What's the safest, most secure way to connect to online banking while on a public WiFi?

Hi, I have a friend who is traveling in Europe soon.  They'll be on public WiFi all the time, wherever they go, and they're concerned about doing things like online banking.

They asked me if they got a good VPN (I use StrongVPN), if that would be secure, because the connection between them and the outside world would be encrypted.

I didn't know the answer, so I am coming to the experts. What's the safest, most secure way for them to connect to online banking while on a public WiFi?

Thanks!
Melody Scott Asked:

John, Business Consultant (Owner), Commented:
I have VPN to my home system and so for banking, I can log into home and do banking there. Same for other sensitive things.

For most casual browsing, email and so on, I have top notch firewall and anti virus and then public internet is OK.

When in my own country, I use my HUAWEI Internet stick as it is much more secure than public Wi-Fi.

Be sure to use the Guest NIC profile and NOT Private. This will be automatic in Windows 10.
Giovanni Heward Commented:
Your best bet would be a trusted VPN.

As an extra measure of caution, you could have them record the certificate thumbprint of each banking website before they travel and verify they match each time they connect.

See https://www.grc.com/fingerprints.htm
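
One way to carry out the thumbprint check described above, as an added example that is not part of the original thread: record each site's certificate SHA-256 thumbprint before the trip and compare it on every connection. The hostname `bank.example`, the sample bytes and the function names are constructed for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(text: str) -> str:
    """Drop separators and case differences used when a thumbprint is displayed."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Leaf certificate of host, fetched over a normally validated TLS connection."""
    ctx = ssl.create_default_context()  # CA and hostname validation stay on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check(pins: dict, host: str, der_cert: bytes) -> str:
    """Compare a presented certificate with the thumbprint recorded before travel."""
    if host not in pins:
        return "no-pin"
    presented = normalize(fingerprint(der_cert))
    return "match" if normalize(pins[host]) == presented else "MISMATCH"


# Constructed stand-in for DER bytes so the example runs offline; on a live
# connection pass fetch_der("bank.example") instead (placeholder hostname).
SAMPLE_DER = b"abc"
PINS = {
    "bank.example": "ba 78 16 bf 8f 01 cf ea 41 41 40 de 5d ae 22 23 "
                    "b0 03 61 a3 96 17 7a 9c b4 10 ff 61 f2 00 15 ad",
}

if __name__ == "__main__":
    print(check(PINS, "bank.example", SAMPLE_DER))         # recorded cert
    print(check(PINS, "bank.example", SAMPLE_DER + b"x"))  # different cert
```

A mismatch is not automatically an attack: the thumbprint changes whenever the site renews its certificate, and large sites may serve different certificates from different servers, so re-record pins from a trusted network when that happens.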
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Most banks have strong security + I still run a VPN on the laptop I carry when I travel.

I use the VPN PIA for several reasons.

1) They have the fastest IP pools of any VPN I tested. My testing occurred several years ago, so there might be faster ones now.

2) They're cheap. $33/machine/year.

3) They provide true, zero leakage security.

This last item is essential. When I first started using PIA they had severe leakage.

I must have turned in 4-5 leakage related bugs, first few days I used their product.

One bug was fixed in a few minutes. All other bugs were fixed in less than one day.

If every company ran their customer support system with response time like PIA... well.. the world would be a much better place.
serialband Commented:
When you visit a banking site, you only need to make sure they have SSL enabled and you're going to an https://(BANK_NAME) site.  If they have proper TLS1.2 certificates installed, you should already be secure.  By using an unencrypted WiFi and visiting an SSL encrypted site, someone can see that you're visiting the Bank site, but they won't be able to see the contents.  The only thing they'll know is which bank you use.

VPNs don't add extra security, just privacy.  It hides all your traffic by routing everything through the VPN.  The VPN server admins can see your traffic if they really want to.  It's not extra security, just privacy.

Melody Scott, Author, Commented:
Thanks, all, great information!!
btan, Exec Consultant, Commented:
Just to add.

Avoid using an unencrypted WiFi hotspot. It is tempting, but at a minimum use one that does WPA2, though it can also have weaknesses.

Turn off wireless when you are not using it, and do not enable automatic wireless connection, so that you are totally in control.

Here are further notes for information:
https://www.experts-exchange.com/articles/32690/A-layman's-explanation-and-look-into-Wireless-Security.html
Melody Scott, Author, Commented:
Thanks!
serialband Commented:
It doesn't matter!  You must always treat unknown WiFi as compromised, whether or not it's encrypted, if you truly want to adhere to security practices.  When you travel, everything should be treated as insecure.  Those hotel Wifi aren't very well run.  They usually have outside contractors install them and the hotel staff don't really understand the tech fully themselves.  Their in-house techs travel to several different sites and run things remotely.  Don't trust those WiFi to be secure.

Anyone running the WiFi access point can see your traffic, even if it's encrypted.  The encryption just keeps random other people from seeing your traffic easily.  The encryption is only between you and the access point.  Once it's there, it goes over the internet.  If it's going to an unencrypted http site, then other people can still view your data.  Anyone on that same access point could possibly have access to your system if the admin allowed it.  Usually, they block guests from accessing each other's system, if they're following any standard security practices.  As admins, they can still view your traffic.  The only thing encryption protects you from is outsiders that don't have the password.  Any insider can see any unencrypted traffic.

The main thing an encrypted WiFi really does is to prevent non-technical outsiders from using up the bandwidth.  It's not really about security.  WEP is completely broken and WPA has also been cracked.  WPA2 takes a little longer, but there are hacks to get that password.  People need to stop touting WiFi encryption as security.  It's more of an access restriction.  Sysadmins can read your traffic once you connect to the encrypted WiFi.  If you visit an unencrypted site, other people on the internet can see your data.  Don't treat it as secure.

You should always treat any guest WiFi as if it were hacked.  You don't know if someone placed a fake WiFi access point with the same password and SSID in the same location.  You still must make sure that the sites you visit are SSL encrypted.  You also don't know what kind of tracking the WiFi access point operator may be running.  You must get into the practice of going to an SSL encrypted site, whether or not you get on an encrypted WiFi.  Just because it's encrypted, your data traffic may still not be secure.  At home, if you don't want snoopers, turn off WiFi and go wired.
serialband Commented:
This goes for VPNs as well.  If you visit an unencrypted site through a VPN, that traffic reaching the VPN is secure, but once it leaves the VPN, the unencrypted data is still viewable by anyone along the path.   VPNs are for privacy, not security.  It prevents people at your location from knowing where you visit.  It's not for keeping you secure.  You must still visit an SSL encrypted website to prevent anyone from viewing your private data.

If you're using anonymous VPNs for "security" then you don't understand security.  Those VPNs are for privacy.

Corporate VPNs are different.  They do allow for security, because they get you to one location, work.  You access internal documents through them.  You're not supposed to be going on the internet through them.  These are different types of VPNs.

You still need to visit that SSL encrypted bank site to be secure.
btan, Exec Consultant, Commented:
Where possible, use a mobile dongle or even your own mobile MiFi. There will always be a window of exposure, so keep the files on the machine encrypted at rest at all times. For the host firewall, you can also consider adding a rule to disallow HTTP traffic until the VPN is enabled. There is also hotel WiFi with a captive portal, which you should preferably avoid using for long.
serialband Commented:
No.  That's not security.  That's just other paths to connect to the bank site.  The only part that makes banking secure is the SSL encryption at the bank site.  If you don't have SSL encryption, no matter what connection method you use, someone on the internet can see it in plain text.  You want the encryption to be between you and the bank.  It doesn't matter if you have encrypted WiFi or VPN, as long as the Bank site is SSL encrypted, you are secure.

If it's not SSL encrypted, having encrypted WiFi or encrypted VPN will still not protect you as the traffic leaves the encryption points.  It will leave the Hotel WiFi network unencrypted.  It will leave the VPN server unencrypted.  It will leave the Mobile Mifi Server unencrypted.

The only encryption that matters is the one at the site you visit.  Everything else is redirection and access restriction, not security.
btan, Exec Consultant, Commented:
Agree. I am looking at the WiFi aspect. Security should be end to end.
Melody Scott, Author, Commented:
Thanks, everyone- I think the fingerprint info along with a trusted VPN is what he'll go with. The bank is definitely on SSL, with TLS1.2 certificates.

I think he was more worried that someone would gain access to his laptop and be able to follow his keystrokes or something like that. I'll look further at the information you all gave, and pass it along. Very helpful!
serialband Commented:
Encrypt the disk.  Turn off services that you don't need.  Make sure that the firewall is on.
Melody Scott, Author, Commented:
btan, Exec Consultant, Commented:
Yes, disk encryption for macOS.

May also consider volume encryption if required
APFS encryption applies to individual volumes and not to entire containers. (Even if you create a new APFS container and format it as Encrypted, that will only apply to the first volume in the container.) In addition, the sensitive data volume could grow and shrink as it needs along with your startup volume, allowing (almost) the entire space of your SSD to be available to either volume.
https://discussions.apple.com/thread/8335752
Melody Scott, Author, Commented:
thanks! So much great info everyone!