; however, I am here to propose some real-world solutions to the more technical attacks.  

We'll start with the most minimal changes you can make without much inconvenience or cost, and we'll move on to more sophisticated options in future installments.  

First, since enhanced security is almost always a trade-off, let's discuss why you might be willing to endure the inconvenience in exchange for more security.  

Value Proposition

If, like many people, you don't have much money in your bank account, you might think that there isn't much to protect - but imagine that you only have $500 in your bank account, and scammers steal it.  You lose the time and effort to reset your accounts, etc., and also the only $500 you had in the world.  Worse yet, if they also manage to steal your credit card information, they can spend money you haven't even earned yet.  Sure, perhaps you can get that money back after everything is sorted out, but this can be a long and time-consuming process, and you may have to pay in the meantime.  

On the other hand, if you have a lot of money in the bank, then there is more for the criminals to steal.  This means you have more to protect.  Likewise, your credit cards likely have higher limits as well.  

Step 1: Separate Banking Phone & Accounts

If you are like most people, you probably use a smart phone for some of your online banking, and possibly a computer as well.

The first "trick" is to get a second phone, one dedicated to banking.  Many people already have an old phone laying around from their last upgrade, or could get one relatively easily.  

It would be ideal if you got a separate SIM card with a separate number for your banking phone, however we'll cover that in a future installment.  For now, we'll assume you're going to go with WiFi.  

The first thing to do is a factory reset on your old phone, then update the operating system to the newest version.  If the phone is so old that it no longer receives security updates, it is not a good candidate for a banking phone.  

If it's an android phone and you need to log in using a Google account, create a new one specifically for banking.  Likewise, if it's an iPhone, perhaps you need to register a new Apple account.  

When creating this email address, ideally use a random-looking address that has nothing to do with your real name or normal email address.  For example, if your real name is "Akiko Wada", don't use AkikoWada56; use something like ChochoHima12.  The idea is that you will only use this email for banking, so you'll never use it to post to social media and the like, and nobody (except your banks and credit card companies) should ever know what it is.  

Make sure you use a different password than your normal account.  Also, don't set your normal account as the recovery address that is allowed to reset your banking account.  You don't want someone who compromises your normal account to be able to use that to reset your banking account.  

Make the password for your banking account sufficiently long, and set it to require a one-time password (OTP) when you log in if that's an option.  You can put the OTP (authenticator) app on your normal phone for now if you like.  

There are probably apps on the phone that you don't need that will be installed by default - particularly on carrier branded Android phones.  Uninstall or disable as many of these as you can.  

Next, verify the login and password for each of your banking apps, and then uninstall them from your normal phone unless you will need them while you are out and about.  Ideally you should have a separate spending money account that isn't connected to your payroll, but more on that in a future installment.  

Install these banking apps on your Banking phone and log in.  Since we'll be using your normal phone number for now, keep your normal phone handy to receive any SMS confirmations.  

I would also highly recommend that you use Proton Mail for banking purposes; a free account is fine for now.  If you already have a Proton Mail account, then sign up for a new one just for banking.  

Next, you'll want to log into each of your online banking and other finance related accounts (Credit cards, brokerages, etc), and change your email address to the new banking specific one you just created.  Before you do that, though, let me sell you on another idea.  

If you don't mind too much, it's best to use a separate address for each and every bank, credit card, etc., that you use.  You don't actually have to create separate accounts, though, as you can use so-called +aliases (plus addressing).  This works with either Gmail or Proton Mail, but with Proton Mail there is the added advantage that you can send from these addresses as well.  

How does this work?  You simply register mail addresses with each company as follows:

If your real email is xxx@yyy.zzz, you use xxx+ccc@yyy.zzz, where ccc is the company.

  • beavis123@protonmail.com (Real/Main Address)
  • beavis123+mitsubishi0114@protonmail.com
  • beavis123+smbc1102@protonmail.com
  • beavis123+mizuho1204@protonmail.com

etc.  Here I also added a number at the end to make it harder to guess.

The advantage of these types of aliases is that they are widely supported, and free.  You also don't have to create them beforehand; you can just make them up on the fly and use them.  (A few sign-up forms reject the "+" character; for those you will have to fall back to the plain address.)

The main disadvantage is that someone can tell your real address simply by looking at an alias and removing everything between the + and @ symbols.  You also can't easily block mail to such an alias, since it all lands in the same mailbox; you can only filter it. 

So why bother?  

a. You avoid giving out your "real" address, and potentially avoid spam.

b. You can use it as a check later on to see if emails are legitimate.

c. You can use it to create forwarding rules, etc. in the future.
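The alias scheme above and the "check the To: line" test (reason b, and item 7 in the list further down) are mechanical enough to script.  The example below is added here and is not the post's code: it registers which alias was given to which company (the suffixes are made up, like those in the post), checks that a message claiming to come from a company actually arrived at that company's alias, and shows the weakness the post mentions, namely that stripping the +tag recovers the real mailbox.

```python
import re
from email.utils import parseaddr

# Constructed mapping: which alias was registered with which company.
# The numeric suffixes are invented for this example.
ALIASES = {
    "beavis123+mitsubishi0114@protonmail.com": "Mitsubishi",
    "beavis123+smbc1102@protonmail.com": "SMBC",
    "beavis123+mizuho1204@protonmail.com": "Mizuho",
}

# user, optional +tag, domain. Assumes the mailbox itself contains no '+'.
ADDR_RE = re.compile(r"^(?P<user>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def split_alias(address):
    """Return (real_address, tag) for a plus-addressed email.
    This is exactly what an attacker does to learn your real mailbox: drop
    everything between '+' and '@'."""
    m = ADDR_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not a usable address: {address!r}")
    return f"{m['user']}@{m['domain']}", m["tag"]


def check_recipient(to_header, claimed_sender, aliases=ALIASES):
    """The To: line check. A mail that claims to be from `claimed_sender`
    must have been delivered to the alias registered with that company.
    Returns (ok, reason)."""
    _, addr = parseaddr(to_header)
    addr = addr.lower()
    if not addr:
        return False, "no recipient address in To: header"
    expected = {a for a, company in aliases.items()
                if company.lower() == claimed_sender.lower()}
    if not expected:
        return False, f"no alias was ever registered with {claimed_sender}"
    if addr in expected:
        return True, "recipient matches the alias registered with this company"
    try:
        _, tag = split_alias(addr)
    except ValueError:
        return False, "recipient is not a valid address"
    if tag is None:
        return False, "sent to the bare mailbox; the company only knows the alias"
    owner = aliases.get(addr, "nobody")
    return False, f"alias {tag!r} was given to {owner}, not to {claimed_sender}"


if __name__ == "__main__":
    # Constructed headers: one genuine, one phish sent to the main address.
    print(check_recipient("Beavis <beavis123+mitsubishi0114@protonmail.com>", "Mitsubishi"))
    print(check_recipient("beavis123@protonmail.com", "Mitsubishi"))
    print(split_alias("beavis123+smbc1102@protonmail.com"))
```

Note that the check is only as good as the secrecy of the suffix: `split_alias` shows that the mailbox itself is trivially recoverable, which is why the post adds a number the sender cannot guess.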

Whether you use the aliases or not, update each bank account to use the banking email (either the main address or an alias).  

If you log into your banking email on a PC, do it in a private window, and don't let your PC remember your username or password.  Log out once you are done.  

Once everything above is complete, I would recommend you switch any banking related OTP settings to use an authenticator app on your banking phone, then the separation between your work and financial online identities will be almost complete.  

If you are in the US, then I would consider setting up a Google Voice number for your banking phone, if not, then we will cover setting up a separate number for banking in a future installment.  

Congratulations:

Once this step is done you will have the following enhanced security:

1. If your normal phone is hacked, it won't give anyone access to your financial accounts since there are no banking apps on it.

2. Your banking phone is much less likely to be hacked since it doesn't have any non-financial apps.

3. Accessing your normal email via PC or phone won't give anyone any information about your finances or any way to break into your accounts.

4. If you see an email on your normal account from a bank, you will immediately know it's a phishing attempt (since all your banks will only email your banking address).

5. You are much less likely to receive phishing emails to your banking email address since you only use it for banking.

6. If your normal phone is lost or stolen you don't need to worry about banking apps being lost, and you will still have access to your critical banking apps.  (Leave your banking phone at home and turned off when you don't need it).  

7. If you used aliases, then you can easily tell when an account and the sender don't match.  For example, if you used beavis123+mitsubishi0114@protonmail.com with Mitsubishi, then all emails from them should arrive at that address only.  When you receive an email from them, you can check the "To" line to make sure it's correct.  (This is where using a number at the end makes it harder for anyone to guess the correct address.)  

8. If your mail account is compromised, they won't be able to use it to figure out where you bank, which credit cards you have, etc.  (You did remember to delete all old mails from those places, right?)  

9. As an added bonus, you won't need to set up all your banking apps and authentication again the next time you upgrade or change your main phone.  

10. Since you don't need to keep your banking phone with you most of the time, you can keep it at home in a safe place so there will be much less risk of it being lost or stolen.  

Monday, January 13, 2025

Financial Paranoia 2 - Phishing, Account Takeover, Password Re-use, and Typo URLs

In the last installment, we discussed social engineering scams that were more about misleading trusting people than any technical measures.  This time we will touch on more technical methods of stealing your money.


1. Phishing

Although the term is plain silly, the activity is anything but.  There are many variations, but typically someone tries to convince you to log into a fake bank web site, etc. through a link in an email.  

It's not always banks, though: email accounts, shopping sites, and delivery services are common targets.  

I get these all the time for Yamato express and other delivery services and Office 365 and occasionally for Gmail.  

The message will usually say something like: Your account will be closed due to non-payment (so log in and update your payment information), your account needs to be re-verified for security reasons (so log in and answer some security questions), etc.

If you click on the link in the email or SMS, it may take you to a page that looks deceptively like the real web site, where you enter your login information.  The attackers collect this information and use it to log in as you to the real site.  The real site may ask security questions when it sees "you" logging in from a new computer, but if the fake site has already collected those answers from you, that's not a problem for them.  

Worse yet, smart phones and one-time password confirmations don't always help if the attackers use your information in real time.  For example, you enter your username and password into the fake site, and it asks you for your OTP.  Unsuspecting, you enter your OTP, and if they use it immediately, they can log into the real site with your username, password, and OTP.  Codes sent by SMS or generated by an authenticator app can all be relayed this way; only origin-bound methods such as passkeys or FIDO2 security keys resist it, because the browser will not release the credential to a site whose domain doesn't match.  

The goals of the attacker can be anything from getting control of your email to use it for spam, buying stuff for themselves (especially gift certificates) from Amazon, or redirecting your packages, all the way up to getting control of your bank account.  

Not only might they steal your money, but they might use your account to receive money they scammed from other people in an attempt to hide their identity (making you an unwitting money mule).  

There are various mitigations, including never clicking links in emails for any kind of shopping or banking site, checking the link URLs carefully, checking the sender name carefully, installing anti-phishing software, etc. - but even the most careful person can get tricked occasionally.

All it takes is one wrong click.  

I have some additional suggestions, but we'll go over those in a future entry.  

2. Password Re-use

We've all heard the advice to use different passwords for different accounts and services - but why?  

The main reason is that if the password for one of your accounts is leaked via a data breach or phishing, then the attacker can try that password with your other accounts.  

For example, let's say you have an account with Rakuten Shopping, and their customer database is breached.  This information is collected into lists that are bought and sold on the dark web, and whoever buys these lists will try the same email address and password against high-value services such as online shopping and banking accounts.  

If the attacker has your username "BabyMonkey2024" and your password "Password123" for Rakuten, they can not only log into your Rakuten account, but they can try the same username/email and password with Amazon, Mitsubishi, SMBC, Citibank, and wherever else they can think of.  They also have scripts to automate this (the technique is known as credential stuffing), so they can try hundreds of sites for thousands of users, and focus on the ones where they happened to be able to log in.  

Obviously using a different password for each site is the best defence here, but of course remembering a password for every site is perhaps not realistic.  There are two ways around this:

a. Use a password hashing tool.  These tools combine a single master password with the site's name or URL to compute a hash that you use as your password.  The advantages are that you only need to remember one password, the calculated password for each site is different, and there is nothing to "store".  The disadvantages are that in real life many sites have password restrictions that may not be compatible with the generated password, many sites require you to change your password periodically (so you have to track a counter per site after all), and if the master password is ever phished, every derived password is compromised at once.

b. Use a password database.  There are cloud tools such as ProtonPass, BitWarden, DashLane, etc., and primarily offline tools such as KeePassXC.  

Theoretically the online tools are secure, since any reputable service encrypts your password database with a key derived from your master password (which they never see).  This means that even if they are hacked, the attackers would only get an encrypted database.  

In reality, if your database password is weak, then it can be cracked.  Even if it is strong, there may be some unknown weakness that could be exploited later.  For these reasons, I tend to be untrusting of public cloud based password management services for personal use.  

Offline tools such as KeePass are safer in that respect, but can be less convenient to use if you have multiple devices, and require you to manage and backup your password database.  You can keep an offline backup of your password database using USB drives, etc., or you can keep a cloud backup using services such as DropBox, OneDrive, iCloud, etc. - but be aware that using cloud services to keep backups of your password databases re-introduces some of the risk associated with cloud password management services mentioned above.  

As far as the password generation itself goes, many tools have a built-in generator for hard-to-guess complex passwords.  These passwords can be hard to enter manually, though, so you might consider using something like www.correcthorsebatterystaple.net to generate a more human-readable password.  
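To make options (a) and the word-based generation concrete, here is an added example (not the post's code, and not what www.correcthorsebatterystaple.net runs): a deterministic per-site password derived from one master password with PBKDF2, including the per-site counter you need when a site forces a change, next to a random word passphrase in the "Happy-toaster-Fossil-345$" style with its entropy worked out.  The iteration count, alphabet, and the sixteen-word list are assumptions for the example; a real word list such as the EFF's has 7776 entries.

```python
import hashlib
import math
import secrets
import string


def site_password(master, site, counter=1, length=20, symbols=True,
                  iterations=100_000):
    """Option (a): derive a per-site password from one master secret.
    Same master + site + counter always gives the same password, so there is
    nothing to store; bump `counter` when a site forces a password change.
    If `master` leaks, every password derived from it leaks with it."""
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += "!@#$%^&*-_"
    salt = f"{site.strip().lower()}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    # 512 bits of output, far more than length * log2(len(alphabet)) needs,
    # so repeated divmod yields practically unbiased characters.
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


# Constructed stand-in for a real word list (assumption: 16 words here).
WORDS = ["toaster", "fossil", "happy", "horse", "battery", "staple", "correct",
         "lantern", "pebble", "velvet", "orbit", "cactus", "maple", "quartz",
         "river", "falcon"]


def passphrase(words=WORDS, count=4, sep="-", digits=3):
    """Random words chosen with `secrets` (never `random`), in the readable
    style the post suggests for passwords you may have to type by hand."""
    chosen = [secrets.choice(words) for _ in range(count)]
    chosen[0] = chosen[0].capitalize()          # for 'must contain uppercase' rules
    tail = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return sep.join(chosen) + sep + tail + "$"  # '$' for 'must contain a symbol'


def passphrase_entropy_bits(list_size, count, digits=0):
    """Entropy of the random part only; the fixed '$' and the
    capitalisation of the first word add nothing."""
    return count * math.log2(list_size) + digits * math.log2(10)


def fits_policy(pw, max_len=None, allow_symbols=True):
    """Mirror the site restrictions the post mentions (length caps, no symbols)."""
    if max_len is not None and len(pw) > max_len:
        return False
    if not allow_symbols:
        return all(c in string.ascii_letters + string.digits for c in pw)
    return True


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed example secret
    print(site_password(master, "rakuten"))
    print(site_password(master, "rakuten", counter=2))           # after a forced reset
    print(site_password(master, "oldbank", length=8, symbols=False))  # restrictive site
    print(passphrase(), passphrase_entropy_bits(len(WORDS), 4, digits=3), "bits")
    print("4 words from a 7776-word list:", passphrase_entropy_bits(7776, 4), "bits")
```

Two things the numbers show: four words from a 7776-word list is about 52 bits, which is plenty for an online login that rate-limits guesses but thin against offline cracking of a leaked hash, and a 16-word list gives only 16 bits, so the size of the list matters far more than the number of digits tacked on the end.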

3. Account Takeover

This is when someone takes over your email account, via phishing or password re-use, and then uses it to send emails to your contacts to scam them, reset and verify your shopping and banking accounts, or (usually) send spam.  

You'll know this has happened if you start receiving lots of bounce messages from addresses you never sent email to, or if you suddenly get locked out of your account because the attacker changes the password.  

Also, if an attacker gets access to your email account, they can see which other services you are signed up for and know where to attack next.  For example, if you have emails from Mitsubishi bank or Amazon, they will know you have accounts there, and possibly your username or account number.  

It's best to use MFA mechanisms and use different passwords for each account in order to prevent this from happening, but that won't stop all phishing attacks.  

4. Typo URLs & Evil SEO

These go hand in hand with phishing, but are a bit narrower in scope.  People who type a URL directly into the browser might mistype it.  For example, Mitsubishi's online banking URL is https://direct.bk.mufg.jp, but one might mistakenly enter one of the following:

  • https://direct.bk.mufj.co.jp
  • https://direct.bk.mufg.com
  • https://direct.bk.mufg.net
  • https://direct.bk.mufj.jp
  • https://direct.hk.mufj.jp

An attacker can register these and other likely mistyped URLs, and since they will own the domain, they can set up sites that mimic the look and feel of the real web site.  

The victim enters the URL, the site is displayed, and they enter their login information.  At that point, an error might be displayed after their login information is logged, or in some cases, they might even redirect the user to the real site so the victim never notices the difference.  

Since the attacker does own the look-alike domain, they can obtain a perfectly valid TLS certificate for it, so the padlock icon in the browser will show up.  The padlock only means the connection is encrypted to whoever controls that domain name; it says nothing about whether that domain belongs to your bank.

There are anti-phishing plugins and browsers that blacklist these types of sites, but the best defense is to keep the known good URL somewhere (like a password database) where you can copy &  paste it when needed, or at least store it as a bookmark in your browser. 

Another tactic relies on user laziness and the blurring of the lines between the search box and the URL box in many browsers: a scammer sets up a fake banking site mimicking a real bank, perhaps using a similar URL (either a typo URL or a URL that uses look-alike Unicode characters so the domain appears identical to the real one while actually being different, a so-called homograph attack), and uses advertising systems like Google Ads to make sure it appears high in the results.  

This means that if a user doesn't type in a URL manually or use a bookmark, but simply types "Mitsubishi Direct" and then clicks on a displayed link, they may be taken to the evil site.  Of course search engines like Yahoo and Google try to detect this and delete such entries, but there is no guarantee.  

The best defence is to never search for an important URL.  Where money is involved, you should know the URL for sure and enter it directly, again either through a browser bookmark or by copying and pasting it from a password database.  There should be no reason you ever need to ask Yahoo or Google where your bank's official web site is.  
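The "known good URL in the password database" advice can be turned into a check that runs before you paste a link into the browser.  The following is an added example, not code from the post: it accepts a URL only if its host is exactly on your own allow-list, and otherwise explains why it looks wrong, distinguishing a plain HTTP link, a host with non-ASCII (look-alike) characters, and a host within a few typing errors of a real one.  The allow-list contains just the MUFG address quoted above; the edit-distance threshold is an assumption, and only the "exact" verdict should ever be trusted.

```python
import unicodedata
from urllib.parse import urlsplit

# Your own allow-list, kept where the post says to keep the real URL:
# in the password database or bookmarks. Only the host quoted in the post.
KNOWN_GOOD = {"direct.bk.mufg.jp"}


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url, known_good=KNOWN_GOOD, max_distance=3):
    """Return (verdict, detail). 'exact' is the only verdict to log in on;
    the others say why the address is suspicious."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid", "no hostname"
    if parts.scheme != "https":
        return "insecure", f"scheme is {parts.scheme!r}, not https"
    if host in known_good:
        return "exact", host
    if not host.isascii():
        # Homograph attempt: name every non-ASCII character so the user can
        # see e.g. 'LATIN SMALL LETTER SCRIPT G' standing in for 'g'.
        odd = sorted({f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                      for c in host if not c.isascii()})
        return "homoglyph", "; ".join(odd)
    nearest = min(known_good, key=lambda g: levenshtein(host, g))
    d = levenshtein(host, nearest)
    if d <= max_distance:
        return "lookalike", f"{host} is {d} edit(s) away from {nearest}"
    return "unknown", host


if __name__ == "__main__":
    # The typo URLs listed in the post plus one constructed homograph.
    for u in ["https://direct.bk.mufg.jp/login", "https://direct.bk.mufj.co.jp",
              "https://direct.bk.mufg.com", "https://direct.bk.mufg.net",
              "https://direct.bk.mufj.jp", "https://direct.hk.mufj.jp",
              "https://direct.bk.muf\u0261.jp"]:
        print(f"{u:40} -> {classify_url(u)}")
```

The edit-distance verdicts are only there to explain a rejection; `direct.bk.mufj.co.jp` is four edits away and comes back as "unknown", which is just as much a reason not to log in.  Browsers apply similar heuristics when deciding whether to show a Unicode domain as punycode, but they are not a substitute for your own allow-list.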

Financial Paranoia 1 - Social Engineering Scams

This series is about online banking and operational security.  As such it is relevant not just to Japan, but to online banking (including smartphone banking) in general.  In fact, there is little here that is specific to Japan; the bank names, etc., we use as examples will be Japanese, but everything here could just as easily apply to Korea, the UK, or the US.  

We will discuss the common problems and solutions, ranging from the simple easily implemented solutions and best practices all the way to the super paranoid.

First, let's discuss the common problems, as understanding the threat model is key:

1. Offline & Social Media Social Engineering - These are when someone attempts to convince you to "invest" or outright send them money.  

I'll give three examples:

a. The "Ore Ore" scam.  This one is popular in Japan and many other countries.  The scammer will call random phone numbers from a burner phone and claim to be a relative in trouble.  The conversation will usually go something like this:

Victim: Hello?

Scammer: Hi, it's me!

Victim: Takeshi, is that you?

Scammer: Yes, I'm in trouble.  Listen, I don't have much time to talk, but it's an emergency, I need you to send me money.

Victim: Okay, I can send some money to your account.

Scammer: I can't access my account right now, but can you send the money to my friend's account?  I'll send you the information.

Victim: Okay, I see.

Scammer: (Sends account information)

Victim: (sends money)

In this case, the scammer usually knows nothing about the victim, but just calls lots of people randomly in the hope that someone who isn't very vigilant will assume their child, grandchild, etc. is calling, and will send the money without thinking too much due to a sense of urgency.

The scammer will likely be using a stolen account they have access to, and will withdraw the money in cash as soon as it is sent.  By the time the victim realizes what's happened, it will be too late.  Even if they report the crime, the police are left with a burner phone number and two victims: the one who sent the money, and the one whose account was used.  

Sadly, this type of crime most often affects elderly people, who seem less likely to stop and think before blindly sending money to a loved one in need.  

As cold as it may sound, the best way to stop this type of crime is simply to verify the story before sending any money to anyone.  Don't say "Is this Takeshi?", but ask "Who is this?"  If they won't tell you, or say something like "It's me!", then it's almost for sure a scam.  

You can hang up and call them on their normal number to verify the story - even if they claim they lost their phone or whatever.  It's very unlikely that anything would be that urgent that it can't wait a few hours while you check.  

b. The account takeover / POSA Gift Card Scam

In this case, someone who appears to be a person you know will contact you by chat (e.g. LINE), SMS, email, etc., claiming to need a favor.  They may ask you to send cash, or more often, gift cards.  Of course they will often offer to pay you back in cash the next time they see you.  Gift cards are preferable to the scammer because they can be exchanged for cash without needing a bank account, so there is less evidence.  

This usually means that someone's phone has been stolen, or their email account has been taken over.  The best solution to this is to ask them to call you so you can discuss it.  If it's someone you know, you probably know what their voice sounds like, and can quickly determine if it's someone else.  You could also ask why they need the gift card, why they can't buy it themselves, etc.

This actually happened to me, with a wealthy friend suddenly asking that I buy them Amazon gift cards at 7-11 via Line.  When I asked them to call me to discuss it, they started in with "Don't you trust me?", etc.  That friend had two phones, so I called the other one and asked them about it.  They said "Oh, I lost my phone in Thailand".  I told them they should contact Line to have the account disabled, and quickly warn their other friends not to send any money to the scammer.  

I also had a similar experience where another friend sent me a message from their Gmail account explaining how they were traveling and in trouble, and wanted me to send them money via Western Union.  I contacted them via Skype and of course it turned out to be a scam.  They were not traveling at all and were in fact at work at the time.  

c. The new friend / investment scam - Someone you don't know will contact you via some chat app, often saying they were referred to you by someone with a common name.  They will try to talk to you, and over the course of weeks will try to befriend you, or perhaps make you believe they are a romantic partner. 

At some point, the discussion will inevitably turn to money, and they will often try to "help" you by letting you know about an amazing investment opportunity.  This will often be crypto related.  

This happened to someone I know, and they were asked to invest a small amount in some crypto site.  The amazing opportunity was that they would earn 1% per month just by having money in this account.  So they invested a small amount, for example $100, and saw after a few months that they were indeed getting 1% interest per month.  That's over 12% per year compounded, so it seems like a great deal, and they invested a lot more.  The new "friend" discouraged them from taking their winnings, suggesting they should invest more and more.  Eventually when they did try to withdraw the money, it never arrived, and the new friend blocked them.  Of course the site was fake, and the money was long gone.  

The sage advice "Don't talk to strangers" applies here, but more to the point, most chat programs can be set to simply not allow contact from unknown accounts.  This may mean requiring that you have their phone number in your address book, making your ID non-searchable, etc.  This is the best option - but even if you allow strangers to contact you, you should never take investment advice from them or send them money.  A stranger you've been chatting with for 6 months is still a stranger if you've never met them in person.  

Sadly this person lost about $30k to their online girlfriend.  

Summary:

All of the above are social engineering scams that work based on technology, but the solutions are mainly not technological in nature: simply verifying identity, not trusting strangers, not allowing yourself to be rushed, and thinking deliberately before you act.  

Also, a 12% risk-free investment simply doesn't exist.  In Japan if a company needs to raise capital, they can go to the bank and get a loan for less than 5%, so there is absolutely no reason they would pay individual investors 12%.  The best stable returns you can get are from a stock market index, at around 7%, and even that is risky in the short term.  If someone is willing to pay you 12%, it must be riskier than that.  You should always think about the transaction from the other party's point of view to see if it makes sense.  
