What's the safest, most secure way to connect to online banking while on a public WiFi?

Melody Scott
Hi, I have a friend who is traveling in Europe soon.  They'll be on public WiFi all the time, wherever they go, and they're concerned about doing things like online banking.

They asked me if they got a good VPN (I use StrongVPN), if that would be secure, because the connection between them and the outside world would be encrypted.

I didn't know the answer, so I am coming to the experts. What's the safest, most secure way for them to connect to online banking while on a public WiFi?

Thanks!

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I have VPN to my home system and so for banking, I can log into home and do banking there. Same for other sensitive things.

For most casual browsing, email and so on, I have top notch firewall and anti virus and then public internet is OK.

When in my own country, I use my HUAWEI Internet stick as it is much more secure than public Wi-Fi.

Be sure to use the Guest NIC profile and NOT Private. This will be automatic in Windows 10.

Your best bet would be a trusted VPN.

As an extra measure of caution, you could have them record the certificate thumbprint of each banking website before they travel and verify they match each time they connect.

See https://www.grc.com/fingerprints.htm
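The thumbprint check suggested above, as an added example that is not part of the original thread: record the SHA-256 thumbprint of the bank's certificate on a trusted network, then compare it on every later connection. The host `bank.example`, the function names and the sample certificate bytes are constructed for illustration, and the choice of SHA-256 is an assumption.

```python
import hashlib
import json
import socket
import ssl


def thumbprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server certificate (DER) after normal CA and hostname checks."""
    ctx = ssl.create_default_context()  # rejects untrusted or mismatched certs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def record(pins: dict, host: str, der_cert: bytes) -> dict:
    """Before travel, on a trusted network: remember the thumbprint for host."""
    pins[host] = thumbprint(der_cert)
    return pins


def verify(pins: dict, host: str, der_cert: bytes) -> str:
    """While travelling: compare what the network serves with what was recorded."""
    expected = pins.get(host)
    if expected is None:
        return "unknown-host"
    if expected == thumbprint(der_cert):
        return "match"
    # Either the site now serves a renewed or different certificate, or
    # something on the path is intercepting TLS. Do not log in until checked.
    return "mismatch"


# Constructed stand-ins for DER certificate bytes so the example runs offline.
HOME_CERT = b"constructed DER bytes seen on the home network"
HOTEL_CERT = b"constructed DER bytes seen on hotel WiFi"

if __name__ == "__main__":
    saved = json.dumps(record({}, "bank.example", HOME_CERT))  # keep this file
    pins = json.loads(saved)
    print(verify(pins, "bank.example", HOME_CERT))   # same certificate
    print(verify(pins, "bank.example", HOTEL_CERT))  # different certificate
    # Live use: verify(pins, host, fetch_leaf_cert(host))
```

A mismatch is not proof of interception, because banks renew certificates and some serve different ones from different servers; treat it as a reason to stop and confirm from a network you trust.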
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Most banks have strong security + I still run a VPN on the laptop I carry when I travel.

I use the VPN PIA for several reasons.

1) They have the fastest IP pools of any VPN I tested. My testing occurred several years ago so might be faster ones now.

2) They're cheap. $33/machine/year.

3) They provide true, zero leakage security.

This last item is essential. When I first started using PIA they had severe leakage.

I must have turned in 4-5 leakage related bugs, first few days I used their product.

One bug was fixed in a few minutes. All other bugs were fixed in less than one day.

If every company ran their customer support system with response time like PIA... well.. the world would be a much better place.

When you visit a banking site, you only need to make sure they have SSL enabled and you're going to an https://(BANK_NAME) site.  If they have proper TLS1.2 certificates installed, you should already be secure.  By using an unencrypted WiFi and visiting an SSL encrypted site, someone can see that you're visiting the Bank site, but they won't be able to see the contents.  The only thing they'll know is which bank you use.

VPNs don't add extra security, just privacy.  It hides all your traffic by routing everything through the VPN.  The VPN server admins can see your traffic if they really want to.  It's not extra security, just privacy.

Author

Commented:
Thanks, all, great information!!
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Just to add.

Avoid using an unencrypted wifi hotspot. It is tempting, but at a minimum use one that does WPA2, though it can also have weaknesses.

Turn off wireless when not using it and do not have automatic wireless connection so that you are totally in control.

Here are further notes for information
https://www.experts-exchange.com/articles/32690/A-layman's-explanation-and-look-into-Wireless-Security.html

Author

Commented:
Thanks!
It doesn't matter!  You must always treat unknown WiFi as compromised, whether or not it's encrypted, if you truly want to adhere to security practices.  When you travel, everything should be treated as insecure.  Those hotel Wifi aren't very well run.  They usually have outside contractors install them and the hotel staff don't really understand the tech fully themselves.  Their in-house techs travel to several different sites and run things remotely.  Don't trust those WiFi to be secure.

Anyone running the WiFi access point can see your traffic, even if it's encrypted.  The encryption just keeps random other people from seeing your traffic easily.  The encryption is only between you and the access point.  Once it's there, it goes over the internet.  If it's going to an unencrypted http site, then other people can still view your data.  Anyone on that same access point could possibly have access to your system if the admin allowed it.  Usually, they block guests from accessing each other's system, if they're following any standard security practices.  As admins, they can still view your traffic.  The only thing encryption protects you from is outsiders that don't have the password.  Any insider can see any unencrypted traffic.

The main thing an encrypted WiFi really does is to prevent non-technical outsiders from using up the bandwidth.  It's not really about security.  WEP is completely broken and WPA has also been cracked.  WPA2 takes a little longer, but there are hacks to get that password.  People need to stop touting WiFi encryption as security.  It's more of an access restriction.  Sysadmins can read your traffic once you connect to the encrypted WiFi.  If you visit an unencrypted site, other people on the internet can see your data.  Don't treat it as secure.

You should always treat any guest wifi as if it were hacked.  You don't know if someone placed a fake Wifi access point with the same password and SSID in the same location.  You still must make sure that the sites you visit are SSL encrypted.  You also don't know what kind of tracking the WiFi Access point operator may be running.  You must get into the practice of going to an SSL encrypted site, whether or not you get on an encrypted WiFi or not.  Just because it's encrypted, your data traffic may still not be secure.  At home, if you don't want snoopers, turn off WiFi and go wired.
This goes for VPNs as well.  If you visit an unencrypted site through a VPN, that traffic reaching the VPN is secure, but once it leaves the VPN, the unencrypted data is still viewable by anyone along the path.   VPNs are for privacy, not security.  It prevents people at your location from knowing where you visit.  It's not for keeping you secure.  You must still visit an SSL encrypted website to prevent anyone from viewing your private data.

If you're using anonymous VPNs for "security" then you don't understand security.  Those VPNs are for privacy.

Corporate VPNs are different.  They do allow for security, because they get you to one location, work.  You access internal documents through them.  You're not supposed to be going on the internet through them.  These are different types of VPNs.

You still need to visit that SSL encrypted bank site to be secure.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Where possible, use a mobile dongle or even your own mobile MiFi. There will always be a window of exposure, so keep the files on the machine encrypted at rest at all times. On the host firewall, you can also consider adding a rule to disallow HTTP traffic until the VPN is enabled. There is also hotel WiFi that has a captive portal, which is preferably avoided for long use.
No.  That's not security.  That's just other paths to connect to the bank site.  The only part that makes banking secure is the SSL encryption at the bank site.  If you don't have SSL encryption, no matter what connection method you use, someone on the internet can see it in plain text.  You want the encryption to be between you and the bank.  It doesn't matter if you have encrypted WiFi or VPN, as long as the Bank site is SSL encrypted, you are secure.

If it's not SSL encrypted, having encrypted WiFi or encrypted VPN will still not protect you as the traffic leaves the encryption points.  It will leave the Hotel WiFi network unencrypted.  It will leave the VPN server unencrypted.  It will leave the Mobile Mifi Server unencrypted.

The only encryption that matters is the one at the site you visit.  Everything else is redirection and access restriction, not security.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Agree. I am looking at the wifi aspect. Security should be end to end

Author

Commented:
Thanks, everyone- I think the fingerprint info along with a trusted VPN is what he'll go with. The bank is definitely on SSL, with TLS1.2 certificates.

I think he was more worried that someone would gain access to his laptop and be able to follow his keystrokes or something like that. I'll look further at the information you all gave, and pass it along. Very helpful!
Encrypt the disk.  Turn off services that you don't need.  Make sure that the firewall is on.

btan, Exec Consultant
Distinguished Expert 2018

Commented:
Yes disk encryption for MAC OS.

May also consider volume encryption if required
APFS encryption applies to individual volumes and not to entire containers. (Even if you create a new APFS container and format it as Encrypted, that will only apply to the first volume in the container.) In addition, the sensitive data volume could grow and shrink as it needs along with your startup volume, allowing (almost) the entire space of your SSD to be available to either volume.
https://discussions.apple.com/thread/8335752

Author

Commented:
thanks! So much great info everyone!
