A special browser designed for online banking. Good idea, or not so much?

A special browser designed for online banking. Good idea, or not so much?

The German Sparkasse bank has launched a browser that is especially designed to do your online banking. The browser called S-Protect is available for macOS and Windows users.

The idea is interesting, since having a separate browser for banking can certainly add an extra layer of security.

Separate browsers

Unfortunately there is a low correlation factor between what most people find the best browsers and what are the best browsers when it comes to privacy and security. If you look at the market share of the most popular browsers, there is one browser that steals the crown without a lot of competition: Google’s Chrome. But as we all know there are more secure and privacy oriented browsersavailable.

I have personally advocated for using different browsers for different things in the past and I still use that method myself, but using a browser that is designed for banking alone? Why not use the app instead? What’s the difference?

S-Protect

According to the Sparkasse’s website[in German] S-Protect is a so-called ‘hardened banking’ browser. You can best think of it as an additional protective screen for online banking. S-Protect prevents Trojans and other malicious programs that may have hidden on your computer from spying on or manipulating online banking. Setting up and using S-Protect is child’s play and gives you a great security advantage in all financial transactions.

The browser has been built for Sparkasse by Coronic GmbH who has built a “protect browser” for other clients and who add that:

“with PROTECT you can work securely on any PC and smart device – even if the computer is already compromised. Malware and hackers don’t stand a chance. Banking and payment remain secure. This helps bank customers who are still reluctant to do online banking.”

Advantages

Your advantages with S-Protect would be:

  • Additional protection against data theft, phishing attacks, fake websites
  • Easy handling, no installation or configuration
  • Automatic login function
  • No interference with other security procedures

Access to third-party websites, like manipulated or fake banking sites will be automatically blocked, because the browser is based on the “know your friends” principle, which limits the sites it can visit to that of the bank and their partners.

Phishing

In addition, the browser checks the security certificates of the pages to ensure their authenticity. However, if a user clicked on a phishy link in their email client then the URL will be opened in their default browser. If that default browser is not S-Protect—and why would it be, given its limited reach—the phishing site will be opened. That’s not S-Protect’s fault, but it just means that users will still need to keep their wits about them to make sure they’re using the correct browser.

Infected system

Sparkasse claims that the browser can be safely used for banking on an infected system, but we would advice very strongly against doing this. We also could not find any information about how the browser is hardened. For example, S-Protect claims to block screenshots of the browser, but would it stop a keylogger from being able to intercept what you are doing?

Disclaimer

Even though the idea deserves merit, I think we should be careful and not expect miracles to happen. Many browsers already have sandboxing in place. Sandboxing is the practice where an application, a web browser, or a piece of code is isolated inside a safe environment against any external security threat. That will stop malware from escaping the browser onto the system or the network. But none have demonstrated a good level of the other way around—stopping malware on the system affecting the browser—however hardened the browser may be. I can only hope Coronic will prove me wrong.

I would have loved to try some of the features of this browser, but I was unable to install S-Protect on my Windows 7 VM so the testing ended there for me.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.