gjb2048
Posts: 22
Joined: Fri Aug 10, 2012 5:07 pm
Contact: Website

Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 6:15 pm

Hello,

Given what Eben has written here: https://www.raspberrypi.org/blog/why-ra ... -meltdown/ and then doing a search on these forums for 'Meltdown' and finding viewtopic.php?f=63&t=201453 - I was wondering if the Pi is a better and more secure computer for doing your internet banking / shopping upon than even a PC running Linux? Also given the situation that you would be running the latest Raspbian Stretch.

What do you think please?

Cheers,

Gareth

DarkPlatinum
Posts: 866
Joined: Thu Nov 02, 2017 2:30 pm
Location: Unknown
Contact: Website YouTube

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 6:26 pm

There are a lot of variables in this question. While a Pi may not be susceptible to those attacks, it may be vulnerable to other attacks. The first thing you should do on a Pi connected to the internet is to change the password. There is also the fact that many modern PCs use Intel/AMD chips, whereas a Pi is ARM.
1 * Raspberry Pi Zero W, 1 * Raspberry Pi 2, 1 * Raspberry Pi 3 1 * Raspberry Pi 3B + :mrgreen:

Check Out My Raspberry Site (Run on a Raspberry Pi 3B :) ): https://html.dynu.net

gjb2048
Posts: 22
Joined: Fri Aug 10, 2012 5:07 pm
Contact: Website

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 6:34 pm

Thank you for your reply DarkPlatinum. Ok, given that the Pi's password is changed and that the ARM CPU is not affected by Spectre / Meltdown, then therefore is Raspbian as a distribution of Linux just as secure as any other distribution and as always with risk 'as good as it can be'?

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 6:48 pm

It's no more nor no less secure than any other Linux system. Linux systems are no more nor less secure than a fully up to date Windows 10 system with a modern web browser.

I think you're being overly paranoid.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Heater
Posts: 14449
Joined: Tue Jul 17, 2012 3:02 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 7:35 pm

When it comes to interacting with the internet paranoia is a good strategy.

For the paranoid:

In order for Meltdown and Spectre to be a threat on your computer those techniques have to be used by some malware that is running on your machine.

Where would such malware come from and how would it get into your machine? How can you prevent it?

1) You have downloaded and installed some program that contains a Meltdown or Spectre exploit from a random untrusted website. Well don't do that. Only use programs from trusted sources like the Raspbian repositories or perhaps other places that you know something about and can have some trust in.

2) JavaScript. If you are visiting some random website it may well include a Meltdown or Spectre exploit in some JavaScript that it has fetched from somewhere. If you happen to be visiting your bank at the time, in another tab, perhaps it can sniff important information from your bank session. Well don't do that. Close all browser tabs and other browsers whilst you deal with your bank. In fact only ever use this machine for bank transactions. Do your hobby and other work on a different Pi or swap SD cards around.

In general I'd say keep the software installed on your banking machine down to the minimum required to do that task. Perhaps even use a read only root file system on that machine.

Of course all of the above applies to many other possible exploits besides Meltdown or Spectre. In general I feel we have enough of those to worry about already to make Meltdown or Spectre a minor concern.
Last edited by Heater on Sun Nov 11, 2018 9:05 pm, edited 1 time in total.
Memory in C++ is a leaky abstraction .
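
An added example, not part of the thread: a POSIX shell sketch that checks two of the points raised in the post above on a dedicated banking Pi, namely whether the root file system is mounted read-only and whether the kernel reports any unmitigated CPU speculation issues. The function names are hypothetical, and it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities.

```sh
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print "ro", "rw" or "unknown" for the root file system, given a file in
# /proc/mounts format: device mountpoint fstype options dump pass.
# The last entry for "/" wins because later mounts shadow earlier ones.
root_mount_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk '$2 == "/" { opts = $4 }
         END {
             if (opts == "") { print "unknown"; exit }
             n = split(opts, o, ",")
             # Match the exact option "ro", not e.g. "errors=remount-ro".
             for (i = 1; i <= n; i++) if (o[i] == "ro") { print "ro"; exit }
             print "rw"
         }' "$1"
}

# Print the names of CPU issues the kernel reports as unmitigated, one per
# line. Each file in the directory holds a single status line such as
# "Not affected", "Mitigation: ..." or "Vulnerable...".
unmitigated_cpu_issues() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        read -r status < "$f" || true
        case "$status" in
            Vulnerable*) basename "$f" ;;
        esac
    done
}

# Run both checks and finish with a "findings: N" summary line.
# Arguments are optional and default to the live system paths.
audit() {
    mounts=${1:-/proc/mounts}
    vulns=${2:-/sys/devices/system/cpu/vulnerabilities}
    problems=0

    mode=$(root_mount_mode "$mounts")
    echo "root file system: $mode"
    [ "$mode" = "ro" ] || problems=$((problems + 1))

    for issue in $(unmitigated_cpu_issues "$vulns"); do
        echo "unmitigated CPU issue: $issue"
        problems=$((problems + 1))
    done

    echo "findings: $problems"
    return 0
}

audit
```

A writable root counts as a finding here only because the post suggests a read-only root for the banking machine; on a general-purpose Pi that line is expected to read "rw".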

ejolson
Posts: 4268
Joined: Tue Mar 18, 2014 11:47 am

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 8:16 pm

Heater wrote:
Sun Nov 11, 2018 7:35 pm
In general I'd say keep the software installed on your baking machine down to the minimum required to do that task.
This is a very good idea. Otherwise the bread might turn out funny.

Heater
Posts: 14449
Joined: Tue Jul 17, 2012 3:02 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 9:05 pm

banking/baking, oops! Thanks, fixed it.

Thinking about it, it's the same. In either case you don't want the bad guys getting their hands on your dough or stealing your bread.

Ger_Pa
Posts: 56
Joined: Thu Mar 09, 2017 7:00 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 9:07 pm

DougieLawson wrote:
Sun Nov 11, 2018 6:48 pm
It's no more nor no less secure than any other Linux system. Linux systems are no more nor less secure than a fully up to date Windows 10 system with a modern web browser.

I think you're being overly paranoid.
oh oh, now you are going to face the lynching mob of "I use linux because it is SECURE!!!! unlike windows!!"..

But what he says is true: any OS (that's online) is vulnerable to attacks, no matter what a group of fans may say. The best thing to do is use common sense and have good habits to make surfing safer (which is not the same as 100% safe)

ejolson
Posts: 4268
Joined: Tue Mar 18, 2014 11:47 am

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 9:27 pm

Ger_Pa wrote:
Sun Nov 11, 2018 9:07 pm
But what he says is true: any OS (that's online) is vulnerable to attacks, no matter what a group of fans may say. The best thing to do is use common sense and have good habits to make surfing safer (which is not the same as 100% safe)
I think the idea of using a different computer like a Pi for banking is that it would then not be used for surfing. One difficulty with having two computers is that they both need to be maintained. In particular, if you don't devote sufficient resources towards maintaining the banking-only computer, it could end up being less secure than your general use machine.

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 9:35 pm

ejolson wrote:
Sun Nov 11, 2018 9:27 pm
Ger_Pa wrote:
Sun Nov 11, 2018 9:07 pm
But what he says is true: any OS (that's online) is vulnerable to attacks, no matter what a group of fans may say. The best thing to do is use common sense and have good habits to make surfing safer (which is not the same as 100% safe)
I think the idea of using a different computer like a Pi for banking is that it would then not be used for surfing. One difficulty with having two computers is that they both need to be maintained. In particular, if you don't devote sufficient resources towards maintaining the banking-only computer, it could end up being less secure than your general use machine.
Lots of us use an alternative computer all of the time. Mine is a Samsung Galaxy S5 (my wife's old cast-off cell phone) running Android 6 (Marshmallow) - which is likely a security minefield. I use that for online banking - I think nothing of it. My online banking has a 2FA that uses a key generator that is hardened behind a six digit PIN.

Ger_Pa
Posts: 56
Joined: Thu Mar 09, 2017 7:00 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 9:39 pm

ejolson wrote:
Sun Nov 11, 2018 9:27 pm
Ger_Pa wrote:
Sun Nov 11, 2018 9:07 pm
But what he says is true: any OS (that's online) is vulnerable to attacks, no matter what a group of fans may say. The best thing to do is use common sense and have good habits to make surfing safer (which is not the same as 100% safe)
I think the idea of using a different computer like a Pi for banking is that it would then not be used for surfing. One difficulty with having two computers is that they both need to be maintained. In particular, if you don't devote sufficient resources towards maintaining the banking-only computer, it could end up being less secure than your general use machine.
As soon as you connect an RJ45 to the Pi or connect it to the Wi-Fi, your little Pi is out there in the sea waiting for the waves; you are open to attacks. The only way to have a truly 100% secure OS is that it is not connected to anything that allows it to reach the outside world and that only you have physical access to the machine.
Since it will be used for banking it means you need to have an active connection to the net, which means that you are no longer truly secure.

Down the road, the security of your machines depends more on what you do as a user than what kind of OS you are using.

LTolledo
Posts: 2587
Joined: Sat Mar 17, 2018 7:29 am
Location: Anime Heartland

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 9:55 pm

I use this RPi3B+ for my online shopping, for RPi accessories, other electronics/pc hardware, and other stuff that fancy me.
As I always pay by COD/Gift Cards, I have no worries.

I don't do online banking on my RPi, my online banking is only done via ATM machines...
"Don't come to me with 'issues' for I don't know how to deal with those
Come to me with 'problems' and I'll help you find solutions"

Some people be like:
"Help me! Am drowning! But dont you dare touch me nor come near me!"

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 10:13 pm

LTolledo wrote:
Sun Nov 11, 2018 9:55 pm
I don't do online banking on my RPi, my online banking is only done via ATM machines [sic]...
Which are some of the most insecure hardware I've ever met as they're running unpatched OS/2, unpatched Win7 or unpatched AIX.
https://www.engadget.com/2018/11/08/nor ... h-atm-hack
https://www.itproportal.com/features/th ... usinesses/

Ger_Pa
Posts: 56
Joined: Thu Mar 09, 2017 7:00 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 11:14 pm

Yes, ATM has to be one of the most insecure methods to do banking, next to NFC payments....

Just google ATM debit card cloning... clone contactless payment device etc

Heater
Posts: 14449
Joined: Tue Jul 17, 2012 3:02 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Sun Nov 11, 2018 11:19 pm

And in the news today:

Credit Card Chips Fail to Halt Fraud, Survey Says : http://fortune.com/2018/11/05/credit-ca ... rvey-says/

gjb2048
Posts: 22
Joined: Fri Aug 10, 2012 5:07 pm
Contact: Website

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Mon Nov 12, 2018 5:24 pm

Thank you to everyone who has replied so far. Really pragmatic advice.

So what if the bank / shop had their JS compromised by a third party update, like was on the news that month? Would legally they be the problem even if your device for whatever reason was susceptible to the Meltdown / Spectre issue?

Yes I am paranoid, I'll admit that. But I am a software engineer who did a course on computer security on my MSc. But as no one person knows everything about computing, then we all ask about things when we don't know ourselves. Security for me is about mitigating risk to a failure happening and if you can't prevent one weakness then you look at how you can put in place measures to prevent it. I do have a Model B+ and a 3 Pi, sadly my original model B passed away, along with a working PC, netbook and Android phone. Keeping things up to date is time consuming but not technically an issue or having to swap SD cards. I normally use a separate private browser instance with no other tabs open for online shopping etc. then close (so the cache is not stored) before using for something else.

By asking the original question I do wish to mitigate risk as much as possible by understanding the potential of one device on a given operating system to be possibly more secure than another if configured correctly, up to date and using the most secure procedure.

ejolson
Posts: 4268
Joined: Tue Mar 18, 2014 11:47 am

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Mon Nov 12, 2018 6:33 pm

gjb2048 wrote:
Mon Nov 12, 2018 5:24 pm
Thank you to everyone who has replied so far. Really pragmatic advice.

So what if the bank / shop had their JS compromised by a third party update, like was on the news that month? Would legally they be the problem even if your device for whatever reason was susceptible to the Meltdown / Spectre issue?

Yes I am paranoid, I'll admit that. But I am a software engineer who did a course on computer security on my MSc. But as no one person knows everything about computing, then we all ask about things when we don't know ourselves. Security for me is about mitigating risk to a failure happening and if you can't prevent one weakness then you look at how you can put in place measures to prevent it. I do have a Model B+ and a 3 Pi, sadly my original model B passed away, along with a working PC, netbook and Android phone. Keeping things up to date is time consuming but not technically an issue or having to swap SD cards. I normally use a separate private browser instance with no other tabs open for online shopping etc. then close (so the cache is not stored) before using for something else.

By asking the original question I do wish to mitigate risk as much as possible by understanding the potential of one device on a given operating system to be possibly more secure than another if configured correctly, up to date and using the most secure procedure.
From my point of view, the main advantage of the Pi is that there are no onboard programmable firmwares that can be modified to hold an advanced persistent threat. There is also the affordability factor that allows you to devote an entire computer for financial transactions and nothing else. The main disadvantage is that the default operating system Raspbian is designed to support an easy introduction to programming for children and is not as secure as many other Linux distributions by default. While security has generally improved over time, it would be reasonable to read some tutorials on hardening the Raspberry Pi to make it more secure. It is also the case that if you don't already understand Linux security and system management, things are likely to turn out much less secure than if you do. For people who already have significant experience securing and maintaining Windows computers, better results may follow from having a separate Windows computer used exclusively for financial transactions.

Having said this, for online purchases, credit-card payments and banking I personally use a Linux desktop that is also used for many other things. If I did any online stock trading or bitcoin, however, I would consider using a separate computer for that.

gjb2048
Posts: 22
Joined: Fri Aug 10, 2012 5:07 pm
Contact: Website

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Mon Nov 12, 2018 6:57 pm

Thank you ejolson, very informative. Linux security is not something I know much about and can do a little system management, will definitely read up on this.

k-pi
Posts: 930
Joined: Sun Feb 12, 2017 1:46 pm
Location: Upper Hale, Surrey, UK.

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Mon Nov 12, 2018 7:05 pm

(I only read the original post, so am just answering to that.)

I have used my RPi3B for online banking, & online shopping - what I advise, & do myself, is that after making a transaction, you switch off completely to let the ram clear, about 10 seconds - then reboot if you want to continue using the computer.

It's an old habit from my early days of using computers, & it has kept me safe. :)

Edit: If you use a laptop, remove the battery for the 10 seconds. ;)

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Mon Nov 12, 2018 8:39 pm

k-pi wrote:
Mon Nov 12, 2018 7:05 pm
(I only read the original post, so am just answering to that.)

I have used my RPi3B for online banking, & online shopping - what I advise, & do myself, is that after making a transaction, you switch off completely to let the ram clear, about 10 seconds - then reboot if you want to continue using the computer.

It's an old habit from my early days of using computers, & it has kept me safe. :)

Edit: If you use a laptop, remove the battery for the 10 seconds. ;)
That all gives you just enough time to make sure the tin-foil hat is placed centrally on your head, since that level of paranoia will need a tin-foil hat.

Heater
Posts: 14449
Joined: Tue Jul 17, 2012 3:02 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Mon Nov 12, 2018 11:10 pm

k-pi,
...what I advise, & do myself, is that after making a transaction, you switch off completely to let the ram clear, about 10 seconds - then reboot if you want to continue using the computer.
If it makes you feel safe and secure then please do continue.

However I feel it is very bad advice. Offering nothing in the way of securing one's activities. Irresponsible in that it might make the naive feel secure as well, when it does not.

Unless that is, you can refer us to even one exploit that is mitigated by this habit.

Now, if you were doing that whilst also using a read-only file system, and that system is only booted to make the transactions then powered down, I might be more convinced of its effectiveness.

ejolson
Posts: 4268
Joined: Tue Mar 18, 2014 11:47 am

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Tue Nov 13, 2018 4:25 am

Heater wrote:
Mon Nov 12, 2018 11:10 pm
k-pi,
...what I advise, & do myself, is that after making a transaction, you switch off completely to let the ram clear, about 10 seconds - then reboot if you want to continue using the computer.
If it makes you feel safe and secure then please do continue.

However I feel it is very bad advice. Offering nothing in the way of securing one's activities. Irresponsible in that it might make the naive feel secure as well, when it does not.

Unless that is, you can refer us to even one exploit that is mitigated by this habit.

Now, if you were doing that whilst also using a read-only file system, and that system is only booted to make the transactions then powered down, I might be more convinced of its effectiveness.
I think the idea is that passwords, random state and authentication tokens might be left in RAM by an irresponsible program even after the program exits. If later another program reads the contents of RAM by exploiting a side-channel attack such as Meltdown or likely a more obvious kernel security fault, it would help to have cleared RAM by means of a power cycle as described. For those who store passwords as plaintext in a file named secret.txt, clearing RAM may not be a sufficient precaution. In that case, the addition of a tin-foil hat should short out the GPIO and render all data secure again.

DavidS
Posts: 4334
Joined: Thu Dec 15, 2011 6:39 am
Location: USA
Contact: Website

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Tue Nov 13, 2018 6:40 am

While there are a lot of variables in the question at hand, many already mentioned:

NO computer is a good computer for internet banking. Not even the systems used in the banking system, they have many known security holes, because of the need to maintain compatibility and the inability to have any means for all banks to be updated for security. If they close the holes the system fails due to those parts not updated, if they try to force it the system fails because you are dealing with too many that do not understand what is going on.

That said we live in a world where all banks are online, at least with one another. This tells us that if we need to bank we have to live with the fact that there is no security, and can not be any security. Thankfully it is just the value of money, nothing important.

ANY computer is good for online shopping, as long as you are using a one time fill throw away prepaid credit card (see banking issue above). This includes all possible systems, as no personal data is transferred (unless you consider the shipping address personal).

If your concerns sit in the area of security, it does not matter for the purpose at hand; the banks are less secure than any of our systems.
RPi = The best ARM based RISC OS computer around
More than 95% of posts made from RISC OS on RPi 1B/1B+ computers. Most of the rest from RISC OS on RPi 2B/3B/3B+ computers

k-pi
Posts: 930
Joined: Sun Feb 12, 2017 1:46 pm
Location: Upper Hale, Surrey, UK.

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Tue Nov 13, 2018 2:44 pm

:lol: Tin foil hat or not - I forgot to mention that all important details are only entered whilst online, nothing is held on my computers, that being my motivation for clearing the ram. 8-)

Heater
Posts: 14449
Joined: Tue Jul 17, 2012 3:02 pm

Re: Q. Is a Raspberry Pi a good computer for internet banking / shopping?

Tue Nov 13, 2018 4:16 pm

Not a bad plan.

Not really effective unless you have a read-only file system that cannot be corrupted permanently whilst you are on line.

Still leaves you open to exploits that can occur whilst you are on line.

Of course this makes it harder to keep your software up to date such that you have the latest security vulnerabilities fixed.

This paranoia business is hard work :)
