Online banking from the road

[GalaxyBoy]

I will avoid hotel wifi for sensitive data like bank accounts, but I'll log on via my cellular connection. Since there's no choice for that option, I didn't vote.

 

[harley]

Can't vote as I only use cellular date to do mobil baking when away from home. Would never use a hotel wifi for banking.

+1

 

[OldShooter]

Why base such a decision on advertising? That seems silly. How about basing it on the tech specs and security analysis?

1 - VPN's will tunnel you securely through any malicious or insecure WiFi
2 - Just use your cell phone connection. Also secure. Also can use a VPN if you are paranoid.

Well, in risk management the first thing you do is to identify the event's impact and its probability. High/low in this case IMO. The next thing you look at is cost to mitigate. Zero, in my case.

I really have no reason to put any financial stuff on my phone. The most we are out of the country is about three weeks twice a year. During that time all my autopays and autodeposits at Schwab take care of things. I am a long term investor so I have zero need to access investment accounts. In the near-zero probability event of an emergency I can call my Schwab guy on the phone for help or to give instructions.

Re "security analysis" really that is a joke. First, what do those words even mean when we're talking about tens or hundreds of thousands of lines of code? Presumably Microsoft does "security analysis" and still we get an overwhelming stream of patches from them. And ... who watches the watchers?

It's kind of like religion. If your faith in this stuff makes you happy, I am happy for you. But that doesn't make me a believer.

 

[JustCurious]

My answer does not fit within any of the three categories...I do not use free wifi whereever I am to access banking sites, and I do not use hotel wifi to access banking sites domestically... but it is not true that I "never" logon outside of my home because I also log in from work, and I sometimes log in using wifi from someone else's house whom I trust. I also occasionally log in using the internet access provided by my phone provider when outside of wifi coverage.

I have two factor authentication set up for my banking and brokerage accounts and I would not feel comfortable accessing them away from home without it.

 

[Kwirk]

It's complicated.

I avoid using unprotected public WiFi when I easily can but I would use it if I wanted information and no other mechanism were available. My use of unprotected public WiFi only extends to banks' credit card apps. The banks have, I think, more to lose than I have with credit card fraud.

But, as a rule, I combine any public WiFi with a VPN to my home router. Occasionally, public networks (especially airports, it seems) make the VPN unreliable and I'll use a bare connection.

While traveling the financial accounts that are of most acute interest to me are my credit card accounts. I want to know about specious charges ASAP. I use the company app almost daily (usually with VPN) and I have text alerts active for any charges. When an inappropriate charge appears I can usually dispute it very quickly.

I occasionally get cash from an ATM while traveling outside the US. I am doing this less often and find that money changers (except, possibly, at airports) may now offer better deals than ATMs. (I know I should go to the trouble of setting up a bank account that pays the fees but I haven't done that. I only use cash when I can't use a card. It has been easy to hide some $100s for money exchange and the cost has been reasonable when I avoid tourist locations.) I don't use my ATM card for any other purpose. I do monitor the transactions but avoid using the bank's app without a VPN.

While traveling I do check up on investment accounts but only when I have both a VPN connection and can use remote desktop from my iPad to my home PC. I use Moneydance to manage the data downloads. This seems to be nearly as safe as sitting at my home PC (which is not entirely safe, of course).

I deactivate my Verizon cellular data connection and roaming when I travel. Even their $10 per day bargain rate is ridiculous. I do keep WiFi calling active. Recently, in South America, I was able to easily pick up "chips" that provide a local phone number, gigabytes of cellular data, and free Whatsapp use over several weeks for less than $10 total. (We are paying way too much for our cell phone use in the US!) A cellular connection is presumably more secure than WiFi but I don't always have anything but WiFi when outside the US.

 

[Sunset]

Without getting into technical details, if you are using a browser, the connection between your device and the server is encrypted from end-to-end. The perceived security of the hotel wifi should not factor into this decision.

....

True, however they can see exactly what site you connect to prior to the https handshake. This makes man in the middle attacks possible.

