Is banking over coffee-shop wifi SAFE?

If my browser shows the padlock and my connection is httpS to the bank, does it matter that I'm banking over public wifi?

My buddy tells me that it would be safer if I was on a VPN, but is that like a tunnel inside a tunnel? Is that overkill? Is httpS enough?

Is the encryption protection that VPN offers any BETTER than httpS?

Please make my latte / banking experience safer!!

Thanks,
Mike
mike2401 asked:
Learnctx (Engineer) commented:
Any network you don't trust is not safe, and that includes the Internet... from home. If you trust the Internet, then some coffee shop Wi-Fi is no worse. If you're using a browser, validate the certificate. If you're using your mobile banking app, that's another story: you won't visibly be able to see if you're being SSL intercepted; that said, most mobile banking apps from any bank worth knowing about use SSL pinning to avoid MiTM attacks. If they don't, move to another bank. As long as you establish an SSL connection (>SHA1) you'll be fine; let someone sniff all they want.

Does a VPN add extra protection over SSL? I would say it is not worth the effort unless you can't tell if SSL has been stripped from your session back to HTTP, or if you're inclined to ignore untrusted certificate warnings... A VPN is more worthwhile to protect your unencrypted traffic or to prevent someone being able to see what destinations you're going to. If you had a device that came pre-installed with some certs which had compromised private keys (Lenovo, etc.), then I would say yes, a VPN would also help you in that scenario.
0
 
Akinsd (Network Administrator) commented:
Definitely NOT SAFE!!! Whether HTTP or HTTPS.
Your friend is correct.
Use a VPN to a private network you are part of instead, if you have that.

The difference in layman's terms:
While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others.

Without the VPN, you're sharing a network connection with others, and everyone has the capability to sniff all the traffic on that network, including your bank transactions.
0
 
jmcg (Owner) commented:
The HTTPS protocol may be compromised by "man-in-the-middle" attacks, which an attacker can perpetrate if they get you to choose their WiFi as your connection. Coffee shop WiFi is not as bad as airports, but attacks are possible. You might want to use your phone's WiFi hotspot capabilities for more sensitive communications; it's harder for someone to get between your phone and your other device.

A public VPN adds an additional layer of safety. You may still be vulnerable to bad guys at the VPN provider, but nobody else would be able to get into the "middle" and gain access to your data. So, yes, it IS better than just relying on HTTPS.
0
 
mike2401 (Author) commented:
As to:

"Without the VPN, you're sharing a network connection with others, and everyone has the capability to sniff all the traffic on that network, including your bank transactions.":

@akinsd: Assuming I didn't accept a bogus certificate, and I see the lock and I'm in an SSL session with the bank, if someone sniffed my traffic, wouldn't they just see "white noise"??

Likewise, if I was in a VPN on the same network as someone else, if they sniffed, wouldn't they just see "white noise"??

Thanks for helping me understand useful sniffing,
-Mike
0
 
Don Johnston (Instructor) commented:
If your bank has an app, then that's the best (most secure) way to do banking online.
0
 
Craig Beck commented:
"While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others."

That depends on whether you're forcing all traffic down the tunnel, and more importantly, what type of VPN you're using. PPTP VPNs, for example, are mostly unencrypted. Some VPNs allow split-tunneling. You need to make sure that split-tunneling isn't enabled if taking this approach, and that you use an IPSec VPN at the very least, which uses secure hashing and encryption methods.

As long as the site you access uses HTTPS and is secured with a certificate using SHA256 and an appropriate key length, you will be OK, provided that you are sure you're actually verifying the correct certificate before you pass any sensitive information over the SSL-encrypted connection. That comes down to education. If you're unsure, don't do it.
0
 
John Hurst (Business Consultant, Owner) commented:
I only use my HUAWEI card or my iPhone as a connection point when not on a known trusted network. I have never had any issues doing this.

My laptop also has commercial antivirus and firewall protection which helps.
0
 
Akinsd (Network Administrator) commented:
You can download Wireshark and capture traffic for a few seconds while on the public wifi to analyze it. SSL is no longer as secure as it used to be, and most secure government sites now require TLS instead. Google recently retired SSL on hosted domains as well.

Simply put:
On a public wifi, everyone shares the same IP range and gateway, e.g. 192.168.1.1 - 253 and maybe a 254 gateway. Everyone on the network has the ability to see all traffic on the network, but may not necessarily have the technology or expertise to crack the information. A VPN isolates your traffic (it uses a separate IP and gateway even though it's still on the public wifi; not all VPN connections use split tunnelling, and if one does, the access list can be modified to include banking sites to pass through the tunnel).

My goal is to convince you that your information is not safe on any public network. VPN is a very broad topic and I won't go into details to avoid confusing you any further, at least for now.

Rule of thumb:
No network connection or environment has foolproof security. All security measures are meant to make penetration as difficult as possible, hence the frequent changes in certificates (shorter life spans), security keys, passwords, etc.

It's your money and your prerogative how you plan to protect it.
Here are some articles that may help:
http://www.darkreading.com/attacks-breaches/ssl-drowns-in-yet-another-serious-security-flaw/d/d-id/1324521
https://en.wikipedia.org/wiki/POODLE
http://heartbleed.com/
https://freakattack.com/
0
 
Craig Beck commented:
"A VPN isolates your traffic (it uses a separate IP and gateway even though it's still on the public wifi..."

As I said, only if it's encrypted, and even then the encryption and hash need to be good enough.

"... not all VPN connections use split tunnelling, and if one does, the access list can be modified to include banking sites to pass through the tunnel)"

Good luck with that. I wouldn't want to write the ACL to include each bank's IP address :-)

The links you posted, Akinsd, are all pretty much old news now for banks, if they value security. The DROWN, Heartbleed and POODLE vulnerabilities have been fixed in any reputable system's X.509 certificates, so they're really not an issue now, and all recent browsers use SSL/TLS and disable legacy protocols. Of course, they are still an issue for some sites.

As I said, if you don't know what you're doing or don't know how to properly verify the server certificate, etc., don't do anything that requires security on a public network, wireless or wired. That's not to say that your home network is completely safe though :-)
0
 
mike2401 (Author) commented:
Yikes! Scary @Akinsd: How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?

Separate from where I am, I would like to know if they are securing my transaction in Chrome.

Thx

Mike
0
 
John Hurst (Business Consultant, Owner) commented:
The world is moving to TLS for sure, but SSL is not hopelessly insecure. It is better than nothing for sure. But I still use my own connection and stay away from public connections. Not worth the risk.
0
 
mike2401 (Author) commented:
Thank you everyone!
0
 
Akinsd (Network Administrator) commented:
For whatever it's worth:
Please do NOT use public networks for sensitive transactions.
Most organizations that provide public Wifi usually warn you that your traffic may be visible to others.
Please don't learn the hard way!

That's my 2 cents.
0
 
btan (Exec Consultant) commented:
"How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?"
Try an online scan, which is also commonly used for a compliance snapshot check:
https://www.ssllabs.com/ssltest/
0
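What Craig Beck's "verify the correct certificate" and the SSL-vs-TLS question answered above actually mean to a browser can be shown in a few lines of Go. This is an added example, not code from any poster or from SSL Labs: it mints throwaway certificates for a made-up host name (bank.example) and plays a browser against three servers on loopback: the genuine bank, an impostor presenting a same-named certificate from an issuer the browser does not trust (what an interception on a shared network looks like to the client), and a bank capped at TLS 1.2 facing a client that insists on TLS 1.3. Only the first handshake succeeds.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)
// selfSigned mints a throwaway certificate for dnsName (constructed test data, not a real bank's) and a trust store holding only it.
func selfSigned(dnsName string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}
// Handshake runs one TLS handshake over loopback TCP (serverCfg plays the bank, clientCfg the browser); nil means the padlock would show.
func Handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the server answers one connection; the client side decides the outcome
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}
// Demo models the thread's advice: trust only the expected root, check the hostname, set a protocol floor. Returns true, false, false.
func Demo() (genuineOK, impostorOK, oldVersionOK bool) {
	bankCert, bankRoots := selfSigned("bank.example")
	impostorCert, _ := selfSigned("bank.example") // right name, untrusted issuer: what an interceptor would present
	browser := &tls.Config{RootCAs: bankRoots, ServerName: "bank.example", MinVersion: tls.VersionTLS12}
	strict := &tls.Config{RootCAs: bankRoots, ServerName: "bank.example", MinVersion: tls.VersionTLS13}
	genuineOK = Handshake(&tls.Config{Certificates: []tls.Certificate{bankCert}}, browser) == nil
	impostorOK = Handshake(&tls.Config{Certificates: []tls.Certificate{impostorCert}}, browser) == nil
	oldVersionOK = Handshake(&tls.Config{Certificates: []tls.Certificate{bankCert}, MaxVersion: tls.VersionTLS12}, strict) == nil
	return
}
```

The impostor case fails before any data is sent, which is the "bogus certificate" warning mike asks about; a padlock only means the check passed, so never click through it.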
 
mike2401 (Author) commented:
Great link @btan!!!

Glad my bank gets an A !!!
0
 
btan (Exec Consultant) commented:
Thanks, mike2401, for sharing whether this is a good comment.
0