Access Vanguard from Wireless Connection at Coffee Shop???

TromboneAl

Is it safe to access, for example, my VG account from a wireless connection at a coffee shop??
 
Not safe enough for my comfort level.

At the very least be certain that you are typing your password in scramble mode, as suggested by Nords in a former thread. That is, p,3,backdelete,a,space space space, mouseclick, 3 characters back, a, etc. etc. so that key loggers get botched up.
 
I'm not a computer security expert, but I think it is relatively safe. Like just about anything, there are things you have control over to make it safer, in no particular order:

1. Log on directly to the vanguard site; don't click on an email link (Vanguard now recommends this in recent email communiques I have received).
2. Set yourself up on Vanguard's fancy new security question system. This is now required for me by Vanguard and probably is or will be for you shortly also.
3. Make sure nobody is looking over your shoulder when you enter passwords or view sensitive data like account numbers and SSN's.
4. Make sure your PC is up to date on Windows security updates, has a firewall on, etc., etc.

Nothing is absolutely safe; many here go far beyond what I do to be "paranoid" about their financial data security but I am sure many also do less.

If you want the herd approach, personally I regularly access all of my financial accounts - Vanguard, checking, savings, credit cards, mortgages, college funds, etc. - through wireless connections at coffee shops, universities, bookstores, fast food restaurants, etc. My sums are modest compared to many here but are significant compared to most in the US and the rest of the world. I have never had anything happen to me or anyone close to me; I am sure that if something did happen I would become far more attentive to security measures. I guess overall I not only have faith that nothing untoward will happen to my money but also that if something did happen I would be able to work with Vanguard and law enforcement to get my money back.

2Cor521

P.S. -- Just saw RIT's response. My reply above assumes accessing my accounts from my own laptop. I am somewhat more careful but not as careful as RIT suggests when using a public computer, but I also seldom use public computers anyway.
 
I guess it's not worth the small risk. This will be the second year in a row I can't do my rebalancing on Jan 2.
 
What SecondCor521 said. With those precautions and using my own computer I would not have a problem using a coffeehouse's wireless network.

There is no way I would use a public computer to log into a bank, or even web mail for that matter. It's just too easy to put a key logger on one of those. I only use computers that I own & administer for anything where security matters.
 
TromboneAl said:
Is it safe to access, for example, my VG account from a wireless connection at a coffee shop??
If you are using your own computer, I'd say it is ok.
 
This same question has been on my mind, especially as I contemplate future travel. Is it even safe when hard-wired as opposed to wireless? At home I only use Comcast, so I figure at least I'd know where to find the culprit. But what if I'm hardwired to a hotel here or overseas and enter my accounts? Aside from what's been discussed, is there anything inherent about how information moves on the internet that this information is safe once it leaves my computer?
 
Again, I am no expert, but I do believe that the information is transmitted across the internet using several different logical layers. The lowest layer is the physical layer, above that you have Internet Protocol, or IP, above which (maybe several layers, I'm not sure) is HTTP, which is HyperText T-something Protocol.

Certain layers support encryption and certain others don't. I know for sure that HTTP supports a secure version called HTTPS, so if you are using that (and I believe you always are if you see HTTPS in a URL), then your data is encrypted at that level even if the other transmission layers mentioned above don't encrypt it.

So in your case even if the underlying physical layer changes from Comcast to a hotel or wireless, the upper layer is still encrypted. So it could be possible for someone to see that IP address 1.2.3.4 is sending stuff back and forth to IP address 5.6.7.8, but it would just be a bunch of gibberish.

I don't know the encryption level on the HTTPS protocol but I personally feel quite safe using it as most financial institutions seem to imply that if you are using HTTPS your data is sufficiently safe for them to claim that it is safe to do business that way.

2Cor521
 
A while back I saw on raddr's board a reference to a "Portable Automated Password Manager, Form Filler, Password Generator for USB key" at http://www.roboform.com/pass2go.html and I am wondering if anyone has used it. If so, do you think it makes it safe to use public computers for financial transactions?
 
jdw_fire said:
A while back I saw on raddr's board a reference to a "Portable Automated Password Manager, Form Filler, Password Generator for USB key" at http://www.roboform.com/pass2go.html and I am wondering if anyone has used it. If so, do you think it makes it safe to use public computers for financial transactions?

In my mind, no, there could still be software intercepting the username and password being sent.

I can't imagine any product that would make it safe to use a public computer for financial transactions. Even if you brought your own operating system and browser (e.g. if you could boot from a Knoppix CD) there are inexpensive hardware key loggers out there, and even keyboards with built-in key loggers are easy to come by. Okay, MAYBE if you booted into your own CD or DVD based operating system, AND you use the mouse to enter the characters of your password... but how many public computers will allow you to do that?

Besides, low-end laptops are pretty cheap these days.

Does anyone know if the current PDAs or cell phones with web browsing are up to the task?
 
Baxter said:
Does anyone know if the current PDAs or cell phones with web browsing are up to the task?

Yeah, I think most of the mobile OS's have SSL support, but I always have a small laptop with me when traveling. I'd never use a public computer for sensitive stuff, but borrowing a WiFi connection is fine as long as you're going over an SSL (including HTTPS) connection.
 
Well, we finally have both power and cable at the same time, so I was able to access Vanguard in the privacy of my own home, and do my rebalancing.

The stock percentage changed from 59% to 62% over the course of the year, so I just moved a big hunk from total stock to total bond. This year I'm at an allocation of 58% -- I'm dropping the stock part one percent each year.

Feels good to get that done and "lock in" those gains. I had visions of a major stock collapse while I was waiting for the cable to come back. Now I'll send in my HSA contribution for the year. This will be my first year with no SEP-IRA or Roth IRA contributions! :-[ :)
 
TromboneAl said:
Now I'll send in my HSA contribution for the year.

Al, do you make the full-year contribution up front? I started my HSA on 12/1 and have been wondering if I should make the 2007 contribution monthly, quarterly or do it all now.
 
Yes, full contribution as close to Jan 2 as possible. This lets me maximize the tax-free compounding. Worst case is I change to a non-HSA plan sometime during the year -- I can still fix things if that happens.

I'd recommend the same strategy with all tax-free investing -- it's a free lunch. Every day that your money sits in a taxable account you are paying taxes on the gain, but don't need to.
 
TromboneAl said:
Yes, full contribution as close to Jan 2 as possible. This lets me maximize the tax-free compounding. Worst case is I change to a non-HSA plan sometime during the year -- I can still fix things if that happens.

I'd recommend the same strategy with all tax-free investing -- it's a free lunch. Every day that your money sits in a taxable account you are paying taxes on the gain, but don't need to.

Gotcha. Since I'm moving money from one tax-free account to another, I don't think moving it ASAP will make any difference for me. I'll probably do it quarterly.
 
REWahoo! said:
Gotcha. Since I'm moving money from one tax-free account to another, I don't think moving it ASAP will make any difference for me. I'll probably do it quarterly.

REW, why would you move money from one "tax-free account to another" unless all of your money is in a tax-free account? The beauty of an HSA is that it gives people with high income or no earned income a way to make a tax deductible "contribution" to a tax-free account, but only if they use taxed money. Or are you just trying to make medical payments with an IRA/401K?
 
jdw_fire said:
Or are you just trying to make medical payments with an IRA/401K?

Yes, I'm retired, no pension or SS (yet) and don't have much after tax savings. What I do have I'm using to manage my income below the 25% tax rate plus convert some TIRA money to a Roth.
 
Thanks, Baxter. The relevant part for my original question is this:

* If you see the little padlock in the corner of your Web-browser window (or if the Web address begins with “https://” instead of “http://”), you’re connected to a secure Web site. Your transmissions are encrypted in both directions, so you have little to fear from casual packet sniffers. Banking and brokerage sites, for example, are protected in this way.
 
I would never try it no matter how "safe" others say it is. Why in the world would I have a need to look at my ever-changing Vanguard numbers at any place other than at home where it is as safe as it can be?

The negatives are just too darn severe for me to consider otherwise.
 
Internet security is a rather tenuous thing, even in your own home.

Many cable and DSL modems can be put into a 'promiscuous mode' (hey, I didn't name it) by a reasonably skilled hacking type and all the data sent and received in the neighborhood/area may possibly be captured for later analysis. Outside of your little loop of the 'net, your data passes through dozens of accessibility points where the data could be tapped off.

The good news is that as pointed out, SSL (the little padlock when using an HTTPS: connection) is fairly secure, although a number of agencies (like the NSA) likely have real-time SSL busting tools and it's long rumored that Broadcom has produced a real-time SSL decryption system that is in use by a number of law enforcement agencies and perhaps even large corporations that handle sensitive data. Outside of funny hardware, a skilled person using today's high-power PCs could conceivably crack a captured SSL stream between a few hours and a month or so. Heck, in a public challenge some guys did it in a month about 11 years ago using the computing power available then. Remember when a Pentium 133 was a big deal?

The bad news is that a "man in the middle" attack where a naughty coffee shop was proxying your connections through a 3rd party that acted like your target web site (say Vanguard) while passing along your keystrokes and Vanguard's responses could conceivably (and without great complications) capture your username and password. Basically you'd have a nice secure SSL connection to the "man in the middle" and the MITM would have a nice secure SSL connection to Vanguard.

There are bootable read-only USB/CD/DVD images, usually using Linux although I've seen one using XP, which boot to a fairly unassailable image, connect to an external hard proxy using a secure protocol, optionally route through a series of anonymous proxies (TOR is common) and give the public user some measure of security...or a home user a great deal of security.

In short, I wouldn't use a public computer for any purpose that you wouldn't describe to your mother, your wife, and the local judge while carrying a large white cardboard sign containing the passed information. I would use my own computer judiciously on a public network operated by someone I know that has a lot to lose if it were found that they were tampering with the data. In other words, "Bobs java house" in Singapore would lose out to Starbucks in San Francisco. I would never log into a bank/financial web site or pass significant personal information unless I was using my own machine in my own home on my own network or at a well-trusted 3rd party's network.

As an aside, since I know many people do it, I would consider some unknown "neighbor's" open wireless connection to be a very plausible "MITM".

When I left my Fortune 500 company 6 years ago, we were often reading people's email, logging which web sites they went to, evaluating the information that went through our proxies to external sources, and enjoying dozens of daily attempts to intercept or break into the network. And that was when we had tools that were comparatively simple to today's offerings.

So in short Al, I'd wait a few more days to do my rebalancing instead of doing it from a public network inside a coffee house. In fact, I'd wait a long dang time to do it.
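
Added example, not part of any post in this thread: in the man-in-the-middle scenario described above, the interposed party has to present a certificate of its own, and this Go program runs the two checks a TLS client applies to it (issuer trusted, name matches the site requested). The host names `bank.example.test`, `ca.example.test` and `proxy.example.test`, and every certificate, are constructed test data generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway certificate for name (constructed test data); a nil parent means self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check applies the client-side rule: chain to a trusted root AND name the requested host.
func check(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return "rejected: " + err.Error()
	}
	return "accepted"
}

// results verifies three certificates against the host name the user typed.
func results() [3]string {
	const host = "bank.example.test" // hypothetical site name
	ca, caKey := issue("ca.example.test", true, nil, nil)
	roots := x509.NewCertPool() // stands in for the browser's trusted root store
	roots.AddCert(ca)
	site, _ := issue(host, false, ca, caKey)                  // genuine site certificate
	fake, _ := issue(host, false, nil, nil)                   // interposer: right name, self-signed
	other, _ := issue("proxy.example.test", false, ca, caKey) // interposer: trusted issuer, wrong name
	return [3]string{check(site, roots, host), check(fake, roots, host), check(other, roots, host)}
}

func main() { fmt.Printf("%q\n", results()) }
```

The two rejections correspond to the certificate warning a browser shows; the check only protects a user who does not click through it.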
 
Thank you, ahem...El Guapo :D for such a great answer!

I've done a lot of reading on prime numbers and the huge impact on E Commerce security and frankly it's not the secure sites themselves that are the issue, it's the man in the middle as you put it, culling information along the way.
 
I think there are two kinds of errors to be made here. I think they're called Type I and Type II errors but I can't remember where I remember that terminology from.

1. Not taking security precaution X when you should have. Gain: Not having to spend the time taking the security precaution. Loss: Identity theft, or whatever.
2. Taking security precaution X when you didn't need to. Gain: Feeling secure. Loss: The time of your life you spent taking an unneeded security precaution.

The point is there is a tradeoff, and most people here have not discussed the drawbacks of committing a bunch of errors of the second kind above in an endless pursuit to avoid making a single error of the first type. Personally I justify my current security practices by evaluating the gain and losses above multiplied by their prospective likelihoods. Although identity theft is a problem, I don't fear it very much because I can and do check my account balances regularly if not daily, so I feel I could quickly catch any problems to minimize the damage; also, I judge the likelihood of the event to be quite small compared to the probability of my transactions and balances and passwords going through un-hacked.

For those of you who do all this security, do you also buy airplane crash insurance from the kiosks in the airport?

2Cor521
 
It's neither time consuming nor expensive to keep yourself 99% secure. The point is to not make it too easy for any bad actors and to be aware of what is free and clear to see. Your point about not going overboard is well taken. Most people are simply not that interesting ;)

Email and non-encrypted web page transactions are all sent clear text. Encrypted wireless and SSL connections can be fooled and decoded.

Do's:

- Use your own computer and internet connection at home when transmitting sensitive information
- Use virus/firewall software you can get for free with a new computer or from your ISP or via freeware/trial offers
- Use an inexpensive or free-after-rebate router that incorporates NAT and a half decent firewall on your broadband connection. Enable wireless encryption (WPA or better, not WEP), change the router name and password.
- Update your operating system with the latest patches from the manufacturer

Don'ts:

- Use public computers or "open" networks to transmit sensitive information
- Connect to a network without any firewall or virus protection
- Leave your network "open" or set to defaults
- Click on links from emails or through 3rd party sites (phishing opportunity)
 
El Guapo said:
The bad news is that a "man in the middle" attack where a naughty coffee shop was proxying your connections through a 3rd party that acted like your target web site (say Vanguard) while passing along your keystrokes and Vanguard's responses could conceivably (and without great complications) capture your username and password. Basically you'd have a nice secure SSL connection to the "man in the middle" and the MITM would have a nice secure SSL connection to Vanguard.

Well, there's security and there's paranoia. ;)

First, Vanguard and others have added various security measures to protect against spoofing. I'm sure everybody has seen the new two-step login that displays your own special picture and phrase at the second step, for example.

Second, cybercrooks get plenty of what they're looking for from easy targets, so most of them don't even bother with decryption. They go after the low-hanging fruit.

Finally, if a crook is really targeting you, you are probably doomed. It's much easier to go through your trash, steal your mail, or place a phone call to you pretending to be a trusted agent than it is to do any tricky cybersnooping.
 