A talented hacker could play man in the middle, or even spoof the hotel wifi so you are connected to the wrong SSID. Either situation would mean you give them your username and password.

That's why I use a VPN. (better to paranoid than poor )

 

[kimcdougc]

Can't vote as I only use cellular data to do mobile banking when away from home. Would never use a hotel wifi for banking.

+1

 

[kcowan]

My FIs use 2FA which gets invoked on any unknown IP address. So Yes. Always https.

I also check my CC account that has zero FX for fraudulent charges. I have caught those often when travelling.

 

[dixonge]

Well, in risk management the first thing you do is to identify the event's impact and its probability. High/low in this case IMO. The next thing you look at is cost to mitigate. Zero, in my case.

I really have no reason to put any financial stuff on my phone. The most we are out of the country is about three weeks twice a year. During that time all my autopays and autodeposits at Schwab take care of things. I am a long term investor so I have zero need to access investment accounts. In the near-zero probability event of an emergency I can call my Schwab guy on the phone for help or to give instructions.

Re "security analysis" really that is a joke. First, what do those words even mean when we're talking about tens or hundreds of thousands of lines of code? Presumably Microsoft does "security analysis" and still we get an overwhelming stream of patches from them. And ... who watches the watchers?

It's kind of like religion. If your faith in this stuff makes you happy, I am happy for you. But that doesn't make me a believer.

Ya know, you do you. 'nuff said

 

[Unpaintedhuffhines]

Can't vote as I only use cellular date to do mobil baking when away from home. Would never use a hotel wifi for banking.

Yep, this. Public/Hotel WiFi is perfectly fine until it isn't. And it is shockingly easy to sniff out userid/passwords over WiFi.

And as others have said, use 2 factor auth. You can solve 99% of the problems that way.

 

[Teacher Terry]

I use my data only.

 

[OldShooter]

... This isn't about blind faith or religion, it's just common sense and keeping up with technology as it changes.

As you like. I have no interest in discussing with someone who has to have the last word. So have it.

 

[dixonge]

As you like. I have no interest in discussing with someone who has to have the last word. So have it.

 

[MrsHaloFIRE]

I use cell not sketchy public wifi. I also have a vpn to use if i want a belt and suspenders

 

[CaliKid]

Didn't vote.

I NEVER EVER use public WIFI for anything. Not since my email was hacked 7 years ago while using the public WIFI at a cancer treatment center while under going chemo. Embarrassing emails were sent to all my personal and business contacts. No financial impact but it sure made an impression on me.

I try to only use our secured WIFI at home. If access away from home is needed, I use my phone directly or as a hotspot.

I don't understand this. If you got embarrassing emails it just means someone found your email address. Maybe somebody you email to was hacked and a person grabbed all their contacts!? That's pretty common and more likely then the scenario you propose in my humble opinion. I think you might be making life more difficult for yourself without reason.

 

[Aerides]

There's a big annual infosec conference held in Vegas - Defcon. Using the convention hotel's WiFi is one of the surefire ways to end up on the Wall of Sheep. Basically a large number of the attendees are also hackers, and will expose anyone who isn't properly securing their devices.

That's the extreme, but I would expect most public wifi's to be far more vulnerable than your own home network.

We should all already use 2FA for any financial account access, no matter where or what device you are using. And yeah... even with that, if you don't need to look up your bank info when away from home, why risk it.

 

[ERD50]

Can someone post some facts with sources, rather than opinions or just a "this is what I do" example?

What I'd like to know is, are the passwords I use to access a financial site secure, even on a public wi-fi? It was my understanding that the "htpps" in the url does that for me. Am I wrong?

Maybe there are other good reasons to avoid public wi-fi, but if they can't see my passwords, I'm not sure what the concern is. With htpps, can they see anything?


-ERD50

 

[harley]

This is what you need to be concerned about with public wifi - a Man-in-the-Middle attack. Once the bad guy has compromised the public system they can make it look like you are communicating directly with your bank (or whatever), but they can see everything that happens.

