Thursday, June 21, 2007

Personal Financial Security Protocols

Note: The following is a work in progress. Comments are greatly appreciated.

There is an old saying, "The cobbler's children have no shoes", implying that experts in a field often neglect their own discipline in their daily lives. For me, as a security "expert", this is not the case. I have a rich and complex set of personal protocols for dealing with financial matters, including protecting my bank accounts, savings, and credit cards. I deliberately designed these protocols to balance security and convenience.

I began with a simple observation: I want to minimize my costs in a security breach. And costs to me can be reduced by either preventing security incidents or ensuring that some other party, not myself, is responsible for the loss. Thus my attitudes towards my credit cards, my bank account, and my brokerage account are all substantially different.

Credit Cards

I am generally rather cavalier about my credit card. I happily use online shopping, and will even email my credit card number when making a reservation at a small hotel. True, I'm not going to post the number on the Web, but I won't otherwise hesitate to use my credit card and don't take any extra care in safeguarding this information.

Why? Simply because it is not my money at stake!

Until I write the check to the credit card company, it is the credit card company's money. In case of fraud, I am able to dispute the fraudulent transaction before I have to write the check, leaving the credit card company on the hook for all but $50 (in theory) or $0 (in practice). I had this occur once, with a $5 fraudulent charge, and the process of disputing the charge was painless. Rather, it is the merchants who need to take care in accepting credit cards as the merchant ultimately carries the cost of fraud.

Bank Account and ATM Cards

My casual attitude towards my credit cards is sharply contrasted by my attitude towards my ATM card. My ATM card is ATM-only, without a Visa or MasterCard logo. With a "check" card, where the transaction goes through the credit card system, all an attacker needs are the numbers on the card. In contrast, the ATM network requires the PIN number as well as the card's information.

Additionally, I only use my ATM card at a bank branch's ATM (ideally my bank's branches). And even at these ATMs, I physically examine the slot where the ATM card enters to see if someone has attached a card skimmer (a device to read the card as it is inserted into the machine). I NEVER use my ATM card at grocery stores or other stores, as there have been several break-ins where attackers have managed to capture ATM cards as well as credit cards.

Why should I care? Although the fraud protections for ATM/check cards are as good as credit cards, until the dispute is resolved it is my money that is missing, not the bank's. If someone fraudulently used my credit card, the worst case would be the card stops working (and I have two cards). If someone fraudulently accessed my bank account my rent check might bounce before I found out. Thus I need to minimize the chance of a breach.

I also do not use any automated or online bill pay or online banking, except for a couple which go to a credit card. My banking and bill payments are all done in person or through the mail. There are too many bots and keyloggers in this world for me to trust online banking and there is significant comfort in having a real paper-trail for any potentially disputed transaction.

Finally, when I do pay my bills by mail, I drop off the envelopes in a locked mailbox rather than leaving them for the postman to pick up. It is far too easy for someone to steal some checks and modify them if they are out in the open.

Brokerage Account

The one exception to the "No Online Banking" rule is my brokerage account, as the web site provides the only effective interface for managing the account. Fortunately I only need to access it once every few months, as I follow the general economic advice of "Buy index funds and/or CDs and just let them sit" as I know I'm incapable of reliably beating the market.

I use a bootable Linux "Live" CD (in my case, Knoppix, although I need to investigate alternatives as Konqueror doesn't render properly, forcing me to manually download Firefox). I reboot my computer using the live CD so I know that my system is free from viruses, bots, and keyloggers. I then access just my brokerage account, do my necessary changes, and restart my computer. Although significantly inconvenient, I view this as necessary.

Unlike bank accounts, the laws concerning fraudulent brokerage account access are not well-enough settled for my taste. Since I have no assurance that, in case of fraud, I would not lose money, I need to prevent fraud to as great a degree as possible. Thus I must be able to trust the computer I'm using, and given the perilous state of end-host security (even Mac security), the only way I can trust the computer is by booting using trusted, read-only media and only connecting to the brokerage account.

Conclusions

Building these financial protocols took me considerable thought and effort. I had to consider what were the possible attacks on my financial data and what the consequences were. In the end, it was the consequences of possible attacks which dictate my policy: if it doesn't cost me much time and money, I don't care. But if it's my money on the line, I'll be very careful.

5 comments:

Anonymous said...

My only concern with using an alternative operating system for brokerage accounts would be the occasional incompatibility with non-IE browsers. I've encountered this problem a few times, but thankfully the issues seem to resolve themselves quickly, and I'm able to use Firefox/Safari a few days after calling the bank's tech support.

~Jesse VanWay

Nicholas Weaver said...

That's the problem with Knoppix, and why I need to look at a replacement. Konqueror doesn't render my brokerage account correctly, but Firefox does.

But I've also gone out of the way to minimize the online banking I need to do, as there is already so much literature showing that actively-traded brokerage accounts are a good way to just lose lots of money.

Anonymous said...

You see financial security from a purely IT standpoint, which is good but incomplete. You must also consider the economics standpoint. The most secure way to store money is not to deposit it into any bank account, ever. Use current bank accounts for everyday transactions, but don't trust your savings in banks. Deposited money is not yours, it is the bank's money which becomes their liability to you. This is evidenced by the fact that the bank pays you interest (if it were your money, you should pay the bank for keeping it). There are other more safe ways of storing your money. You can store your money in safe deposit boxes. But even this is not so secure against inflation and war. Actually, storing your savings in currency, any currency, is a completely flawed idea. The perfect security lies in having no ATM savings and preferring pure gold in bank vaults or bank safe deposit boxes. It's even tax-free in EU, and most national banks happily sell gold OTC (over the counter). You don't need to be rich to enjoy the security of gold, as nowadays gold savings and the fees for bank safe deposit boxes or small bank strongrooms are within the reach of the middle class.

shannon said...

i can understand why you've drawn this conclusion regarding credit card processing vs. debit card processing. though, even though you insist it "isn't your money" being used for fraudulent charges on your credit card, what if you cannot prove your case? what if you end up being responsible for the fraudulent charges on your card? if the thief uses it at a gas station local to you with no cameras before you can report the card missing...

then, it seems, it would NOT be "their money."

this has happened to me before.

when my purse was stolen, i had better luck getting my debit card charges reversed over my credit card ones... the "investigation" stage took a lot longer than with my local bank.

but hopefully you won't ever have to deal with it!