Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 06:46 PM   #21
Recycles dryer sheets
figner's Avatar
 
Join Date: Jan 2007
Location: Los Angeles area
Posts: 329
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by chinaco
My point on MITM is that a different cert could be used to terminate your connection/ssl session at a proxy and the proxy could establish a different ssl connection with the real site. In other words, you might not be using their cert. How often do you check (actually look) to validate the cert on your side?
Your browser validates the cert based on the internal list of root CAs it ships with. If the fake cert has not been validly signed by one of the root CA certs (which would only be possible to forge if you had compromised one of the root CA systems), the browser will pop up an error.

Granted, it's possible that if you downloaded and installed new web browser software via an unencrypted connection (and didn't verify the checksum on it), your browser software itself might be compromised. I tend to be careful about things like that, though most casual computer users probably aren't. Even so, I wouldn't recommend that folks like my mom stop accessing their financial data online. I recommend that she take the appropriate precautions:

Turn off all unnecessary services on your computer.
Keep patches up to date at all times.
When online, use an account without administrator privileges as much as possible.
Don't use Internet Explorer or MS Outlook unless absolutely necessary.
Run anti-virus and firewalling software.

If you do this, accessing your online accounts isn't much more of a risk on public wifi than on your home network. In either case, your traffic will be routed through multiple networks until it reaches its destination, and any one of those could have people sniffing traffic on it. Encrypted (SSL) connections are pretty good security, as long as you pay attention to certificate errors from your browser. For even better security, some sites (Etrade is one) offer the one-time-use login number generators so that you need to be looking at the gadget in addition to knowing your username and password.

__________________

__________________
figner is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 06:51 PM   #22
Recycles dryer sheets
 
Join Date: Mar 2007
Posts: 160
Re: Be careful managing assets, accounts, money, over the internet on wireless

I hate to sound so ignorant, but......when you say "don't use Internet Explorer", which is what I usually use, what do you suggest instead? Are you talking about things like Mozilla and Firefox (see how knowledgeable somebody who hasn't got an idea what they're talking about can sound?)......I've heard those names, but don't have the foggiest about them.

If I'm going to be using my laptop in Europe in internet cafes, campgrounds, etc., are you saying to use some other browser?

I appreciate that you guys aren't laughing at me...... ;-)

LooseChickens
__________________

__________________
loosechickens is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-10-2007, 09:01 PM   #23
Thinks s/he gets paid by the post
teejayevans's Avatar
 
Join Date: Sep 2006
Posts: 1,228
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by loosechickens
I hate to sound so ignorant, but......when you say "don't use Internet Explorer", which is what I usually use, what do you suggest instead? Are you talking about things like Mozilla and Firefox (see how knowledgeable somebody who hasn't got an idea what they're talking about can sound?)......I've heard those names, but don't have the foggiest about them.

If I'm going to be using my laptop in Europe in internet cafes, campgrounds, etc., are you saying to use some other browser?

I appreciate that you guys aren't laughing at me...... ;-)

LooseChickens
A Microsoft exec once claimed they are the most secure OS because they ship more security patches than any other OS. Does that tell you something?
TJ
__________________
teejayevans is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 01:42 AM   #24
Recycles dryer sheets
figner's Avatar
 
Join Date: Jan 2007
Location: Los Angeles area
Posts: 329
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by loosechickens
I hate to sound so ignorant, but......when you say "don't use Internet Explorer", which is what I usually use, what do you suggest instead? Are you talking about things like Mozilla and Firefox (see how knowledgeable somebody who hasn't got an idea what they're talking about can sound?)......I've heard those names, but don't have the foggiest about them.
Yes, I prefer Firefox (produced by the Mozilla corp).
http://www.mozilla.com

They tend to fix any vulnerabilities quickly (you still need to make sure to keep it updated), and you can download extensions that will make it even safer (I like NoScript and FlashBlock). But even without the extensions, my opinion is it's much safer than using Internet Explorer, mostly because IE is so integrated into the operating system and has a history of more serious and slowly fixed bugs.

You may still run into the occasional web site that's been customized for IE and simply won't work well with Firefox. I wind up using IE a couple times a month, but I try to keep that to a minimum and visit only sites I trust (i.e. www.fidelity.com, but not www.funwithsheep.com )

__________________
figner is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 04:40 AM   #25
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by figner
Your browser validates the cert based on the internal list of root CAs it ships with. If the fake cert has not been validly signed by one of the root CA certs (which would only be possible to forge if you had compromised one of the root CA systems), the browser will pop up an error.

True enough on the CA and the warning. Some exploits get complicated enough that they are theoretically possible... but would be complicated to attempt against individuals. Rather, the criminals go after the large data store by attacking the site.

The CA check can be circumvented if the attacker can get control of the person's computer. For example, on a rogue Wi-Fi network (if someone accidentally selected it instead of the intended cafe connection)... The rogue network could employ an internal CA and proxy server. The hacker could get on someone's computer, then import a new CA in the browser CA list. Then the browser could validate against the internal CA server and not throw the warning. Most of this technology could be set up on a single laptop. It is a bit complicated.

Bottom line: Wi-Fi is becoming more prevalent. It will be exploited.


All in all (Today!), Phishing is probably a much larger threat to individuals. It is simpler. Many of the current exploits against individuals seem to apply some sort of social engineering to trick people.

__________________
chinaco is offline   Reply With Quote
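The two checks discussed in posts #21 and #25, as an added example that is not part of any forum post: the first function confirms a TLS client context actually enforces chain and hostname validation, and the rest compare a site's certificate against a baseline recorded on a trusted network, which is what reveals an intercepting proxy whose CA was added to the local trust store. The baseline values, CA names and sample bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl


def verification_gaps(ctx):
    """List the ways this client context would fail to reject a fake cert."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified")
    if not ctx.check_hostname:
        gaps.append("hostname is not matched against the certificate")
    return gaps


def issuer_org(cert):
    """Extract organizationName from the dict returned by getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def observe(host, port=443, timeout=10):
    """Connect with full validation and record who vouched for the site."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "issuer_org": issuer_org(tls.getpeercert()),
                "fingerprint": fingerprint(tls.getpeercert(binary_form=True)),
            }


def differences(observed, baseline):
    """Compare an observation with one recorded on a trusted network.

    A changed fingerprint alone can be a routine certificate renewal;
    a changed issuer as well means a different CA is vouching for the
    site, which is what a locally installed proxy CA looks like.
    """
    return [
        f"{key}: expected {baseline[key]!r}, saw {observed.get(key)!r}"
        for key in baseline
        if observed.get(key) != baseline[key]
    ]


# Constructed sample data (not real certificates or real CA names).
BASELINE = {
    "issuer_org": "Example Public CA",
    "fingerprint": fingerprint(b"constructed-der-bytes-real-site"),
}
INTERCEPTED = {
    "issuer_org": "Cafe Proxy Internal CA",
    "fingerprint": fingerprint(b"constructed-der-bytes-proxy"),
}

if __name__ == "__main__":
    print(verification_gaps(ssl.create_default_context()))
    for line in differences(INTERCEPTED, BASELINE):
        print("MISMATCH", line)
```

The chain validation inside `observe()` still succeeds when an extra root has been imported, so the baseline comparison is the part that catches that case.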
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 06:38 AM   #26
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,649
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by figner

You may still run into the occasional web site that's been customized for IE and simply won't work well with Firefox. I wind up using IE a couple times a month, but I try to keep that to a minimum and visit only sites I trust (i.e. www.fidelity.com, but not www.funwithsheep.com )

There is a Firefox extension that lets you open a link in an IE tab. It is convenient but, of course, uses the IE engine, exposing you to its vulnerabilities.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 11:59 AM   #27
Recycles dryer sheets
figner's Avatar
 
Join Date: Jan 2007
Location: Los Angeles area
Posts: 329
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by chinaco
True enough on the CA and the warning. Some exploits get complicated enough that they are theoretically possible... but would be complicated to attempt against individuals. Rather, the criminals go after the large data store by attacking the site.
I'm curious which exploits you're referring to? Feel free to PM me if this is getting too esoteric for the thread. I can think of one off the top of my head, but don't think it's likely enough to warrant worrying about.

Quote:
Originally Posted by chinaco
The CA check can be circumvented if the attacker can get control of the person's computer. For example, on a rogue Wi-Fi network (if someone accidentally selected it instead of the intended cafe connection)... The rogue network could employ an internal CA and proxy server. The hacker could get on someone's computer, then import a new CA in the browser CA list. Then the browser could validate against the internal CA server and not throw the warning. Most of this technology could be set up on a single laptop. It is a bit complicated.
That again assumes that the user's system is vulnerable. Taking the steps I listed before will generally protect you from attackers. Of course, any system is hackable given enough resources, but it's a lot like home security - if you make yourself a difficult enough target, chances are an attacker will move on to an easier job.

I agree that if you're going to target an individual, it's probably much easier to use social engineering. And also much more profitable to target corporate sites which process lots of user data.

__________________
figner is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 03:16 PM   #28
Recycles dryer sheets
 
Join Date: Dec 2006
Location: Florida
Posts: 249
Re: Be careful managing assets, accounts, money, over the internet on wireless

I just finished "Stealing Your Life" (?) by Frank Abagnale (hero and author of "Catch Me If You Can", although DiCaprio looks a lot better than the real thing...) Abagnale covers a lot of the scams of the modern world. Particularly disturbing is the near lack of accountability the financial institutions have if something goes wrong electronically. Read the book for details, or the dense contract verbiage if you dare. Apparently, if you don't use software provided by the bank/brokerage/etc., you can be SOL if you get your identity lifted.

I'm certainly no expert, but the gist of what I read is that most scamming is done by deception rather than interception. It's much more productive to set up a bogus web site, or skim credit and debit cards at a restaurant or via a phony ATM unit, because you're getting the victim to come to you. Just consider the concept of putting in a sniffer to sift through reams of internet traffic. Sure, it could happen, but the probability of getting anything useful is probably very, very low. It may work in spy movies, or for the NSA, but for Joe Hacker, quite frankly, it's unlikely he's written code to search through random packets for a credit card # which probably was SSL or otherwise encrypted going past, anyway. OTOH, keystroke logging would be a definite worry. I would never do personal financial transactions at a public internet terminal. I would be somewhat, but less, paranoid using my PC on somebody else's network.
__________________
I've got nothing against an honest day's work, provided that someone else does it.
pedorrero is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 04:24 PM   #29
Recycles dryer sheets
figner's Avatar
 
Join Date: Jan 2007
Location: Los Angeles area
Posts: 329
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by pedorrero
I'm certainly no expert, but the gist of what I read is that most scamming is done by deception rather than interception.
Yeah, that would be my guess too. You probably just need a tiny response rate to your "Make money fast" or phishing spam to rake in the bucks. And I seem to remember that relatively recently, you could google for credit card numbers (maybe using common prefixes) and come up with a lot of valid ones.

That Abagnale book sounds interesting, it's now on my to-read list.

__________________
figner is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-11-2007, 05:42 PM   #30
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by figner
I'm curious which exploits you're referring to? Feel free to PM me if this is getting too esoteric for the thread. I can think of one off the top of my head, but don't think it's likely enough to warrant worrying about.

That again assumes that the user's system is vulnerable. Taking the steps I listed before will generally protect you from attackers. Of course, any system is hackable given enough resources, but it's a lot like home security - if you make yourself a difficult enough target, chances are an attacker will move on to an easier job.

I agree that if you're going to target an individual, it's probably much easier to use social engineering. And also much more profitable to target corporate sites which process lots of user data.


Yup... almost all exploits require the system to be vulnerable in some way, or to trick someone, or both.
__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-12-2007, 09:44 AM   #31
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by teejayevans
It's not a man-in-the-middle attack, it's that the man on the other end is not who you think it is.
TJ
Dude, that doesn't matter. I said I would attempt to directly access https://www.fidelity.com
They can point that to any IP address they want, but they (given no compromise of fidelity's key, or one of the root CAs) can't present a certificate that my browser will accept without presenting a warning.
__________________
mja is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-12-2007, 09:55 AM   #32
Recycles dryer sheets
 
Join Date: Aug 2006
Posts: 53
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by chinaco
And then, they could issue a redirect to send you to the real home page after they capture the info. This is part of the reason the VG split the login id and the PW page apart. But, I think some newer browsers can be set to warn on the redirect to a different site.
That's why I access fidelity (et al) by going to https://www.fidelity.com instead of http://www.fidelity.com
There will be no redirect trickery since I'm not going to proceed to login after I get an unverified cert.

Quote:
If it is their cert, I would think you would be OK. As someone said earlier unless they were compromised.

My point on MITM is that a different cert could be used to terminate your connection/ssl session at a proxy and the proxy could establish a different ssl connection with the real site. In other words, you might not be using their cert. How often do you check (actually look) to validate the cert on your side?
I'll know immediately that they're not using fidelity's cert. My browser will pop up a message saying it was unable to verify the identity of the site. How often do I actually look at the cert on my side? If I get an "unable to verify" when talking to a financial site, *every time*.

Quote:
My point on the topic was: Do not take security for granted. There are ever emerging threats and clever techniques to trick people and/or compromise your computer.
An important and valid point. I'm just saying that it's possible to do this safely, and to point out that SSL used properly hasn't been compromised in the way you stated.
__________________
mja is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-13-2007, 12:55 AM   #33
Dryer sheet wannabe
 
Join Date: May 2007
Posts: 11
Re: Be careful managing assets, accounts, money, over the internet on wireless

To get around MITM attacks, many financial websites now present a picture that tells the client that this is not a fake website. The picture is assigned to the client when he registers. I think this is a clever and cheap way to get around the MITM.
__________________
Islandboy is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-13-2007, 05:17 AM   #34
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by Islandboy
To get around MITM attacks, many financial websites now present a picture that tells the client that this is not a fake website. The picture is assigned to the client when he registers. I think this is a clever and cheap way to get around the MITM.
That does not guard against MITM. You are thinking about phishing and/or fake site.

MITM is basically like a wiretap... listening in! Although, they could take some form of control/alter since they have your http request.
__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-18-2007, 01:09 PM   #35
Recycles dryer sheets
 
Join Date: Apr 2004
Posts: 98
Re: Be careful managing assets, accounts, money, over the internet on wireless

My Fidelity account was hacked two weeks ago. Don't know how. It could have been via WiFi. Apparently someone was able to duplicate my keystrokes for ID and password and get access to my accounts. Fidelity's fraud unit caught it almost immediately and phoned me at home. All my assets were frozen temporarily while Fidelity transferred everything to new accounts.

I'm no longer trading on-line. The only thing I can do now on my Fidelity site is check balances. From now on I'm going into the nearest Fidelity office to trade or doing transactions over the phone. Otherwise, too risky.
__________________
Traveler is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-18-2007, 05:51 PM   #36
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by Traveler
My Fidelity account was hacked two weeks ago. Don't know how. It could have been via WiFi. Apparently someone was able to duplicate my keystrokes for ID and password and get access to my accounts. Fidelity's fraud unit caught it almost immediately and phoned me at home. All my assets were frozen temporarily while Fidelity transferred everything to new accounts.

I'm no longer trading on-line. The only thing I can do now on my Fidelity site is check balances. From now on I'm going into the nearest Fidelity office to trade or doing transactions over the phone. Otherwise, too risky.
You might want to check your PC for a key logger.

http://en.wikipedia.org/wiki/Keystroke_logging
__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-19-2007, 07:40 PM   #37
Dryer sheet wannabe
 
Join Date: Mar 2006
Posts: 16
Re: Be careful managing assets, accounts, money, over the internet on wireless

chinaco, your tag line is:

Memorable Moments at Paris Island

Actually, it should be 'Parris Island,' not 'Paris Island.'

Graduate of platoon 160, MCRD Parris Island, September, 1975.
__________________
safari is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-19-2007, 07:57 PM   #38
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2007
Posts: 5,072
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by safari
chinaco, your tag line is:

Memorable Moments at Paris Island

Actually, it should be 'Parris Island,' not 'Paris Island.'

Graduate of platoon 160, MCRD Parris Island, September, 1975.
You are correct. Thanks. I updated it.

Platoon 174, A company. Arrived on the yellow foot prints in July '75
__________________
chinaco is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-19-2007, 11:35 PM   #39
Dryer sheet wannabe
 
Join Date: May 2007
Posts: 11
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by Traveler
My Fidelity account was hacked two weeks ago. Don't know how. It could have been via WiFi. Apparently someone was able to duplicate my keystrokes for ID and password and get access to my accounts. Fidelity's fraud unit caught it almost immediately and phoned me at home. All my assets were frozen temporarily while Fidelity transferred everything to new accounts.

I'm no longer trading on-line. The only thing I can do now on my Fidelity site is check balances. From now on I'm going into the nearest Fidelity office to trade or doing transactions over the phone. Otherwise, too risky.
It is amazing that Fidelity still only requires the minimum for signing on: userid and password. When are they going to start catching up with better security?
__________________
Islandboy is offline   Reply With Quote
Re: Be careful managing assets, accounts, money, over the internet on wireless
Old 05-20-2007, 02:56 AM   #40
Dryer sheet wannabe
 
Join Date: Mar 2006
Posts: 16
Re: Be careful managing assets, accounts, money, over the internet on wireless

Quote:
Originally Posted by chinaco
Platoon 174, A company. Arrived on the yellow foot prints in July '75
I arrived there on 30 May 1975, got formed into A Company, Platoon 157. Then at the end of 1st phase I broke my foot, got sent to MRP (Medical Rehabilitation Platoon -- which was right next to Motivation (remember that?)). A couple of weeks into MRP my foot was healed enough that they let me and a few others go to the rifle range each day for 2 weeks for rifle qualification. Then after a total of 4 weeks at MRP I got put in Platoon 172 for the rest of 2nd phase. When Platoon 172 went to the rifle range (which I had already done) they put me ahead to Platoon 160 to do 3rd phase. I graduated with Platoon 160 on 12 September 1975. By the way, you have probably guessed that I'm pretty good with dates! I think that for the couple of weeks or so I was with Platoon 172 we were probably in the same series. Small world!!!

By the way, in April 2000 I happened to be in SC and visited Parris Island for the first time since leaving in 1975. Seeing the place after 25 years was really cool. The old WWII-era white receiving and forming barracks were all gone, but our A company red brick barracks next to the Grinder were still there and still being used. I also got out to the old gas chamber. No one was around at the time, but it was obvious that it was still being used. The whole place seemed smaller than I remembered since the last time I was there I marched or ran everywhere instead of driving around in a car. I was lucky I visited when I did because after 9/11 I think it is difficult for a civilian to go on base. I visited in the afternoon and then about 5:30 AM the next morning (spent the night in Beaufort) I arrived at the gate hoping to see all the platoons doing morning PT. At first the guard wouldn't let me on base because it was too early for visitors but I told him I had graduated there 25 years earlier and just wanted to see the recruits doing morning PT so he let me on base.
__________________

__________________
safari is offline   Reply With Quote