Author

Topic: using a dedicated $50 "banking station" for enhanced security (Read 212 times)

jr. member
Activity: 30
Merit: 12
Tunneling in would be an option but also opens up the risk if you have a keylogger or for some reason find yourself as a high priority target for somebody that they literally monitor your in real time. It may sound paranoid but it's actually a feature of many commercially available "RATs" aka remote administration tools. They can have 10,000 infected PCs, then begin filtering them by OS, location, installed software, visited websites, recorded keystrokes, etc and then getting screenshots every x seconds and real time keystrokes.

My current setup is a wireless mouse/keyboard dongle that I just unplug from the front of my main PC to my odroid and my monitor lets me switch between multiple inputs so I use that as my display, much easier than the days of messing with wires and constantly rotating usb plugs so until they'd fit  Grin
legendary
Activity: 1624
Merit: 2481
Props.

That's probably the first (real) merit-worthy thread from a newbie account.


I really like your idea. It counters quite some attack vectors in comparison to simply a bootable linux live distro etc. (keyword: trusted hardware / bootloader).
Even though hardware wallets already are very user friendly and can be accessed without much hassle, if you are storing a very high amount of BTC on your hardware wallet you might want to use this as a 2nd wallet (to circumvent some 0day HW exploits).


I just have 1 thing to add:

[...] these SBCs are small enough that you can keep them at your main desk and simply plugin your main monitor/keyboard/mouse as needed[...]


One could simply set up an ssh agent to be started upon booting, then connect to it via live usb boot for example.
IMO it is more convenient to power up the PI, boot your PC from a live linux and connect via SSH to it, instead of re-plugging monitor/keyboard (but maybe that's just me because of my setup at home  Grin)

If you make sure to not permit root-login, set a strong-enough password and shutdown the ssh agent after ~3 failed login attempts (or simply use fail2ban, etc.. ), this also results in a pretty secure setup (not as secure as without any connection between your PC and the PI, but very close to that).


This idea of a 2nd wallet / banking station (regardless of whether with or without SSH connection) is already way more secure than the 'main' wallet of the majority of BTC user.
jr. member
Activity: 30
Merit: 12
PC security should always be a priority but when dealing with crypto wallets I think we can all agree something more besides routine virus scans, automatic updates, and avoiding sketchy sites/applications/emails would be wise. This is especially true if you're frequently using your crypto and can't store 100% of it in a cold wallet or are in a position to serve as a "gateway" for thieves to gain further access/information about other crypto users by attacking you (crypto site owners, mods/admins of telegram/discord/facebook groups, ICO teams, etc)

A few years ago I started playing around with single board computers or SBCs, the most famous one being the raspberry pi which thanks to its low price made it easy to isolate it as a sort of "banking station" to do things that would require extra security such as online banking/billpay or software-wallet crypto transactions. While it's not 100%, it does add an extra layer of security and in 2019 you can buy a decent amount of power from these tiny computers for under $50.

Nothing else is done on my banking station besides online banking and crypto payments, no emails, no youtube or random sites, strictly 100% financial transactions. While nothing will ever be 100% secure it does provide an extra layer in case I accidentally download something malicious, come across a website with an 0day browser exploit, and there is always exploits in common software such as outlook, skype, winrar, etc that don't require any interaction on your part to infect your system.


Getting one setup is pretty simple and you can get a basic idea of the process with this video: https://www.youtube.com/watch?v=lUchfyTpOjU

TLDW:

1) Choose a SBC, good choices would be the rock64 or odroid c2 and odroid xu4. They can be purchased on amazon, aliexpress, and at some microcenter/frys electronics/bestbuy stores. For security purposes its best to avoid buying used ones, the odds of hardware-malware are extremely low, but no point in saving $5 or $10 if your ultimate goal is security.

2) Depending on the board you choose, you may need to buy an additional power supply or USB wifi adapter, since these boards run linux not all USB wifi adapters are 100% compatible. Some can be powered with microusb cables but you'll want to make sure they are at least 5v/2a so most cell phone chargers in the past 5 years or so will do the job - but not all of them. Both rock64 and odroid sell their own power supply for $5-$10 and I like those to avoid the temptation of just plugging it into the usb port of my desktop - remember that our goal is to isolate the system. Rock64 and odroid also sell USB wifi adapters, but I like this one from amazon: https://www.amazon.com/gp/product/B00EQT0YK2/. Nearly all boards will require a microSD card in order for you to store the OS and files on, for maximum compatibility and reliability I'd suggest class 10 cards. This 32gb kingston card is a great deal at under $5 https://www.amazon.com/gp/product/B079GTYCW4/ and if you don't already have one, an sd card reader: https://www.amazon.com/Anker-Portable-Reader-RS-MMC-Micro/dp/B006T9B6R2/

3) Once you have your SBC, microsd card, and reader device, you'll want to look at the manual or read the board manufacturers website to find the operating system image files. It's important to use the operating systems they provide to ensure everything works 100%. Generally speaking your best choice will be either ubuntu or armbian as these are the 2 with the most documentation but if you're more comfortable with another OS the manufacturer provides by all means go for it.

4) After you download the OS of your choice it will either come as a .zip/.rar or .iso file. If it came as a .zip/.rar go ahead and extract it and then plugin your microsd card + reader, and download the program win32diskimager which is available for free. Win32diskimager does a pretty good job of explaining itself but if you're not sure there are plenty of youtube videos showing the process, you just want to select your microsd card, and write the .iso file containing your operating system to it.

5) Once you've finished writing the operating system to the microsd card you're ready to insert it to your SBC, simply pop it in to the correct slot, connect your power source, usb wifi adapter, a monitor, keyboard, and mouse, and boot up! Depending on the operating system you may be greeted with an option to change your default password or be taken straight into a desktop environment. If it's your first time using a linux based OS take a moment to read/watch some tutorials on basic system management so that you can add a non-root user (for security purposes), perform system updates, and familiarize yourself with some basic operations.

Once it's setup and ready to go remember to only use it for banking and financial purposes, these SBCs are small enough that you can keep them at your main desk and simply plugin your main monitor/keyboard/mouse as needed or if you're going to be using it often invest in a cheapo LCD monitor and wireless keyboard/mouse combo.
Jump to: