Online banking from the road

[Aerides]

There's a big annual infosec conference held in Vegas - Defcon. Using the convention hotel's WiFi is one of the surefire ways to end up on the Wall of Sheep. Basically a large number of the attendees are also hackers, and will expose anyone who isn't properly securing their devices.

That's the extreme, but I would expect most public wifi's to be far more vulnerable than your own home network.

We should all already use 2FA for any financial account access, no matter where or what device you are using. And yeah... even with that, if you don't need to look up your bank info when away from home, why risk it.

[ERD50]

Can someone post some facts with sources, rather than opinions or just a "this is what I do" example?

What I'd like to know is, are the passwords I use to access a financial site secure, even on a public wi-fi? It was my understanding that the "htpps" in the url does that for me. Am I wrong?

Maybe there are other good reasons to avoid public wi-fi, but if they can't see my passwords, I'm not sure what the concern is. With htpps, can they see anything?


-ERD50

[harley]

This is what you need to be concerned about with public wifi - a Man-in-the-Middle attack. Once the bad guy has compromised the public system they can make it look like you are communicating directly with your bank (or whatever), but they can see everything that happens.

So no, if you are on a compromised network the encrypted communications are not secure. This can obviously happen in other environments too, but public wifi networks are notoriously bad about security.

[donheff]

Quote:

Originally Posted by ERD50 Can someone post some facts with sources, rather than opinions or just a "this is what I do" example? What I'd like to know is, are the passwords I use to access a financial site secure, even on a public wi-fi? It was my understanding that the "htpps" in the url does that for me. Am I wrong? Maybe there are other good reasons to avoid public wi-fi, but if they can't see my passwords, I'm not sure what the concern is. With htpps, can they see anything? -ERD50

I can't cite references but I have always understood that HTTPS creates an encrypted tunnel such that no one sniffing the network (a very real danger on a public network) can see any of the data packets which includes passwords. There are still a couple of gotchas. Some https sites only use https for the logon and then http for the rest of the session. In those cases the data transferred during the unlocked portion could be sniffed. Looking up at the URL bar now I see this portion of my ER Forums session is not secure so that appears to be the case here. This is extremely unlikely with a financial institution but you can check from home to see if the lock remains on. The other danger that I have heard about is that you might get redirected at the initial public network sign on portion to a malicious site that could trick you into opening an executable that could monitor your screen actions (e.g. a keylogger). This could capture your log on credentials before they transition to the encrypted tunnel. Most stuff I have read suggests this as a pretty remote risk but... I always get nervous at hotels that take you through a proxy server.

I remain paranoid about using open access points for financial sites.

[Car-Guy]

Quote:

Originally Posted by Aerides There's a big annual infosec conference held in Vegas - Defcon.

Been there many times (6 or 7 times I think) when I was working. There is nothing like attending a week+ long security conference (Blackhat/Defcon) in Las Vegas with all expenses paid (well almost all ) Thousands of security "professionals, hackers, and government agencies" from around the world attend Blackhat/Defcon in Vegas. It's the biggest and most intense IT security conference/training I've ever attended. The only other IT security conference that comes close is RSA, which is held in San Fransisco each year.

I probably spent about 10% of my working days in the last 10 years of my career attending these conferences/training. Probably the only thing I miss about my working years.

One of my favorite topics on this board is when IT security topics are being discussed. I'm "sometimes" impressed with the security knowledge levels of a "few" of the members. "Sometimes"...

[Bir48die]

Generally do not in hotels but will when renting houses which is my preference.

[mrfeh]

Quote:

Originally Posted by ERD50 Can someone post some facts with sources, rather than opinions or just a "this is what I do" example?

This is a very technical topic. You aren't going to find a concise summary that accurately describes all the potential issues.

Is a man-in-the-middle attack possible? Yes, but you need to determine if it's something you want to worry about. Personally, I do not.

Some tips:

• use unique passwords
• use 2 factor authentication
• make sure https is being used (in this day and age, that will always be the case)
• use VPN if you're really paranoid

IMO, if you take these steps, using a public wifi network is just fine. Others will disagree; to each his own.

[brett]

We have used hotel wifi for the past nine years of travel. Africa, South America, Asia, Europe, NA. Never an issue. We only travel with ipads, no phone.

The two times we have had our cards compromised have been at home. We make a habit of checking our no FX fee credit card while traveling to ensure that it has not been compromised. There is always a first time though. What I do though is only use specific bank accounts when travelling....one with just enough back up cash and no more in case of compromise.

