Solved

Is banking over coffee-shop wifi SAFE?

Posted on 2016-08-21
Last Modified: 2016-09-05
If my browser shows the padlock and my connection is httpS to the bank, does it matter that I'm banking over public wifi?

My buddy tells me that it would be safer if I was on a VPN, but is that like a tunnel inside a tunnel? Is that overkill? Is httpS enough?

Is the encryption protection that VPN offers any BETTER than httpS?

Please make my latte / banking experience safer!!

Thanks,
Mike
0
Question by:mike2401
16 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 41764723
Definitely NOT SAFE!!! whether http or https
Your friend is correct
Use VPN if you have that to a private network you are part of instead

The difference in layman's terms.
While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others.

Without the VPN, you're sharing network connection with others and everyone has capability to sniff all the traffic on that network including your bank transactions.
0
 
LVL 20

Expert Comment

by:jmcg
ID: 41764778
The HTTPS protocol may be compromised by "man-in-the-middle" attacks, which an attacker can perpetrate if they get you to choose their WiFi as your connection. Coffee shop WiFi is not as bad as airports, but attacks are possible. You might want to use your phone's WiFi hotspot capabilities for more sensitive communications; it's harder for someone to get between your phone and your other device.

A public VPN adds an additional layer of safety. You may still be vulnerable to bad guys at the VPN provider, but nobody else would be able to get into the "middle" and access your data. So, yes, it is better than just relying on HTTPS.
0
 
LVL 17

Accepted Solution

by:
Learnctx earned 500 total points
ID: 41764888
Any network you don't trust is not safe and that includes the Internet...from home. If you trust the Internet then some coffee shop Wi-Fi is no worse. If you're using a browser, validate the certificate. If you're using your mobile banking app, that's another story. You won't visibly be able to see if you're being SSL intercepted; that said, most mobile banking apps from any bank worth knowing about use SSL pinning to avoid MiTM attacks. If they don't, move to another bank. As long as you establish an SSL connection (>sha1) you'll be fine; let someone sniff all they want.

Does a VPN add extra protection over SSL?  I would say it is not worth the effort unless you can't tell if SSL has been stripped from your session back to HTTP or if you're inclined to ignore untrusted certificate warnings... VPN is more worthwhile to protect your unencrypted traffic or to prevent someone being able to see what destinations you're going to. If you had a device that came pre-installed with some certs which had compromised private keys (Lenovo's, etc.) then I would say yes a VPN would also help you in that scenario.
0
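
Added example (not part of the answer above or any poster's code): a Python sketch of what certificate pinning adds on top of ordinary CA and hostname validation, and how a client can read the negotiated protocol version. The function names and the constructed test bytes are assumptions; real apps often pin the public key rather than the whole certificate.

```python
import hashlib
import hmac
import socket
import ssl


def strict_context():
    """Client context: CA validation and hostname check on, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert, pinned):
    """True if the certificate matches one of the pinned fingerprints.

    Pins may be written 'AA:BB:...' or 'aabb...'; both forms are accepted.
    """
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower().replace(":", ""))
               for p in pinned)


def connect_pinned(host, pinned, port=443, timeout=5.0):
    """Handshake with full validation, then enforce the pin.

    Returns (protocol version, fingerprint); raises ssl.SSLError on any
    validation failure or pin mismatch, so an intercepting proxy with a
    CA-signed but different certificate is still rejected.
    """
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_ok(der, pinned):
                raise ssl.SSLError("certificate does not match any pinned fingerprint")
            return tls.version(), fingerprint(der)
```

`connect_pinned` needs network access and a fingerprint recorded over a trusted connection; the other functions run offline.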

 

Author Comment

by:mike2401
ID: 41765078
as to:

"Without the VPN, you're sharing network connection with others and everyone has capability to sniff all the traffic on that network including your bank transactions.":

@akinsd:  Assuming I didn't accept a bogus certificate, and I see the lock and I'm in an SSL session with the bank,  if someone  sniffed my traffic,  wouldn't they just see "white noise"??

Likewise, if I was in a VPN on the same network as someone else, if they sniffed, wouldn't they just see "white noise"??

Thanks for helping me understand useful sniffing,
-Mike
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 41765206
If your bank has an app, then that's the best (more secure) way to do banking online.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41765213
"While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others."

That depends on whether you're forcing all traffic down the tunnel, and more importantly, what type of VPN you're using.  PPTP VPNs, for example, are mostly unencrypted.  Some VPNs allow split-tunneling.  You need to make sure that split-tunneling isn't enabled if taking this approach and that you use an IPSec VPN at the very least which uses secure hashing and encryption methods.

As long as the site you access uses HTTPS and is secured with a certificate using SHA256 and an appropriate key-length you will be ok providing that you are sure though that you're actually verifying the correct certificate before you pass any sensitive information over the SSL-encrypted connection.  That comes down to education.  If you're unsure, don't do it.
0
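
Added example (not from the thread): one way to check the split-tunnelling concern raised in the comment above on Linux is a longest-prefix match over `ip route` output, which shows which interface a given destination actually leaves through. The interface names `tun0` and `wlan0`, both routing tables and the documentation-range addresses are constructed assumptions.

```python
import ipaddress

# Constructed `ip route` output: VPN up, but the default route still uses Wi-Fi.
SPLIT_TUNNEL = """\
default via 192.168.1.254 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link
192.168.1.0/24 dev wlan0 proto kernel scope link
"""

# Constructed `ip route` output: two /1 routes override the default route, and
# only the VPN server itself (203.0.113.7) is reached directly over Wi-Fi.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.254 dev wlan0
203.0.113.7 via 192.168.1.254 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link
192.168.1.0/24 dev wlan0 proto kernel scope link
"""


def parse_routes(text):
    """Return [(network, device)] for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes


def egress_interface(routes, dest):
    """Device chosen by longest-prefix match, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def off_tunnel(routes, dests, vpn_dev="tun0"):
    """Destinations that would bypass the VPN interface."""
    return [d for d in dests if egress_interface(routes, d) != vpn_dev]
```

On a real machine, feed `parse_routes` the output of `ip route` and pass the resolved addresses of the sites you care about to `off_tunnel`; an empty list means they all go through the tunnel.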
 
LVL 95

Expert Comment

by:John Hurst
ID: 41765225
I only use my HUAWEI card or my iPhone as a connection point when not on a known trusted network. I have never had any issues doing this.

My laptop also has commercial antivirus and firewall protection which helps.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 41766521
You can download Wireshark and capture traffic for a few seconds while on the public wifi to analyze it. SSL is no longer as secure as it used to be and most secure government sites now require TLS instead. Google recently retired SSL on hosted domains as well.

Simply put
On a public wifi, everyone shares the same IP range and gateway, e.g. 192.168.1.1 - 253 and maybe a 254 gateway. Everyone on the network has the ability to see all traffic on the network but may not necessarily have the technology or expertise to crack the information. VPN isolates your traffic (uses a separate IP and gateway even though it's still on the public wifi - not all VPN connections use split tunnelling, and if one does, the access list can be modified to include banking sites to pass through the tunnel).

My goal is to convince you that your information is not safe on any public network. VPN is very broad and I won't go into details to avoid confusing you any further, at least for now.

Rule of thumb.
No network connection or environment has foolproof security. All security measures are meant to make penetration as difficult as possible, hence frequent changes in certificates (shorter life span), security keys, passwords, etc.

It's your money and your prerogative how you plan to protect it.
Here are some articles that may help
http://www.darkreading.com/attacks-breaches/ssl-drowns-in-yet-another-serious-security-flaw/d/d-id/1324521
https://en.wikipedia.org/wiki/POODLE
http://heartbleed.com/
https://freakattack.com/
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41766803
"VPN isolates your traffic (uses a separate IP and gateway even though it's still on the public wifi."

As I said, only if it's encrypted, and even then the encryption and hash needs to be good enough.

"- not all VPN connection use split tunnelling and if it does, the access list can be modified to include banking sites to pass through the tunnel)"

Good luck with that.  I wouldn't want to write the ACL to include each bank's IP address :-)

The links you posted, Akinsd, are all pretty much old news now for banks if they value security.  DROWN, Heartbleed and Poodle vulnerabilities have been fixed in any reputable system's X.509 certificates so they're really not an issue now and all recent browsers use SSL/TLS and disable legacy protocols.  Of course, they are still an issue for some sites.

As I said, if you don't know what you're doing or know how to properly verify the server certificate, etc, don't do anything that requires security on a public network; wireless or wired.  That's not to say that your home network is completely safe though :-)
0
 

Author Comment

by:mike2401
ID: 41767029
Yikes!  Scary @Akinsd:   How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?

Separate from where I am, I would like to know if they are securing my transaction in Chrome.

Thx

Mike
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41767031
The world is moving to TLS for sure, but SSL is not hopelessly insecure. It is better than nothing for sure. But I still use my own connection and stay away from public connections. Not worth the risk.
0
 

Author Closing Comment

by:mike2401
ID: 41772139
Thank you everyone!
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 41772248
For whatever it's worth.
Please do NOT use public networks for sensitive transactions.
Most organizations that provide public Wifi usually warn you that your traffic may be visible to others.
Please don't learn the hard way!

That's my 2 cents
0
 
LVL 64

Expert Comment

by:btan
ID: 41773414
"How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?"
Try an online scan, which is also commonly used for compliance snapshot checks.
https://www.ssllabs.com/ssltest/
0
 

Author Comment

by:mike2401
ID: 41784678
Great link @btan !!!

Glad my bank gets an A !!!
0
 
LVL 64

Expert Comment

by:btan
ID: 41784890
Thanks mike2401 for sharing if this is a good comment
0

Question has a verified solution.