Melody Scott

What's the safest, most secure way to connect to online banking while on a public WiFi?

Hi, I have a friend who is traveling in Europe soon.  They'll be on public WiFi all the time, wherever they go, and they're concerned about doing things like online banking.

They asked me if they got a good VPN (I use StrongVPN), if that would be secure, because the connection between them and the outside world would be encrypted.

I didn't know the answer, so I am coming to the experts. What's the safest, most secure way for them to connect to online banking while on a public WiFi?

Thanks!
John

I have VPN to my home system and so for banking, I can log into home and do banking there. Same for other sensitive things.

For most casual browsing, email and so on, I have top notch firewall and anti virus and then public internet is OK.

When in my own country, I use my HUAWEI Internet stick as it is much more secure than public Wi-Fi.

Be sure to use the Guest NIC profile and NOT Private. This will be automatic in Windows 10.
Giovanni
Your best bet would be a trusted VPN.

As an extra measure of caution, you could have them record the certificate thumbprint of each banking website before they travel and verify they match each time they connect.

See https://www.grc.com/fingerprints.htm
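
An added example, not part of any poster's answer: recording a certificate thumbprint before travel and comparing it on each connection, as suggested above. The hostname `bank.example`, the sample bytes and the function names are assumptions, and SHA-256 is chosen here because the thread does not name a hash.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Accept thumbprints written with colons or spaces, in any case."""
    return "".join(c for c in thumbprint if c not in ": ").upper()


def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate a server presents. Chain and hostname
    validation stay on, so an untrusted certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(host: str, der_cert: bytes, baseline: dict) -> str:
    """Classify a presented certificate against the thumbprints recorded at home."""
    recorded = baseline.get(host)
    if recorded is None:
        return "UNKNOWN"  # no thumbprint was recorded for this host
    if normalize(fingerprint(der_cert)) == normalize(recorded):
        return "MATCH"
    return "MISMATCH"  # a different certificate than the one recorded


# Constructed stand-ins for DER bytes (not real certificates) so this runs offline.
HOME_CERT = b"constructed DER bytes seen on the home network"
HOTEL_CERT = b"constructed DER bytes seen on the hotel network"
# Baseline as a traveller might have noted it: lower case, space-separated.
BASELINE = {"bank.example": fingerprint(HOME_CERT).lower().replace(":", " ")}

if __name__ == "__main__":
    for label, cert in (("home", HOME_CERT), ("hotel", HOTEL_CERT)):
        print(label, fingerprint(cert)[:23] + "...", compare("bank.example", cert, BASELINE))
    # Live use: compare(host, fetch_der(host), BASELINE)
```

A MISMATCH is a reason to stop and re-check from another network, not proof of interception: banks replace certificates on renewal and may serve different ones from different front ends.
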
Most banks have strong security + I still run a VPN on the laptop I carry when I travel.

I use the VPN PIA for several reasons.

1) They have the fastest IP pools of any VPN I tested. My testing occurred several years ago so might be faster ones now.

2) They're cheap. $33/machine/year.

3) They provide true, zero leakage security.

This last item is essential. When I first started using PIA they had severe leakage.

I must have turned in 4-5 leakage related bugs, first few days I used their product.

One bug was fixed in a few minutes. All other bugs were fixed in less than one day.

If every company ran their customer support system with response time like PIA... well.. the world would be a much better place.
ASKER CERTIFIED SOLUTION
serialband

This solution is only available to members.

Melody Scott
ASKER

Thanks, all, great information!!
btan

Just to add.

Avoid using an unencrypted WiFi hotspot. It is tempting, but at a minimum use one that does WPA2, though it can also have weaknesses.

Turn off wireless when not using it, and do not have automatic wireless connection, so that you are totally in control.

Here are further notes for information:
https://www.experts-exchange.com/articles/32690/A-layman's-explanation-and-look-into-Wireless-Security.html
Thanks!
It doesn't matter!  You must always treat unknown WiFi as compromised, whether or not it's encrypted, if you truly want to adhere to security practices.  When you travel, everything should be treated as insecure.  Those hotel Wifi aren't very well run.  They usually have outside contractors install them and the hotel staff don't really understand the tech fully themselves.  Their in-house techs travel to several different sites and run things remotely.  Don't trust those WiFi to be secure.

Anyone running the WiFi access point can see your traffic, even if it's encrypted.  The encryption just keeps random other people from seeing your traffic easily.  The encryption is only between you and the access point.  Once it's there, it goes over the internet.  If it's going to an unencrypted http site, then other people can still view your data.  Anyone on that same access point could possibly have access to your system if the admin allowed it.  Usually, they block guests from accessing each other's system, if they're following any standard security practices.  As admins, they can still view your traffic.  The only thing encryption protects you from is outsiders that don't have the password.  Any insider can see any unencrypted traffic.

The main thing an encrypted WiFi really does is to prevent non-technical outsiders from using up the bandwidth.  It's not really about security.  WEP is completely broken and WPA has also been cracked.  WPA2 takes a little longer, but there are hacks to get that password.  People need to stop touting WiFi encryption as security.  It's more of an access restriction.  Sysadmins can read your traffic once you connect to the encrypted WiFi.  If you visit an unencrypted site, other people on the internet can see your data.  Don't treat it as secure.

You should always treat any guest WiFi as if it were hacked.  You don't know if someone placed a fake WiFi access point with the same password and SSID in the same location.  You still must make sure that the sites you visit are SSL encrypted.  You also don't know what kind of tracking the WiFi access point operator may be running.  You must get into the practice of going to an SSL encrypted site, whether or not you get on an encrypted WiFi.  Just because it's encrypted, your data traffic may still not be secure.  At home, if you don't want snoopers, turn off WiFi and go wired.
This goes for VPNs as well.  If you visit an unencrypted site through a VPN, that traffic reaching the VPN is secure, but once it leaves the VPN, the unencrypted data is still viewable by anyone along the path.   VPNs are for privacy, not security.  It prevents people at your location from knowing where you visit.  It's not for keeping you secure.  You must still visit an SSL encrypted website to prevent anyone from viewing your private data.

If you're using anonymous VPNs for "security" then you don't understand security.  Those VPNs are for privacy.

Corporate VPNs are different.  They do allow for security, because they get you to one location, work.  You access internal documents through them.  You're not supposed to be going on the internet through them.  These are different types of VPNs.

You still need to visit that SSL encrypted bank site to be secure.
Where possible, use a mobile dongle or even your own mobile MiFi. There will always be a window of exposure, so keep the files on the machine encrypted at rest at all times. For the host firewall, you can also consider putting in a rule to disallow http traffic until the VPN is enabled. There are also hotel WiFi networks that have a captive portal, which are preferably not used for long.
No.  That's not security.  That's just other paths to connect to the bank site.  The only part that makes banking secure is the SSL encryption at the bank site.  If you don't have SSL encryption, no matter what connection method you use, someone on the internet can see it in plain text.  You want the encryption to be between you and the bank.  It doesn't matter if you have encrypted WiFi or VPN, as long as the Bank site is SSL encrypted, you are secure.

If it's not SSL encrypted, having encrypted WiFi or encrypted VPN will still not protect you as the traffic leaves the encryption points.  It will leave the Hotel WiFi network unencrypted.  It will leave the VPN server unencrypted.  It will leave the Mobile MiFi Server unencrypted.

The only encryption that matters is the one at the site you visit.  Everything else is redirection and access restriction, not security.
Agree. I am looking at the WiFi aspect. Security should be end to end.
Thanks, everyone- I think the fingerprint info along with a trusted VPN is what he'll go with. The bank is definitely on SSL, with TLS1.2 certificates.

I think he was more worried that someone would gain access to his laptop and be able to follow his keystrokes or something like that. I'll look further at the information you all gave, and pass it along. Very helpful!
Encrypt the disk.  Turn off services that you don't need.  Make sure that the firewall is on.
Yes, disk encryption for macOS.

May also consider volume encryption if required:
APFS encryption applies to individual volumes and not to entire containers. (Even if you create a new APFS container and format it as Encrypted, that will only apply to the first volume in the container.) In addition, the sensitive data volume could grow and shrink as it needs along with your startup volume, allowing (almost) the entire space of your SSD to be available to either volume.
https://discussions.apple.com/thread/8335752
Thanks! So much great info, everyone!