Is it safe accessing bank websites without any protection?

I have aa old laptop which I intend to use ONLY for accessing bank websites and making transactions. I was going to install all kinds of anti-virus on it, but for some reason Windows 7 won’t install the necessary updates in order to install protection software like Malwarebytes, so I gave up. If needed be, I make a fresh windows install.

Anyway, MY QUESTION is: is it safe to use a PC with windows 7 without any updates or any kind of protection whatsoever ONLY to access bank webpages and never saving any passwords? Or am I still under some considerable risk?

muguetao said:

Anyway, MY QUESTION is: is it safe to use a PC with windows 7 without any updates or any kind of protection whatsoever ONLY to access bank webpages and never saving any passwords? Or am I still under some considerable risk?

If you only, and I mean ONLY visit bank websites, then the possible risk of somehow getting malware is highly unlikely. You want to go to the bank website directly though. Don't use Google or some other search engine. Reason I say this is then you'll need Ad mitigation since Ads can be laced with a malicious payload. It's called Malvertising. Bank website's can be hacked, but it's not that easy to do and would be something more for a state sponsored actor.


I'm here to tell you it's a bit of a fallacy that you need every Windows update imaginable otherwise you're somehow "exposed". I only have but four updates installed for software/hardware needs. I'm a bit unorthodox., but this ship is pretty tight none the less, let me tell you. Emphasis on the unorthodoxy on my malware protection/anti-hacking strategy. I look for things like alternative data streams, hooks, rouge modules, etc. I go above and beyond and I don't use an anti-virus. Last time I got infected was when I ran Windows 98se. And I had AVG installed of all things. Anti-virus software now-a-days is full of shenanigans with the interception of your TLS encrypted connections and sending telemetry back to home base. I think it's Norton that now packs a crypto miner. Ah, hello? what ever happened to the core of the software of virus mitigation? Modern day anti-virus software is vastly over bloated and useless for many reasons. Chances are you'll get more false positives then negatives. I also run my browser in Sandboxie. So if you're interest in that, and willing to learn check that out. My install is highly customized though.

What I do in the absence of anti-virus software is just upload each and every single cotton picking download (some images as well) to Virus Total. The general consensus is four hits and you toss. But it depends on what you have there, and if you know how to read the relations and behaviors if available at VirusTotal. Read my post here on how I use a file hash. Firewall recommendation for Win7

It's probably waaay over the top for you though. I should do a video post on my website for this. Been meaning to.

Anyway, your router is probably more prone to being infected. Not saying Windows updates and software updates or even firmware updates should be avoided. It's just how you use them and which you decide to install. I can tell you a lot of the Windows updates invoke telemetry beyond what your other installed software does behind the scenes you don't know about.

I've been of the opinion that the likelihood of an "update" turning into a downgrade is more statistically probable than lightning on the moon. I can't tell you how many times something I've had here whether it be hardware, software or an OS get completely hosed because of an "update." And it looks true for lots for others as well just me being on various tech forums for almost two decades. Heck, just two days ago an update to a software I use hosed it over. It's called Protonmail Bridge. I'll spare the description of what it does...

If there's one thing you should keep updated on that old laptop is the browser. Eventually that may be harder to do as updates progress...

Something else. You said, " I was going to install all kinds of anti-virus on it." Bad idea. They'll work against each other.

Being perfectly honest. I'd just install Linux if you're just going to use this old laptop for banking transactions. Plus, you'll benefit from the speed improvement from Linux. Linux isn't for everyone, but simple browser apping shouldn't be much of an issue. Zorin looks promising. Zorin OS - Make your computer better.

The other thing about Linux is you petty much don't need anti-virus software and don't have to scan everything and what not like I do all the time in Windows. Yes, Linux has viruses and there's still a hack potential, but it's not as prevalent as Windows. Heck, most servers run Linux and they're hacked all the time. The chief difference though is that a server has open ports utilizing all or damn near all seven layers of the OSI model. Without an open port you can't connect to that website, cloud service, and everything under the sun you may connect to.

F22 Simpilot said:

...

People in other forums also suggested me Linux. I'll probably lose a few hours to get the hang of it, but it seems to be the best solution.

In any case, thanks for your answer, sir!

muguetao said:

People in other forums also suggested me Linux. I'll probably lose a few hours to get the hang of it, but it seems to be the best solution.

Some bank websites will not allow you to log-in with Linux. For example, Chase.
They somehow can detect that you are not running Windows or Mac OS, and deny your log-in.

And it looks like you're correct. Chase Bank Login Using Linux - Linux Mint Forums

Total nonsense given their lackluster of REAL security hygiene. I'll state two prime examples:

1) They don't use real 2FA with Authy, Aegis authenticator, andOTP, or something like a Yubikey which I believe Google touts on about given its apparent track record of account take over mitigation. JP Morgan Chase, one of the largest banks in the world, worth ~550 billion with > 2.6 trillion in assets can't afford to use this? Can they afford a PR nightmare upon account takeover I wonder? Database leaks are huge business now-a-days. Once that information becomes public record in some hacker forum it's game over for the customer's banking, personal and financial life. No, instead Chase uses two weaklings: SMS or email 2FA. The two biggest no, no's in 2FA implementation since trying to take an emotional support peacock onboard a commercial aircraft was stupid. Where's my emotional support wolf! Get that peacock som bitch!

2) Denying the use of the Linux OS is like saying because "this broadsword" can be used for this and that we won't allow it even though its a double edged broadsword. Chase seems to think if it's Linux it's automatically a strong indicator of hack potential. Thus its blacklisted. Nothing could be farther from the truth. For one, anyone running a Linux OS is going to be on an order of magnitude more secure than a Windows OS. Even if a customer uses a mobile device running Android or iOS, that platform can incur shenanigans because of its take over capable framework to the mobile device. You can hear the microphone, record text input, watch the camera, track location, etc. And this idea Linux is the only OS used by a bad actor isn't true at all. You can run copious amounts of glorious hacker crap Python scripts right in Windows 10 or 11 for Zeus sakes!


There are way better security mitigation paths to go by. HTTP version, headers, useragent (for what ever that's worth, but a useful metric I suppose), PTR of connecting IP, IP reputation, any open web sockets? How about ports 1 through 65535? The bloody list goes on and on. I know because when I secured the absolute living Hades out of my website I structured everything in a way to make it more difficult to hack while at the same time try to make it less cumbersome to a legit user. Although, the way I currently roll means most VPNs are blocked. Certainly Tor is blocked.

At any rate, I wouldn't use the OS as a metric for possible shenanigans. There are way better metrics to go by, and those "fingerprints" need to be quantified for severe to less severe. Example: IP address 1.2.3.4 is using HTTP version 1.1, IP is a legit ISP, and has an open port of 7547. I'd treat it as a possible hacked router or modem based on its fingerprint. Did an OS play a roll here? No, no it didn't. The OS indicator, the user agent, can be spoofed. That's what I'd do. Heck, I do this in Nmap all the damn time to test my security setup at home and on the Internet!

Now what's so damn astonishing is that I use 2FA for websites that don't even come close to the mass of capital that JP Morgan Chase is in possession of. Yet these "peasant" websites pay for the 2FA API with no issues that I know of knowing they'd rather keep their users safe rather than sorry. And 99% of these websites I use that employ 2FA don't even deal with money as their product! What does this say about JP Morgan Chase? To me it means use more Monero! LOL! And of course that means more and more governments will try and ban it which will only back fire harder than a pit bull that just ate a Taco Bell 12 pack!