Online banking privacy hack: Use 2 browsers to increase your security


Online shopping and banking is efficient and convenient, but it just takes one security breach for tons of personal information to get in the wrong hands. With every financial transaction, people share an array of private information, from emails, passwords and credit card numbers, to phone numbers and home addresses. This is what makes a potential data breach so terrifyingly invasive.

There's a school of thought that online shopping and banking can be more secure if you have a dedicated browser exclusively for those transactions. Isolating financial proceedings may sound logical to the average person, but it is a partial solution at best, and far from being a panacea for all online security threats.

How can a second browser help?

Using a second browser dedicated exclusively to online shopping and banking can offer some added security from specific types of attacks, according to Justin Cappos, a computer security professor at NYU's Tandon School of Engineering. "Having the separate browser still doesn't protect you from things like key loggers or malware that's on your device," Cappos said. "It protects you from certain types of attacks that websites can do when you visit a malicious website."

Separate browsers are not a foolproof solution.

But Cappos, who personally uses a Chrome browser, notes that having separate browsers is far from a full-proof solution, since certain plugins, like Flash, have the ability to track users between different browsers. Ilaria Liccardi, Michael Specter, Cecilia Testart and Ben Z. Yuan, researchers at CSAIL's Internet Policy Research Initiative, explained over email: 

"Having two browsers allows people to keep certain information contained within each browser. There are some advanced fingerprinting techniques which would only be able to gather metrics from a single browser, e.g. the user's agent flows and font resolutions that can potentially identify the specific browser. Even when using separate browsers, there can be instances in which an action taken within one can be used or affect the other. Third-party plugins, like Flash, can create cross-browser identifiable information, and malware infecting one browser might compromise the whole device, and therefore the activity on the other browser. In this sense, using two browsers may actually cause more harm than good -- you're effectively doubling your attack surface."

When it comes to protecting financial and identity information, Allison Berke, executive director of the Cyber Initiative at Stanford University, says there's no real advantage for having separate browsers unless online tracking is a concern.

"If you're worried about tracking of your online browsing being used to target ads or price discriminate, using a separate browser in private mode, with tracking blockers enabled and cookies disabled can cut down on common forms of ad-based tracking," Berke said.

That said, Berke warns that using a separate browser won't protect a user from other "fingerprinting techniques" that can identify a user based on unique characteristics: operating system, screen size and installed fonts. Berke further adds that once payment details or an email address is provided, any future activity can be linked back to back to the user.

There are other measures users can take for added security

For better security while online shopping and banking, Internet users can take several cautionary steps. Berke, Cappos and the CSAIL researchers all advise setting up two-factor authentication whenever possible — though Cappos and CSAIL's team warn that two-factor authentication using codes sent via SMS has security limitations.

"Some high-profile attacks have used social engineering on telecommunications companies to redirect SMS messages to attacker-controlled phones," Liccardi, Specter, Testart and Yuan said. "If you have a large public presence or a significant internet following, you should know that SMS-based two-factor authentication may not keep your accounts safe."

Berke also recommends turning on the "Do Not Track" feature on a web browser and using extensions that limit trackers and ads, like Privacy Badger or Ghostery. When submitting personal information on the internet, Liccardi, Specter, Testart and Yuan advise users to be vigilant and "always check to ensure that the URL bar has a lock [icon] and is using 'HTTPS' instead of 'HTTP.'" The most important thing, says Cappos, is to use a password manager and create strong, unique passwords.

Nothing provides guaranteed safety

Using separate browsers certainly doesn't guarantee a user won't be vulnerable to a security risk.

"It's not a perfect solution to have separate browsers," Cappos said. "But, in general, it's better than just using the same browser. Especially using the same browser when you're still logged in on other windows to other things you're doing."