Malware - especially the drive-by trojan download kind exemplified by Zeus - causes widespread anxiety among users who want to bank online but fear identity theft. Criminals infect dozens, hundreds, perhaps thousands of web pages each day with malware, then wait for that one fateful mouse click that costs you your identity or empties your checking account. They morph malware frequently enough that antivirus software is hard pressed to protect you and your computer from the threat.
The most common recommendation you'll find to protect yourself from identity theft is the tired mantra, "don't click on suspicious hyperlinks". That's great advice, except for the simple problem of knowing how to distinguish a suspicious link from a legitimate one. The smart criminals make such distinctions hard for the average user, whether in phishing emails or in malicious links they inject into web sites they've compromised or host.
What measures can you take to bank safely online when antimalware and antivirus measures can't keep pace and the criminals set their traps so cleverly that it's only a matter of time before you make that fatal wrong step?
For now, never use a mobile phone or device to bank online
2013 begins on the tail - or possibly, the onset - of what dozens of hysterical security vendors claim is the era of mobile malware (1, 2, 3...). A 12 year old could fill a hundred blog posts with tales of mobile malware. Immunity's Dave Aitel warned, "DO NOT use your phone to bank online or to deposit checks to your account", but in the same column, several security experts suggest ways that you can safely bank online from your mobile device.
Others may be comfortable recommending mobile banking on the grounds that the risk is low enough given the convenience. Given the stakes, not only for personal banking but for situations where employees or government officials (think in terms of tax collectors for small municipalities) might choose convenience over risk, a prudent course is to assume that virtually any device that is used for general Internet or web use is unacceptable.
Here's what I suggest.
Hire a personal bank teller
More accurately, create a personal teller using a PC/laptop that's collecting dust in the corner of your home office. Any lappie that can connect to your home network and run Windows XP and a browser will do, because you are going to configure this system to do one and only one task: open a browser window to your online banking web site so you can bank safely. By configuring this laptop so that it is exclusively for banking, you greatly reduce the likelihood you'll fall prey to a thief.
Begin by erasing and reformatting the hard drive [1,2]. Reinstall the Windows operating system from the media that came with your PC/laptop. Connect to the Internet to update your version of Windows and Internet Explorer so that you are "patch current", but do nothing else while connected. Seriously: nothing!
Open Internet Explorer. From the Tools menu, choose Internet Options. Set your online banking web page as the home page. You should then never submit or click on a URL in this browser on this laptop again. If you want to use Firefox, then open IE and type (don't search or click) "http://www.mozilla.org/en-US/firefox/new/". While this is perhaps overly cautious, it will help you establish the mindset for online banking: Trust No URL.
(If you have other computers on your home network, disable sharing and enable Windows Firewall. This isn't a full-blown mitigation strategy for hardening Windows XP; for that, you'd need to invest a bit more time. Whether your "came with" Windows OS version was XP or 7 will affect the additional effort you require, but this is a "one time" effort.)
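The same lock-down, scripted: this is an added example, not part of the original post, written as a batch file for an Administrator command prompt on XP SP2 or later (the `netsh firewall` context is deprecated on Windows 7 but still accepted there). The bank URL is a placeholder you must replace with your own bank's login page.

```batch
@echo off
REM Personal-teller lock-down (added example). Run from an Administrator prompt.
REM BANK_URL is a placeholder: type your bank's real login URL here, by hand.
set BANK_URL=https://online.example-bank.invalid/

REM 1. Make the bank's page IE's home page, the only URL this machine opens.
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "%BANK_URL%" /f

REM 2. Turn Windows Firewall on for every profile and drop all inbound exceptions.
REM    (XP's firewall filters inbound only, so browsing to the bank still works.)
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

REM 3. Explicitly block the File and Printer Sharing exception as well.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

REM 4. Stop and disable the Server service so this PC offers no shares to the LAN.
sc stop lanmanserver
sc config lanmanserver start= disabled

REM 5. Verify: show the home page and the firewall state for a visual check.
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page"
netsh firewall show state
```

Re-run the two verification commands after any Windows Update to confirm the settings survived.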
The configuration of your personal bank teller is complete. When you launch IE, you will automatically connect to your online banking web page. Hello, personal bank teller!
Use this PC/laptop for online banking... and nothing else!
Do not install any software on this PC/laptop. Do not add this PC/laptop to a domain or workgroup. Never, ever visit any other site from this PC/laptop. Never check mail or run any other application from this laptop. If you follow these guidelines, you can bank with greater confidence that you've kept the criminals at bay.
If you don't have the OEM disks or a spare copy of Windows to install, try a Linux OS and use Firefox [3,4]. The installation for most Linux OSs is straightforward. More importantly, if you are familiar with Firefox, you really don't have to know anything about Linux, as you are only going to use a browser that's familiar to you. The icon's the same, the UI is very similar, and seriously, this alternative is not nearly as intimidating as you imagine.
Before you scoff at this suggestion, weigh the cost of investing 30 minutes to create a personal bank teller from deprecated hardware against the threat of identity theft. As a side benefit, by using the lappie rather than junking it, you're thinking green.
[Note that while the focus here is on Windows, Mac users are not impervious to phishing and identity theft and can build a personal teller in a similar manner.]