A question about random wifi security
Old 08-25-2014, 08:09 PM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2003
Location: Hooverville
Posts: 22,386

A few days ago I was texting my son who mentioned that his company's stock had had a very good day. Unthinkingly I accessed my broker through its iPhone app. I am not very familiar with how this works. I assumed I would connect via my phone's 4G service. Afterward I checked to see if there were open networks around. I was in a downtown coffee house, and there were several open networks available. I know when I am home my phone will preferentially use my wifi which I specify in my settings, in order to minimize my data usage. My question is whether the phone (iPhone 5c) will also grab any open available network, without me being asked if I want to use it? Any help very welcome!

When I came home I changed my password just in case. I hate to be using something that I really don't understand, but I have certainly quickly become accustomed to having it in my pocket.

I'm going to start another thread about Google translate. It is phenomenal.

Ha
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
haha is offline   Reply With Quote

Old 08-25-2014, 08:15 PM   #2
Thinks s/he gets paid by the post
 
Join Date: Mar 2011
Posts: 3,708
AFAIK, you need to select which open wifi network you want unless you have previously selected it in the past.

Long ago I had selected a McDonald's wifi and now it automatically connects each time, but I'm pretty sure you need to originally select it to start.

And, yeah, G-translate is really slick!
__________________
Living well is the best revenge!
Retired @ 52 in 2005
marko is offline   Reply With Quote
Old 08-25-2014, 08:54 PM   #3
Recycles dryer sheets
 
Join Date: Aug 2013
Posts: 320
Your broker should be using https in their app or on their website. It's generally safe to access... though it's not unbreakable (i.e., NSA).
__________________
jetpack is offline   Reply With Quote
Old 08-25-2014, 10:20 PM   #4
Recycles dryer sheets
 
Join Date: Feb 2014
Location: SF Bay Area
Posts: 252
First off, you did the right thing. You changed your PW. Secondly, statistically, you run a low risk of having an issue as you already know enough not to do financial and highly personal tasks over an open network connection. So lesson learned (and we all do it). HTTPS is good once you get there but your weak point is the open wireless connection from your phone or device prior to getting to the https server. Someone would have had to place a very sophisticated 'sniffer' on that particular network to get your info.

As previous poster indicated, perhaps look into checking your settings, i.e., don't connect to an open network unless you give the 'ok'.

Also, you can subscribe to any number of VPN services should you like to do banking etc. while 'on the run'. They are very secure, even when running on an open network. My guess is you are fine.
__________________
"The only function of economic forecasting is to make astrology look respectable"
- J.K. Galbraith
FireBug is offline   Reply With Quote
Old 08-26-2014, 07:12 AM   #5
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,620
Typically, your phone will grab onto any network you've used before, so that's normal.

I would not access any "serious" (e.g., brokerage, bank, etc.) site without going through a VPN connection. I use Witopia, but there are several good ones.
__________________
braumeister is offline   Reply With Quote
Old 08-26-2014, 07:24 AM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,646
Sounds like overkill to me, Ha. As others point out, unless you logged into the wifi previously you would not log in now. Also, your broker undoubtedly uses https so your password was encrypted. But your underlying concern is well placed. You are undoubtedly better off not accessing sensitive network resources from locations or devices you are not sure are secure. It is easier to postpone your access. One thought - if you want to use your phone but avoid using various wifi networks you may have signed on to in the past, you could simply turn wifi off when you connect to the sensitive site. Just remember that the NSA is in there watching.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Old 08-26-2014, 08:55 AM   #7
Thinks s/he gets paid by the post
 
Join Date: Jul 2012
Location: Texas
Posts: 1,136
I use lots of free public WiFi because I always try to minimize mobile data usage on my pay-as-you-go MVNO (Ting). I never intentionally do anything that requires a login on these connections. But I have inadvertently RE-connected to a WiFi that I used previously, and done a login when I thought I was using 4G. So now, I always turn WiFi off before logging in when I'm away from home.
__________________
Retired at 52 in July 2013. On to better things...
AA: 55% stock, 15% real estate, 27% bonds, 3% cash
WR: 2.0% SI: 2 pensions, some rental income, SS later
Cobra9777 is offline   Reply With Quote
Old 08-26-2014, 09:55 AM   #8
Thinks s/he gets paid by the post
 
Join Date: May 2008
Posts: 3,423
You can also forget those networks that you've previously connected to.

For instance, Xfinity Wifi, AT&T Wifi, etc.

I believe apps use SSL.

We've all heard about websites being hacked, credit card numbers being stolen from POS terminals or backend systems.

But so far, nothing about apps or banking web sites.

The greater risk at the coffee shop is if you pay for your coffee with a magnetic stripe credit card.

Maybe in the future, with mobile payments, there could be concerns that contactless methods (where data is transmitted over short distances, either NFC or Bluetooth) could be intercepted by a hacker.

Also, your home isn't necessarily safe. Millions of PCs have been hijacked into botnets.
__________________
explanade is offline   Reply With Quote
Old 08-26-2014, 11:43 AM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
Sorry to get into this late, but I had to make a quick call to my broker and buy some stock. Just got a hot tip from a friend who hangs out in Seattle area coffee shops.

I may be wrong, but I think most financial institution iOS apps work with encrypted data.

FWIW, I do all my financial work from a computer that is only used for financial sites. And I only do them at home or using a wifi source I know can be trusted (usually at the home of a fellow geek).

In reality, I think it is much more likely that any compromise of my sensitive information will occur when some outfit I do business with gets hacked. Alas, I have little control over that.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 08-26-2014, 12:41 PM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2003
Location: Hooverville
Posts: 22,386
Thanks everyone. I think I will use the "turn off wifi " protocol when doing something that needs privacy in a public space.

Ha
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
haha is offline   Reply With Quote
Old 08-26-2014, 12:53 PM   #11
Thinks s/he gets paid by the post
 
Join Date: Dec 2008
Posts: 3,709
Quote:
Originally Posted by haha View Post
Thanks everyone. I think I will use the "turn off wifi " protocol when doing something that needs privacy in a public space.
That's the best route to take.
An article about the public wifi danger:
Here’s Why You Should Think Twice About Using AT&T Or Comcast WiFi Hotspots – Consumerist

It will never be 100% safe, so you must keep adapting to the new threats.
__________________
target2019 is offline   Reply With Quote
Old 08-26-2014, 01:01 PM   #12
Thinks s/he gets paid by the post
 
Join Date: Sep 2006
Posts: 1,695
Quote:
Originally Posted by haha View Post
Thanks everyone. I think I will use the "turn off wifi " protocol when doing something that needs privacy in a public space.

Ha
I always turn off WIFI on my iPhone when I leave the house, it saves on the battery from the phone searching for wifi and I do not trust public WIFI. As long as you are not streaming music or video, the amount of data use for normal websites is really quite low.
__________________
Running_Man is offline   Reply With Quote
Old 08-26-2014, 08:51 PM   #13
Dryer sheet wannabe
 
Join Date: Jul 2013
Posts: 15
Be careful assuming that by turning off WIFI and using your cellular provider that you are then secure. There is absolutely no reason to assume that a cellular provider is securing your data for you. In 3G and 4G networks today, your data is only encrypted between your device and the cell tower. Once the cell tower has it, it is sent over whatever backhaul the operator could most cost-effectively use to get it to their network. This could be fiber or it could be microwave. I have seen plenty of operators deploy microwave equipment without enabling encryption, meaning with the right equipment anyone can intercept the cell tower backhaul traffic and capture data.

Any site worth doing business with these days will protect their site with HTTPS (TLS/SSL) which is basically encryption for your application. When you log into your bank, or broker or whatever, the FIRST thing that happens is an encrypted connection gets set up between your phone and the service you are contacting. This occurs whether you are on an open WIFI access point at McDonalds, or over a cellular carrier. This makes it virtually impossible for anyone intercepting the traffic anywhere along its path to be able to see your data or recover your password.

On a browser you know this is working when there is a 'lock' icon in the URL of the web page you are visiting. With Apps, you really have no way of knowing it...but as I said, use a reputable service and they will enable security as I described.

Conclusion: It is very likely that using a financial service on an Open WIFI access point did not disclose any personal data to anyone at the location you were at, or over the Internet.
__________________
LongTerm is offline   Reply With Quote
Old 08-27-2014, 01:07 AM   #14
Confused about dryer sheets
 
Join Date: Jul 2014
Location: Bay Area
Posts: 5
Presuming your broker's website or your apps use HTTPS is about as safe as presuming that one night stand wore a condom.

Sorry for the graphic metaphor, but public wifi is perhaps best avoided unless you're wearing a condom - er, I mean, using VPN.

The apps on our smartphones are constantly sending/receiving a whole bunch of data in the background, on whatever network we provide. Not sure which apps use HTTPS? Unless I see the app's verified SSL certificate, neither am I.

A cafe filled with 5 or more wired peeps is like taking candy from a baby. It is really, really easy to steal unencrypted data. Previous to 2014, I thought this task was strictly for the uber-genius crypto nerds, until I checked out two free tools: Wireshark and Firesheep. Pick-pocketing for the layperson. I'm sold. When I'm public, it's VPN for me.
__________________
bribri is offline   Reply With Quote
Old 08-27-2014, 09:50 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,620
Quote:
Originally Posted by bribri View Post
When I'm public, it's VPN for me.
+1
I don't know about other phones, but at least on iPhones it's very easy to use VPN.
__________________
braumeister is offline   Reply With Quote
Old 08-27-2014, 01:08 PM   #16
Thinks s/he gets paid by the post
 
Join Date: Oct 2010
Posts: 3,847
Quote:
Originally Posted by haha View Post
...accessed my broker through its iPhone app...
I'd bet 100 to 1 that the connection from the app to the broker back-end is appropriately encrypted. That means you have so very little to worry about, that you shouldn't worry.

Given the above, there is zero chance of a man in the middle attack working; either you get or don't get a connection to the broker's service.*

If the app had a vulnerability, that would be your only worry. But once the first customer got hit while using the app, it would become apparent to the broker, and the service would be shut down. So the hacker would get a tiny timeframe to steal money or wreak havoc. Totally not worth the time to do the hack. In other words, one broker's app is not a juicy target.

The bigger problem with wireless hotspots is the rather idiotic method by which some web sites manage authentication: they only use the TLS protocol during login, and thereafter go unencrypted and simply rely on a token that's in the clear (cookie). That's often why you get spam from people you have emailed in the past: a bad guy sniffs the token while your friend is at the airport, the bad guy enters the web email account using the sniffed cookie (concurrent, but unbeknownst to your friend), and spams everyone in the address book.

*Wireless hotspots where you do not need to enter a password are "sniffable", but current encryption is not crackable, even if a third party sees every byte between the two endpoints that are negotiating the encryption.
__________________
sengsational is offline   Reply With Quote
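The weakness described in post #16 (TLS at login, then a session cookie that travels in the clear) shows up in a site's response headers, so a site owner can check for it. The following is an added example, not part of the original thread: a Python check that flags cookies set without the `Secure` attribute and responses without HSTS. The function names and all header values are constructed for illustration.

```python
# Added example (not from the thread). All header values below are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs

def audit_response(headers):
    """headers: list of (name, value) pairs taken from one HTTPS response.
    Returns (subject, issue) findings for the TLS-only-at-login weakness."""
    findings = []
    # Without HSTS the browser may still issue later requests over plain http://.
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append(("response", "no-hsts"))
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        # No Secure attribute: the cookie is also attached to unencrypted requests,
        # which is what makes it readable on an open hotspot.
        if "secure" not in attrs:
            findings.append((cookie, "missing-secure"))
        # No HttpOnly attribute: page scripts can read the cookie.
        if "httponly" not in attrs:
            findings.append((cookie, "missing-httponly"))
    return findings

# Constructed sample: login over HTTPS, but the session cookie has no protections.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=3f9a1c; Path=/"),
]

# Constructed sample: same login response with HSTS and a protected cookie.
HARDENED_LOGIN_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=3f9a1c; Path=/; secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_response(hdrs))
```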
Old 08-27-2014, 05:27 PM   #17
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,594
Quote:
Originally Posted by sengsational View Post
I'd bet 100 to 1 that the connection from the app to the broker back-end is appropriately encrypted. That means you have so very little to worry about, that you shouldn't worry

Given the above, there is zero chance of a man in the middle attack working; either you get or don't get a connection to the broker's service.*
.......snip....
+1

Brokers have to provide evidence data are encrypted for formal audits.

Given we're just asking a web server something it already does (HTTPS), I'd be more worried about crossing the street.
__________________
MRG is offline   Reply With Quote