So no, if you are on a compromised network the encrypted communications are not secure. This can obviously happen in other environments too, but public wifi networks are notoriously bad about security.

 

[donheff]

Can someone post some facts with sources, rather than opinions or just a "this is what I do" example?

What I'd like to know is, are the passwords I use to access a financial site secure, even on a public wi-fi? It was my understanding that the "htpps" in the url does that for me. Am I wrong?

Maybe there are other good reasons to avoid public wi-fi, but if they can't see my passwords, I'm not sure what the concern is. With htpps, can they see anything?


-ERD50

I can't cite references but I have always understood that HTTPS creates an encrypted tunnel such that no one sniffing the network (a very real danger on a public network) can see any of the data packets which includes passwords. There are still a couple of gotchas. Some https sites only use https for the logon and then http for the rest of the session. In those cases the data transferred during the unlocked portion could be sniffed. Looking up at the URL bar now I see this portion of my ER Forums session is not secure so that appears to be the case here. This is extremely unlikely with a financial institution but you can check from home to see if the lock remains on. The other danger that I have heard about is that you might get redirected at the initial public network sign on portion to a malicious site that could trick you into opening an executable that could monitor your screen actions (e.g. a keylogger). This could capture your log on credentials before they transition to the encrypted tunnel. Most stuff I have read suggests this as a pretty remote risk but... I always get nervous at hotels that take you through a proxy server.

I remain paranoid about using open access points for financial sites.

 

[Car-Guy]

There's a big annual infosec conference held in Vegas - Defcon.

Been there many times (6 or 7 times I think) when I was working. There is nothing like attending a week+ long security conference (Blackhat/Defcon) in Las Vegas with all expenses paid (well almost all ) Thousands of security "professionals, hackers, and government agencies" from around the world attend Blackhat/Defcon in Vegas. It's the biggest and most intense IT security conference/training I've ever attended. The only other IT security conference that comes close is RSA, which is held in San Fransisco each year.

I probably spent about 10% of my working days in the last 10 years of my career attending these conferences/training. Probably the only thing I miss about my working years.

One of my favorite topics on this board is when IT security topics are being discussed. I'm "sometimes" impressed with the security knowledge levels of a "few" of the members. "Sometimes"...

 

[Bir48die]

Generally do not in hotels but will when renting houses which is my preference.

 

[mrfeh]

Can someone post some facts with sources, rather than opinions or just a "this is what I do" example?

This is a very technical topic. You aren't going to find a concise summary that accurately describes all the potential issues.

Is a man-in-the-middle attack possible? Yes, but you need to determine if it's something you want to worry about. Personally, I do not.

Some tips:

• use unique passwords
• use 2 factor authentication
• make sure https is being used (in this day and age, that will always be the case)
• use VPN if you're really paranoid

IMO, if you take these steps, using a public wifi network is just fine. Others will disagree; to each his own.

 

[brett]

We have used hotel wifi for the past nine years of travel. Africa, South America, Asia, Europe, NA. Never an issue. We only travel with ipads, no phone.

The two times we have had our cards compromised have been at home. We make a habit of checking our no FX fee credit card while traveling to ensure that it has not been compromised. There is always a first time though. What I do though is only use specific bank accounts when travelling....one with just enough back up cash and no more in case of compromise.

 

[brett]

We have used hotel wifi for the past nine years of travel. Africa, South America, Asia, Europe, NA. Never an issue. We only travel with ipads, no phone.

The two times we have had our cards compromised have been at home. We make a habit of checking our no FX fee credit card while traveling to ensure that it has not been compromised. There is always a first time though. What I do though is only use specific bank accounts when travelling....one with just enough back up cash and no more in case of compromise. We do not have much choice when we are on extended trips.

 

[Rianne]

I try to only use our secured WIFI at home. If access away from home is needed, I use my phone directly or as a hotspot.

+1 IT person cautioned never use outside wifi for anything financial. I always lock my Lastpass outside of my wifi. I do what I"m told