A question about random wifi security

haha

A few days ago I was texting my son who mentioned that his company's stock had had a very good day. Unthinkingly I accessed my broker through its iPhone app. I am not very familiar with how this works. I assumed I would connect via my phone's 4g service. Afterward I checked to see if there were open networks around. I was in a downtown coffee house, and there were several open networks available. I know when I am home my phone will preferentially use my wifi which I specify in my settings, in order to minimize my data usage. My question is whether the phone (iPhone 5c) will also grab any open available network, without me being asked if I want to use it? Any help very welcome!

When I came home I changed my password just in case. I hate to be using something that I really don't understand, but I have certainly quickly become accustomed to having it in my pocket.

I'm going to start another thread about Google translate. It is phenomenal.

Ha
 
AFAIK, you need to select which open wifi network you want unless you have previously selected it in the past.

Long ago I had selected a McDonald's wifi and now it automatically connects each time, but I'm pretty sure you need to originally select it to start.

And, yeah, G-translate is really slick!
 
Your broker should be using https in their app or on their website. It's generally safe to access, though it's not unbreakable (i.e., NSA).
 
First off, you did the right thing. You changed your PW. Secondly, statistically, you run a low risk of having an issue as you already know enough not to do financial and highly personal tasks over an open network connection. So lesson learned (and we all do it). HTTPS is good once you get there but your weak point is the open wireless connection from your phone or device prior to getting to the https server. Someone would have had to place a very sophisticated 'sniffer' on that particular network to get your info.

As previous poster indicated, perhaps look into checking your settings, i.e., don't connect to an open network unless you give the 'ok'.

Also, you can subscribe to any number of VPN services should you like to do banking etc. while 'on the run'. They are very secure, even when running on an open network. My guess is you are fine.
 
Typically, your phone will grab onto any network you've used before, so that's normal.

I would not access any "serious" (e.g., brokerage, bank, etc.) site without going through a VPN connection. I use Witopia, but there are several good ones.
 
Sounds like overkill to me Ha. As others point out, unless you logged into the wifi previously you would not log in now. Also, your broker undoubtedly uses https so your password was encrypted. But your underlying concern is well placed. You are undoubtedly better off not accessing sensitive network resources from locations or devices you are not sure are secure. It is easier to postpone your access. One thought - if you want to use your phone but avoid using various wifi networks you may have signed on to in the past, you could simply turn wifi off when you connect to the sensitive site. Just remember that the NSA is in there watching. :).
 
I use lots of free public WiFi because I always try to minimize mobile data usage on my pay-as-you-go MVNO (Ting). I never intentionally do anything that requires a login on these connections. But I have inadvertently RE-connected to a WiFi that I used previously, and done a login when I thought I was using 4G. So now, I always turn WiFi off before logging in when I'm away from home.
 
You can also forget those networks that you've previously connected to.

For instance, Xfinity Wifi, AT&T Wifi, etc.

I believe apps. use SSL.

We've all heard about websites being hacked, credit card numbers being stolen from POS terminals or backend systems.

But so far, nothing about apps. or banking web sites.

The greater risk at the coffee shop is if you pay for your coffee with a magnetic stripe credit card.

Maybe in the future, with mobile payments, there could be concerns that contactless methods (where data is transmitted over short distances, either NFC or Bluetooth) could be intercepted by a hacker.

Also, your home isn't necessarily safe. Millions of PCs have been hijacked into botnets.
 
Sorry to get into this late, but I had to make a quick call to my broker and buy some stock. Just got a hot tip from a friend who hangs out in Seattle area coffee shops.

I may be wrong, but I think most financial institution iOS apps work with encrypted data.

FWIW, I do all my financial work from a computer that is only used for financial sites. And I only do them at home or using a wifi source I know can be trusted (usually at the home of a fellow geek.)

In reality, I think it is much more likely that any compromise of my sensitive information will occur when some outfit I do business with gets hacked. Alas, I have little control over that.
 
Thanks everyone. I think I will use the "turn off wifi " protocol when doing something that needs privacy in a public space.

Ha
 
Thanks everyone. I think I will use the "turn off wifi " protocol when doing something that needs privacy in a public space.

Ha
I always turn off WIFI on my iPhone when I leave the house, it saves on the battery from the phone searching for wifi and I do not trust public WIFI. As long as you are not streaming music or video, the amount of data use for normal websites is really quite low.
 
Be careful assuming that by turning off WIFI and using your cellular provider that you are then secure. There is absolutely no reason to assume that a cellular provider is securing your data for you. In 3G and 4G networks today, your data is only encrypted between your device and the cell tower. Once the cell tower has it, it is sent over whatever backhaul the operator could most cost effectively use to get it to their network. This could be fiber or it could be microwave. I have seen plenty of operators deploy microwave equipment without enabling encryption....meaning with the right equipment anyone can intercept the cell tower backhaul traffic and capture data.

Any site worth doing business with these days will protect their site with HTTPS (TLS/SSL) which is basically encryption for your application. When you log into your bank, or broker or whatever, the FIRST thing that happens is an encrypted connection gets set up between your phone and the service you are contacting. This occurs whether you are on an open WIFI access point at McDonalds, or over a cellular carrier. This makes it virtually impossible for anyone intercepting the traffic anywhere along its path to be able to see your data or recover your password.

On a browser you know this is working when there is a 'lock' icon in the URL of the web page you are visiting. With Apps, you really have no way of knowing it...but as I said, use a reputable service and they will enable security as I described.

Conclusion: It is very likely that using a financial service on an Open WIFI access point did not disclose any personal data to anyone at the location you were at, or over the Internet.
 
Presuming your broker's website or your apps use HTTPS is about as safe as presuming that one night stand wore a condom.

Sorry for the graphic metaphor, but public wifi is perhaps best avoided unless you're wearing a condom - er, I mean, using VPN.

The apps on our smartphones are constantly sending/receiving a whole bunch of data in the background, on whatever network we provide. Not sure which apps use HTTPS? Unless I see the app's verified SSL certificate, neither am I.

A cafe filled with 5 or more wired peeps is like taking candy from a baby. It is really, really easy to steal unencrypted data. Previous to 2014, I thought this task was strictly for the uber-genius crypto nerds, until I checked out two free tools: Wireshark and Firesheep. Pick-pocketing for the layperson. I'm sold. When I'm public, it's VPN for me. :)
 
...accessed my broker through its iPhone app...
I'd bet 100 to 1 that the connection from the app to the broker back-end is appropriately encrypted. That means you have so very little to worry about, that you shouldn't worry :)

Given the above, there is zero chance of a man in the middle attack working; either you get or don't get a connection to the broker's service.*

If the app had a vulnerability, that would be your only worry. But once the first customer got hit while using the app, it would become apparent to the broker, and the service would be shut-down. So the hacker would get a tiny timeframe to steal money or wreak havoc. Totally not worth the time to do the hack. In other words, one broker's app is not a juicy target.

The bigger problem with wireless hotspots is the rather idiotic method that some web sites manage authentication....they only use TLS protocol during login, and thereafter go unencrypted and simply rely on a token that's in the clear (cookie). That's often why you get spam from people you have emailed in the past...a bad guy sniffs the token while your friend is at the airport, the bad guy enters the web email account using the sniffed cookie (concurrent, but unbeknownst to your friend), and spams everyone in the address book.

*Wireless hotspots where you do not need to enter a password are "sniffable", but current encryption is not crackable, even if a third party sees every byte between the two endpoints that are negotiating the encryption.
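
The login-only-TLS problem described in the post above comes down to how the session cookie is issued. As an added example (not part of the original post), this Python sketch audits response headers for the settings that keep a session token off cleartext connections; the host name `mail.example` and all header values are constructed.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return findings for one HTTP response given as (header, value) pairs."""
    findings = []
    scheme = urlsplit(url).scheme
    header_names = {h.lower() for h, _ in headers}
    # Without HSTS the client may still issue plain http:// requests later.
    if scheme == "https" and "strict-transport-security" not in header_names:
        findings.append("no HSTS: later requests may fall back to http://")
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if scheme != "https":
            findings.append(f"{cookie}: set over cleartext HTTP")
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure, sent on http:// requests too")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = ("https://mail.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=PLACEHOLDER; Path=/"),
])
HARDENED = ("https://mail.example/login", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for url, headers in (WEAK, HARDENED):
        print(url, audit_response(url, headers) or "ok")
```
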
 
I'd bet 100 to 1 that the connection from the app to the broker back-end is appropriately encrypted. That means you have so very little to worry about, that you shouldn't worry :)

Given the above, there is zero chance of a man in the middle attack working; either you get or don't get a connection to the broker's service.*
.......snip....

+1

Brokers have to provide evidence data are encrypted for formal audits.

Given we're just asking a web server something it already does (HTTPS), I'd be more worried about crossing the street.
 