[brett]

We have used hotel wifi for the past nine years of travel. Africa, South America, Asia, Europe, NA. Never an issue. We only travel with ipads, no phone.

The two times we have had our cards compromised have been at home. We make a habit of checking our no FX fee credit card while traveling to ensure that it has not been compromised. There is always a first time though. What I do though is only use specific bank accounts when travelling....one with just enough back up cash and no more in case of compromise. We do not have much choice when we are on extended trips.

[Rianne]

Quote:

Originally Posted by Splash I try to only use our secured WIFI at home. If access away from home is needed, I use my phone directly or as a hotspot.

+1 IT person cautioned never use outside wifi for anything financial. I always lock my Lastpass outside of my wifi. I do what I"m told

[Rianne]

Quote:

Originally Posted by donheff Looking up at the URL bar now I see this portion of my ER Forums session is not secure so that appears to be the case here.

I guess all we share here is safe and confidential?

[jazz4cash]

This is something I really don’t worry too much about. When I was traveling for work I was always using VPN. I don’t understand the risk wrt financial accounts that are not credit cards. I’m very unlikely to take any actions with an account that would not involve 2FA or another form of notification. Thanks to advice here I’ll definitely use cell data in the future.

[Kwirk]

I like to be careful, paranoid even, when using public WiFi. BUT...

Everyday there appear to be literally millions of unsophisticated users of public WiFi. Yet I never seem to hear any of the horror stories about public WiFi like I hear stories about email phishing, key loggers, and even SIM swapping. I can find plenty of stories touting the presumed risks of public WiFi but not actual instances of recent fraud. These stories do seem to sell a lot of VPN subscriptions and malware software. The warnings do not appear to be coming from banks or internet merchants. I'm inclined to believe that public WiFi is now reasonably safe for most uses. (I still wouldn't suggest entering credit card information on a random site that may not be using HTTPS.)

I'd be interested to hear of any actual and recent cases of fraud resulting from public WiFi use. There should be many thousands of such cases if all of the warnings are to be believed.

[harley]

Quote:

Originally Posted by Car-Guy Been there many times (6 or 7 times I think) when I was working. There is nothing like attending a week+ long security conference (Blackhat/Defcon) in Las Vegas with all expenses paid (well almost all )

Especially since it's usually the same week as the AVN Adult Entertainment Expo. Nothing like putting a bunch of unsocialized nerds next door to a major porn convention.

ERD50, here's an interesting article if you're interested in nuts and bolts. They're trying to sell their services, but there's a lot if information in the article. https://news.netcraft.com/archives/2...m-attacks.html

As far as the people saying they've done it a million times with no issues, that's fine and true. Personally I don't think too many people are lurking waiting for innocent victims to log onto the hotel wifi. ANd 2FA helps a lot. But they really aren't very safe, and you never know when lightning will strike.

[JustCurious]

Quote:

Originally Posted by harley As far as the people saying they've done it a million times with no issues, that's fine and true. Personally I don't think too many people are lurking waiting for innocent victims to log onto the hotel wifi. ANd 2FA helps a lot. But they really aren't very safe, and you never know when lightning will strike.

Right. It's sort of like someone saying "I've been driving without using a seatbelt for years and I've never been injured, so it's safe."

[btdt22]

I never use free wifi for banking or other secure transactions, but I have used my Verizon connection for bank transfers etc.

[GrayHare]

https does not encrypt metadata, meaning it leaks all sorts of information about you and the sites you access, though probably not your password. By gathering your metadata a hacker can learn much about you, perhaps enough information to impersonate you online.

[Ed_The_Gypsy]

Quote:

Originally Posted by donheff I'm paranoid about this and never contact my financial institutions while on the road, But I have things set up so I don't need to. I would not be uncomfortable accessing banking over the cellular connection on my phone or via the phone's hotspot. If I ever run into a situation where it becomes critical to use public wifi I would risk it because I am confidant that my financial institutions use end to end https.

Same here.

[jazz4cash]

Quote:

Originally Posted by JustCurious Right. It's sort of like someone saying "I've been driving without using a seatbelt for years and I've never been injured, so it's safe."

Not at all unless I’m REALLY missing something. Driving with no seatbelt will get you killed.

Maybe I’m naive. I do check on account activity and use billpay but don’t do much beyond that. Just about anything else involves 2FA or some other means of notification. The most important piece is to be alert to scam calls and emails.

[jazz4cash]

And I’ll add that checking balances daily is all part of detecting issues ASAP.