Access Vanguard from Wireless Connection at Coffee Shop???

cube_rat said:
Ms. Paranoia here... :D

Just because you're paranoid doesn't mean that I'm not stalking you. :)

I had to double-check on El Guapo's proposed man-in-the-middle attack, but I'm 99% certain that it's not possible.

Both SSL and HTTPS are specifically designed to withstand that sort of replay attack.

If it is possible, I want to learn how to do it!
 
Oh it's quite possible, and doesn't even require a lot of imagination!

But then again, I did get that SIDS monitor to work with no trouble and you made a lawn ornament out of yours! :)

I'll give you the short version...very short as Mr Gabriel has just announced his desire to get out of bed before he does it himself, which is usually followed by a thump.

You sit in shop, type www.vanguard.com. MITM sees the request, repeats it to Vanguard. Sends you the resulting page. You click on 'log in'. It clicks on login and sets up an SSL connection with YOU, then one with Vanguard. You form fill the SSL page between you and the MITM with your username. It form fills the SSL page with Vanguard with your username. Vanguard sends the picture you chose and prompts for password. MITM shows you the same page and prompts for your password. You type it in, MITM fills it in. MITM thereafter just passes keystrokes and data back and forth after storing your username and password.

Obviously not that simple, but then again I had 20 seconds to put it in.

Paranoia is bad, but so is not knowing how much of your information is sent clear text or wide open. Knowledge is power.
 
El Guapo said:
Obviously not that simple, but then again I had 20 seconds to put it in.

Yes, not quite that simple. In your example the MITM would have to have an SSL certificate for www.vanguard.com that's signed by someone your browser trusts. That's no easy task, and I have no recent memory of any of the root CA keys being compromised.

It's not impossible of course, but the probability of this attack is low enough that I don't generally worry about it.
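
Added example, not part of the thread: the certificate check described in the post above, reproduced offline with the openssl CLI. The hostnames, file names and the demo root are constructed placeholders; the demo root stands in for a CA already in the browser's trust store.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate is generated locally in a temp dir.
WORK=$(mktemp -d)
HOST=www.example.test          # placeholder for the real site's hostname

new_root() {   # $1 = file prefix, $2 = subject CN; writes a self-signed cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

new_leaf() {   # $1 = file prefix, $2 = subject CN; cert signed by the trusted CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

check_cert() { # the client-side check: chain to a trusted root AND match the name
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" \
       "$WORK/$1.pem" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo rejected
  fi
}

new_root ca    "Demo Trusted Root"    # stands in for a root in the browser's store
new_leaf site  "$HOST"                # the genuine site's certificate
new_root mitm  "$HOST"                # right name, but signed by nobody the client trusts
new_leaf other "www.lookalike.test"   # validly signed, but issued for a different name

for c in site mitm other; do
  printf '%-6s %s\n' "$c" "$(check_cert "$c")"
done
```

Only the certificate that both chains to the trusted root and carries the requested hostname passes; this failure is what a browser surfaces as a certificate warning.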
 
Really good info here and there was another similar post earlier. Have a question:

For those frequently on the road, could an institution set up a system whereby you utilize a username and password to see your accounts on a read-only basis without being able to access them online, but then you call in and manipulate your accounts either by voice or a touchtone phone? Would that add a layer of security or am I just being unbelievably paranoid?
 
Why in the world would I have a need to look at my ever-changing Vanguard numbers at any place other than at home where it is as safe as it can be?

I decided not to use the Internet at the coffee shop when our Internet connection at home was out, and it cost me about $250. If I'd done my rebalancing there, it would have happened before yesterday's .6% drop.

I realize I'm not being fair, because the market could just as well have gone up.
 
mja said:
Yes, not quite that simple. In your example the MITM would have to have an SSL certificate for www.vanguard.com that's signed by someone your browser trusts. That's no easy task, and I have no recent memory of any of the root CA keys being compromised.

It's not impossible of course, but the probability of this attack is low enough that I don't generally worry about it.

Right, I believe the attack is prevented on at least two levels: the signed certs, and encrypted source and destination address info. You can't simply "replay" the packets.
 
That's because what I'm thinking involves neither the need for properly signed certs nor replaying packets.

Remember in this case the in-house network is a controlled "fish bowl". You own the network, the proxy, the 'server' and all of the rest of it.

You would be nothing other than a client to the Vanguard server externally, and it wouldn't see you as anything other than another client.

Being able to fool a laptop in that controlled fish bowl to think it was talking to Vanguard with all the right stuff is not trivial but not that complicated either. Not something anyone would likely bother to do since the most fun thing they could do with your info is sell all your holdings and have a check sent to your house. Not a lot of fun at tax time, but not the end of the world.

But once again, the point isn't to argue the fine bits of what can and can't be done. The question was if it was worth using a coffee shop network to do financial transactions or wait a few days, and is SSL solid enough that your transactions would be fully secure.

I think it's worth waiting a few days, and I think it's worthwhile knowing that it's not that hard to crack or spoof a "secure transaction" or "secure session".

But we do live in a wonderful environment of security by obscurity and lots of people with better things to do with their lives. That's helpful to people who won't spend a few dollars, take a few minutes of time and employ a few common sense rules to keep their identity and information safe.
 
El Guapo said:
But we do live in a wonderful environment of security by obscurity and lots of people with better things to do with their lives. That's helpful to people who won't spend a few dollars, take a few minutes of time and employ a few common sense rules to keep their identity and information safe.
Hey, those coffee shop employees have to supplement their income somehow. The Starbucks stock options at their compensation level won't do it.

Keystroke loggers or a few extra pieces of network gear, one or two "extra special" customers a month who unknowingly leave their personal data with you, and either selling the info to a hacker or doing 3-4 illicit transactions of your own that hopefully won't be traced back to you before you relocate every 6-12 months.

I'll never look at an ordinary ol' barista again without wondering...
 
El Guapo said:
Being able to fool a laptop in that controlled fish bowl to think it was talking to Vanguard with all the right stuff is not trivial but not that complicated either. Not something anyone would likely bother to do since the most fun thing they could do with your info is sell all your holdings and have a check sent to your house.

The damage they could do is much worse than that.

"Evil Twin" attacks are definitely out there, but I'm not aware of any that compromises SSL/HTTPS. If you know of a vulnerability, even theoretical, I would like to know. I'd probably stop using hotspots.

This is the closest I could find to what you're suggesting:

Web Form Security and the Middle Man

This doesn't compromise HTTPS, but it could fool a user who wasn't paying attention.
 
lazygood4nothinbum said:
For those frequently on the road, could an institution set up a system whereby you utilize a username and password to see your accounts on a read-only basis without being able to access them online, but then you call in and manipulate your accounts either by voice or a touchtone phone? Would that add a layer of security or am I just being unbelievably paranoid?

It's not quite what you're looking for, but I know Fidelity allows you to grant another person (who must also be a Fidelity customer) "Inquiry Access" to your account. It gives the other person the ability to see balance and holding information, but not to place trades, etc.

I agree that it might be useful to set up an alternate name/password with read-only access that you could use from "less-trusted" locations. I wouldn't mind if more companies provided that feature.
 
That's pretty much it Wab...you don't have to play middleman, just fool a fool. Good thing nobody would go through the trouble, but nice to know what's feasible.

Some Russian mob dudes (allegedly!) around here came up with a pretty funny MITM. They made up their own credit card boxes, stuck them on over the gas pump's credit card slot in the wee hours of the morning, then came back the next day and pulled them off. In the meanwhile hundreds of people stuck their credit cards and ATM cards into the bogus stuck on slots and had their #'s and PINs swiped.

I suppose if someone goes through that much trouble to collect some info, and a bunch of people are dumb enough to stick their cards into it, maybe we should be a little more paranoid... ;)
 
El Guapo said:
Some Russian mob dudes (allegedly!) around here came up with a pretty funny MITM. They made up their own credit card boxes, stuck them on over the gas pump's credit card slot in the wee hours of the morning, then came back the next day and pulled them off. In the meanwhile hundreds of people stuck their credit cards and ATM cards into the bogus stuck on slots and had their #'s and PINs swiped.
I've heard that story told as a "portable ATM".

The "entrepreneurs" wheeled it into a busy open-air mall and left it there, plastered with all the popular local bank logos. At the end of the day they'd take it away for "servicing". Withdrawal attempts were met with apologies ("Out of cash, sorry!") but of course every ATM card & PIN was recorded by the machine. What really surprised the authorities was the number of people depositing checks & cash in an ATM that only had a bank's logo on it.

I'm not looking for a job but...
 
I think that "Catch Me If You Can" Frank Abagnale Jr. told a story in his book about dressing up as a security guard type and standing outside of a bank night deposit box with one of those bank deposit bags, and informing all the people who drove up that the night deposit box was broken but they could leave their deposits with him. Worked quite well.

2Cor521
 
How much less would you be concerned about keystroke loggers and the like in a public computer area at a library of a major public university?
 
Hmmm...hundreds to thousands of smart young mischievous kids with money problems circulating through the place every day... ;)
 