Solved

Is banking over coffee-shop wifi SAFE?

Posted on 2016-08-21
16
112 Views
Last Modified: 2016-09-05
If my browser shows the padlock and my connection is httpS to the bank, does it matter that I'm banking over public wifi?

My buddy tells me that it would be safer if I was on a VPN, but is that like a tunnel inside a tunnel?  Is that over-kill?   Is httpS enough?

Is the encryption protection that VPN offers any BETTER than httpS?

Please make my latte / banking experience safer!!

Thanks,
Mike
0
Question by:mike2401
16 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 41764723
Definitely NOT SAFE!!! whether http or https
Your friend is correct
Use VPN if you have that to a private network you are part of instead

The difference in layman's terms.
While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others.

Without the VPN, you're sharing network connection with others and everyone has capability to sniff all the traffic on that network including your bank transactions.
0
 
LVL 20

Expert Comment

by:jmcg
ID: 41764778
HTTPS protocol may be compromised by "man-in-the-middle" attacks, which an attacker can perpetrate if they get you to choose their WiFi as your connection. Coffee shop WiFi is not as bad as airports, but attacks are possible. You might want to use your phone's WiFi hotspot capabilities for more sensitive communications, it's harder for someone to get between your phone and your other device.

A public VPN adds an additional layer of safety. You may still be vulnerable to bad guys at the VPN provider, but nobody else would be able to get into the "middle" and access your data. So, yes, it is better than just relying on HTTPS.
0
 
LVL 16

Accepted Solution

by:Learnctx (earned 500 total points)
ID: 41764888
Any network you don't trust is not safe and that includes the Internet...from home. If you trust the Internet then some coffee shop Wi-Fi is no worse. If you're using a browser, validate the certificate. If you're using your mobile banking app, that's another story. You won't visibly be able to see if you're being SSL intercepted; that said, most mobile banking apps from any bank worth knowing about use SSL pinning to avoid MiTM attacks. If they don't, move to another bank. As long as you establish an SSL connection (>sha1) you'll be fine; let someone sniff all they want.

Does a VPN add extra protection over SSL?  I would say it is not worth the effort unless you can't tell if SSL has been stripped from your session back to HTTP or if you're inclined to ignore untrusted certificate warnings... VPN is more worthwhile to protect your unencrypted traffic or to prevent someone being able to see what destinations you're going to. If you had a device that came pre-installed with some certs which had compromised private keys (Lenovo's, etc.) then I would say yes a VPN would also help you in that scenario.
0
 

Author Comment

by:mike2401
ID: 41765078
as to:

"Without the VPN, you're sharing network connection with others and everyone has capability to sniff all the traffic on that network including your bank transactions.":

@akinsd:  Assuming I didn't accept a bogus certificate, and I see the lock and I'm in an SSL session with the bank,  if someone  sniffed my traffic,  wouldn't they just see "white noise"??

Likewise, if I was in a VPN on the same network as someone else, if they sniffed, wouldn't they just see "white noise"??

Thanks for helping me understand useful sniffing,
-Mike
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 41765206
If your bank has an app, then that's the best (more secure) way to do banking online.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41765213
"While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others."

That depends on whether you're forcing all traffic down the tunnel, and more importantly, what type of VPN you're using.  PPTP VPNs, for example, are mostly unencrypted.  Some VPNs allow split-tunneling.  You need to make sure that split-tunneling isn't enabled if taking this approach and that you use an IPSec VPN at the very least which uses secure hashing and encryption methods.

As long as the site you access uses HTTPS and is secured with a certificate using SHA256 and an appropriate key-length you will be ok providing that you are sure though that you're actually verifying the correct certificate before you pass any sensitive information over the SSL-encrypted connection.  That comes down to education.  If you're unsure, don't do it.
0
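
Added example (not part of any post in this thread): one way to check the split-tunnelling point raised above is to read the client's routing table and see which interface each destination would actually leave through. The sketch assumes Linux `ip route show` output; the interface names `tun0`/`wlan0`, the sample tables and every address are constructed for illustration.

```python
import ipaddress

# Constructed sample: VPN is up, but only the VPN subnet is routed into it.
SPLIT_TUNNEL = """\
default via 192.168.1.254 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57 metric 600
"""

# Constructed sample: two /1 routes override the default and pull all traffic in.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.254 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.254 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57 metric 600
"""

def parse_routes(text):
    """Return (network, device, metric) tuples from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" carry no usable prefix here
        device = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((network, device, metric))
    return routes

def egress_device(routes, destination):
    """Pick the outgoing interface: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def outside_tunnel(route_text, tunnel_dev, destinations):
    """List the destinations whose traffic would bypass the VPN interface."""
    routes = parse_routes(route_text)
    return [d for d in destinations if egress_device(routes, d) != tunnel_dev]
```

In the full-tunnel sample the only destination left outside the tunnel is the VPN server's own address (203.0.113.10 here), which has to stay on the wifi interface for the tunnel to exist at all.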
 
LVL 90

Expert Comment

by:John Hurst
ID: 41765225
I only use my HUAWEI card or my iPhone as a connection point when not on a known trusted network. I have never had any issues doing this.

My laptop also has commercial antivirus and firewall protection which helps.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 41766521
You can download Wireshark and capture traffic for a few seconds while on the public wifi to analyze it. SSL is no longer as secure as it used to be and most secure government sites now require TLS instead. Google recently retired SSL on hosted domains as well.

Simply put
On a public wifi, everyone shares the same IP range and gateway, e.g. 192.168.1.1 - 253 and maybe a 254 gateway. Everyone on the network has the ability to see all traffic on the network but may not necessarily have the technology or expertise to crack the information. VPN isolates your traffic (uses a separate IP and gateway even though it's still on the public wifi - not all VPN connections use split tunnelling, and if one does, the access list can be modified to include banking sites to pass through the tunnel).

My goal is to convince you that your information is not safe on any public network. VPN is very broad and I won't go into details to avoid confusing you any further, at least for now.

Rule of thumb.
No network connection or environment has foolproof security. All security measures are meant to make penetration as difficult as possible, hence frequent changes in certificates (shorter life span), security keys, passwords, etc.

It's your money and your prerogative how you plan to protect it.
Here are some articles that may help
http://www.darkreading.com/attacks-breaches/ssl-drowns-in-yet-another-serious-security-flaw/d/d-id/1324521
https://en.wikipedia.org/wiki/POODLE
http://heartbleed.com/
https://freakattack.com/
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41766803
"VPN isolates your traffic (uses a separate IP and gateway even though it's still on the public wifi."

As I said, only if it's encrypted, and even then the encryption and hash needs to be good enough.

"- not all VPN connection use split tunnelling and if it does, the access list can be modified to include banking sites to pass through the tunnel)"

Good luck with that.  I wouldn't want to write the ACL to include each bank's IP address :-)

The links you posted, Akinsd, are all pretty much old news now for banks if they value security.  DROWN, Heartbleed and Poodle vulnerabilities have been fixed in any reputable system's X.509 certificates so they're really not an issue now and all recent browsers use SSL/TLS and disable legacy protocols.  Of course, they are still an issue for some sites.

As I said, if you don't know what you're doing or know how to properly verify the server certificate, etc, don't do anything that requires security on a public network; wireless or wired.  That's not to say that your home network is completely safe though :-)
0
 

Author Comment

by:mike2401
ID: 41767029
Yikes!  Scary @Akinsd:   How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?

Separate from where I am, I would like to know if they are securing my transaction in Chrome.

Thx

Mike
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41767031
The world is moving to TLS for sure, but SSL is not hopelessly insecure. It is better than nothing for sure. But I still use my own connection and stay away from public connections. Not worth the risk.
0
 

Author Closing Comment

by:mike2401
ID: 41772139
Thank you everyone!
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 41772248
For whatever it's worth.
Please do NOT use public networks for sensitive transactions.
Most organizations that provide public Wifi usually warn you that your traffic may be visible to others.
Please don't learn the hard way!

That's my 2 cents
0
 
LVL 61

Expert Comment

by:btan
ID: 41773414
"How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?"
Try an online scan, which is also commonly used for compliance snapshot checks.
https://www.ssllabs.com/ssltest/
0
 

Author Comment

by:mike2401
ID: 41784678
Great link @btan !!!

Glad my bank gets an A !!!
0
 
LVL 61

Expert Comment

by:btan
ID: 41784890
Thanks mike2401 for sharing if this is a good comment
0
