If my online banking system uses SSL and has a HTTPS prefix, is it safe to do my banking at wireless hotspots?
Thanks
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Nothing is 100% secure, however, make sure your banks website supports a minimum of 128 bit encryption. Find out a little more about thier site and security policies. Findout what your banks policies are if a compromise does happen. Most banks will have recommendations concerning your device/browser configuration and how to secure it. I feel safe perfoming online banking and have been doing so for several years.
harbor235
Yea the SSL is secure on the banks side, however, the information going from your PC to the banks site would be accessible. So you need to make sure you wireless network is secure as possible, using WPA w/ rotating key, do not broadcast SSID and set up MAC filtering. This will prevent anyone from accessing your network, which would make it easy for them to install a keylogger/backdoor to easily receive your bank info along with anything else you do online.
With all that said, I would have to say if you keep a virus scanner / firewall and updated on Windows Updates and use those wireless tips I gave you above you don't have to worry about it. The thing is, even if the bank is secure, but you have a backdoor/keylogger your banks secuirty doesn't matter because your already compromised. I personally don't use Internet Explorer to check my online banking, try Mozilla Firefox ( www.mozilla.com/firefox ). Don't ever reply to any emails saying you need to update your bank info or paypal info, etc... That is an attempt of phishing your account or personally information.
Please let me know if you have any questions on anything I said, or if you would like more detail in any of the areas.
Thanks in advance,
Jorden
Tech-Security
"Yea the SSL is secure on the banks side, however, the information going from your PC to the banks site would be accessible."
No, it wouldn't. SSL encrypts the whole connection, data flowing both ways is encrypted and secure.
The original poster also said this was a WiFi HotSpot, so there's not much he can do about changing the WiFi security settings. When the connection is using SSL though, lack of WEP isn't a problem for that specific usage. A hacker can tell that you're using your bank, but he can't read any of the information sent both ways. Assuming you check the SSL Certificate as I detailed above, he also can't do a man-in-the-middle attack.
Keyloggers are a valid point, however. Make sure you're running a firewall, and that the firewall is set in Internet mode and not Local Network mode (most Windows personal firewalls have switches like that, AFAIK. In Local Network mode, your file shares and such are accessible to the local net, and if you're on a WiFi, that means the world. In Internet mode, most things should be closed).
"No, it wouldn't. SSL encrypts the whole connection, data flowing both ways is encrypted and secure."
That statement is obvious, considering thats the point of an SSL. I was stating that when entering his login/password that would be picked up no problem ( in certain cases). So worrying about the SSL connection / etc isn't really his issue, His issue would be security on that local computer, as I stated anti virus / firewall / windows updates, different browser than IE. I havn't seen a mode like that on numerous software firewalls. Try Sygate Personal Free or Pro edition, http://smb.sygate.com/prod
Very true about the wifi hotspot, I didn't catch that part when reading the post.
I would only be concerned with your secuirty settings locally. Let me list some programs that will keep your personal PC clean and running smooth with very little time in maintainance.
Detection / Removal:
1) Antivirus:
Kaspersky Antivirus 5.0 (new version) http://www.kaspersky.com/p
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.
AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.
http://www.grisoft.com/us/
2) Adware Personal SE: http://files3.majorgeeks.c
3) CWSheddar - http://files3.majorgeeks.c
4) HiJackThis - Run this program again and then copy/save the log and goto www.hijackthis.de and paste/load your log into there to be analyzed. See if anything is labeled "nasty" if so, in hijack this, put a check in the box next to the items the website labels nasty.
If hijack this looks ok, reboot and move along to PREVENTION.
Prevention:
1) Run windows updates to make sure you are fully patched. Also might want to try: http://www.microsoft.com/t
2) Always a good idea to have a backup browser, these days tons of exploits are publically released against Internet Explorer. I'd check out Firefox: http://www.mozilla.org/pro
3) Software firewall: Sygate Personal Firewall: http://smb.sygate.com/down
4) Virus software: If you have money buy, Kaspersky, www.kaspersky.com , Kaspersky is extremly useful for it blocks malicious scripts from the web, which a large percent of spyware comes from, also has definitions for adware/riskware/malware/et
Additonal clean up:
CCleaner - http://www.majorgeeks.com/
This program will clean out, temp, temp internet files, all the other junk that sites around on the computer, will help performance.
RegCleaner - http://www.majorgeeks.com/
This program will remove any missing or invalid registry entries as well as perform a complete backup of changes you made. Very nice addition to system maintainance
Good Luck,
Jorden
Tech-Security
"No, it wouldn't. SSL encrypts the whole connection, data flowing both ways is encrypted and secure."
The entire session is encrypted, including the authentication via username and password. What would be the point if the entire session was not encrypted. Local security is an issue, I agree, people should follow industry best pratices for setting up thier systems.
harbor235
Since it's a hotspot network, your connection will be secure... most of the time.
Consider the following scenario:
A cunning hacker knows you are going to access your bank's website for online banking. He got to the wireless network before you did, use methods such as arp spoofing so all your wireless connection will be passing through his computer. Then he creates a spoof ssl certificate that looks like the bank's certificate (though not signed properly) and proxy your traffic through. Now you just log on, and he'll just collect your password, plus money perhaps.
Technically challenging, but not impossible to do. Your only bet against this type of attack is to check the digital certificate of the bank properly and make sure it's signed by your trusted CA. Just as Vinterstum said earlier:
"Make sure you double-check the bank's Certificate though, when you are at their secure page (with HTTPS prefix). There should be a small lock icon at the bottom corner of your browser. Double click it, and check that the company name matches the name of your bank. Any other problems with the certificate and your browser will pop up a warning."
HH
Business Accounts
Answer for Membership
by: VinterstumPosted on 2005-01-13 at 07:17:37ID: 13034855
Yes. When the connection between client (your PC) and server (the bank) is encrypted using SSL,
it doesn't matter if a hacker can capture the packets flowing between the two. He can't get any information from them.
Make sure you double-check the bank's Certificate though, when you are at their secure page (with HTTPS prefix). There should be a small lock icon at the bottom corner of your browser. Double click it, and check that the company name matches the name of your bank. Any other problems with the certificate and your browser will pop up a warning.