how is it done? intercepting email and bank details.

NowRetired
Posts: 366 Forumite
in Techie Stuff
I keep reading about emails being read by hackers, bank details being stolen while online via Wi-Fi etc., but how is it done?
How can someone who is in range of my WI-FI router, which is password protected, get my bank details when I sign into my bank even although I use a cable to connect my computer?
How do they even know when I am signing onto my online bank?
How can they intercept my email as I send it?
How do they know I am even writing an email then sending it?
How can they connect to my computer when it is connected to my router by a cable?
Or am I just lucky that I have never had my email or bank account details compromised in the past 17 years that I have had internet access?
Getting forgetful, if you think I've asked this before I probably have. :rotfl:
Comments
-
NowRetired wrote: »I keep reading about emails being read by hackers, bank details being stolen while online via Wi-Fi etc., but how is it done?
It involves convincing you to visit a website which looks like your bank's, but isn't. The SSL mechanism (which shows up as a padlock or a green bar) should protect you against this, but people don't check as carefully as they should. Provided you have a properly secured SSL connection, then attacks involving looking at the traffic on the network won't be effective, even if you're using a completely open wireless facility. There's an endless list of ways to try to convince you to visit a fake version of your bank's website, ranging from phishing emails through to quite exotic (and rather less common than is made out) attacks using rogue wireless networks which re-route access to specific websites to hostile imposters.
Another attack is via somehow infecting your machine with software which sends a record of your keystrokes and possibly even what's on your screen. This is harder to guard against, although security software on Windows doesn't do a bad job, and real-world attacks on OSX and Linux are thin on the ground.
Two-factor authentication makes all these attacks less useful, although not completely useless. If your bank issues you with a device into which you put information about transactions, as well as using it to log in, that is a very strong countermeasure. If your bank calls your mobile for confirmation whenever you set up a new payment recipient, that also prevents most attacks.
If you check your padlock/green bar, use two-factor authentication via your phone or a hardware device for everything you can, avoid using an administrator account, use appropriate security software and take care following links in misspelt pieces of email offering you limitless riches.
-
If it's your own WiFi, and it's properly encrypted, then it's very difficult to intercept. Any on-line banking will be doubly encrypted - once by SSL on your PC and again by the wireless router.
Public WiFi is another matter. It's relatively easy to set up a fake wireless hotspot using a laptop computer. The laptop connects to the real public WiFi, and then re-broadcasts it. If an unwitting user connects to the fake hotspot, then all traffic travels through that on its way to the real hotspot.
If it sticks, force it.
If it breaks, well it wasn't working right anyway.
-
Public WiFi is another matter. It's relatively easy to set up a fake wireless hotspot using a laptop computer. The laptop connects to the real public WiFi, and then re-broadcasts it. If an unwitting user connects to the fake hotspot, then all traffic travels through that on its way to the real hotspot.
Yes, that's right. But so what? The whole point of SSL is that, modulo some exotic attacks which simply aren't relevant here, it's robust in the face of the attacker owning the network. The literature is all in terms of an attacker who can read, synthesise, intercept and modify every message. SSL is robust in face of an extremely strong opponent. If the user doesn't check that SSL is properly negotiated, then a trustworthy local network won't help. If the user does check that SSL is properly negotiated, then a network completely controlled by the attacker won't be a problem.
-
If it's your own WiFi, and it's properly encrypted, then it's very difficult to intercept
Depends.
If it's using older encryption such as WEP, it is trivial to break into, you may as well not even bother.
If it's using modern WPA2 encryption, but also has Wireless Protected Setup enabled, it is trivial to break into thanks to an idiotic design decision in how WPS works.
There are exploits for WPA2 as well, but these are more involved and generally it's easier to drive down the road and attack your neighbour with the unencrypted wireless network that is still named "Netgear".
For bank details, you can send out those "Access to your online account has been suspended, please confirm your identity" emails as there are still plenty of people dumb enough to hand over all their details in response to a completely fake form hosted on a hacked website in China.
-
I know about phishing and such, what I want to know is if I go to a wireless hot spot/internet cafe or even MacDonalds and use my Kindle or laptop to connect to my bank, for instance, how can someone get my log-in details?
Getting forgetful, if you think I've asked this before I probably have. :rotfl:
-
If it's using modern WPA2 encryption, but also has Wireless Protected Setup enabled, it is trivial to break into thanks to an idiotic design decision in how WPS works.
Although that doesn't allow you to read other traffic. WPA2 uses pairwise keys, so although you can break into the network to use the bandwidth (and although automated tools are available, it will still take several hours) you can't read traffic to and from other devices on the network, whether using WPS or some other keying mechanism.
There are exploits for WPA2 as well, but these are more involved and generally it's easier to drive down the road and attack your neighbour with the unencrypted wireless network that is still named "Netgear".
I'm not aware of any generalised attacks, assuming that the PSK is sensibly chosen (a big assumption, of course). They mostly relate to mechanisms which allow someone who is already connected to the network to attack other users of it, usually by ARP spoofing. Correctly used SSL provides a complete defence against this.
-
NowRetired wrote: »I know about phishing and such, what I want to know is if I go to a wireless hot spot/internet cafe or even MacDonalds and use my Kindle or laptop to connect to my bank, for instance, how can someone get my log-in details?
Provided you check that the SSL is correctly set up (and you don't accept a certificate for 11oydstsb or h5bc or something) then they can't. If you were feeling paranoid, you could use the Cert Patrol add-on to Firefox to inform you if the certificate claimed by a site changes. It's important, I think, to worry about risks in rough order of plausibility, and most of the risks of online banking are independent of whose WiFi you're using.
-
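The two checks described in the post above, as an added example that is not part of the original thread or any poster's code: spotting a certificate name that only imitates a trusted one (the post's "11oydstsb" and "h5bc"), and noticing when a site's certificate differs from the one seen before. The hostnames under .example, the byte strings standing in for certificates, the substitution table and the names `classify_host` and `CertWatch` are all assumptions made for the illustration; it is not how Cert Patrol itself is implemented.

```python
import hashlib

# Digits often swapped in for letters in lookalike names; the post's "11oydstsb"
# and "h5bc" use 1->l and 5->s. Illustrative table, not a complete one.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
# Constructed allow-list: the two names from the post under the reserved .example TLD.
TRUSTED = {"lloydstsb.example", "hsbc.example"}


def skeleton(host):
    # Lower-case the name and fold confusable digits onto the letters they imitate.
    return host.lower().rstrip(".").translate(CONFUSABLE)


def classify_host(host, trusted=TRUSTED):
    # Returns 'trusted', 'lookalike of <name>' or 'unknown' for a certificate hostname.
    name = host.lower().rstrip(".")
    if name in trusted:
        return "trusted"
    for real in sorted(trusted):
        if skeleton(name) == skeleton(real):
            return "lookalike of " + real
    return "unknown"


class CertWatch:
    # Remembers the SHA-256 fingerprint of each site's certificate (DER bytes).
    def __init__(self):
        self.seen = {}

    def check(self, host, der_cert):
        fingerprint = hashlib.sha256(der_cert).hexdigest()
        previous = self.seen.get(host)
        if previous is None:
            self.seen[host] = fingerprint
            return "first-seen"
        # A routine renewal also changes the fingerprint, so "changed" is a prompt
        # to look closely, not proof of interception; the stored value is kept.
        return "unchanged" if previous == fingerprint else "changed"


def demo():
    # Constructed inputs: byte strings stand in for real DER-encoded certificates.
    watch = CertWatch()
    return [classify_host("11oydstsb.example"), classify_host("h5bc.example"),
            watch.check("hsbc.example", b"constructed-cert-A"),
            watch.check("hsbc.example", b"constructed-cert-A"),
            watch.check("hsbc.example", b"constructed-cert-B")]
```
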
NowRetired wrote: »I know about phishing and such, what I want to know is if I go to a wireless hot spot/internet cafe or even MacDonalds and use my Kindle or laptop to connect to my bank, for instance, how can someone get my log-in details?
Because wireless is a broadcast system, and there are tools available to capture the packets of data sent on the network to and from your computer (the term for this is 'packet sniffing'). Someone could be sitting in a corner of the cafe literally capturing everything that's sent to/from your computer.
The packets contain your login/password details. If the data isn't encrypted, it's possible to reassemble the data and reconstruct your login credentials.
That's why using a secure encrypted link to your website is very important (any URL starting with https is secure).
-
(any URL starting with https is secure).
An active attacker who controls the network (a reasonable assumption in a cafe) can trivially man-in-the-middle an https: connection. It's the certificate that protects you in that case. https: is necessary for security, but is not sufficient: the key thing is that you have to check that the certificate is correct. If all the user does is check that the URL starts with https: then it is trivial for an active attacker to recover the clear text.
-
NowRetired wrote: »I know about phishing and such, what I want to know is if I go to a wireless hot spot/internet cafe or even MacDonalds and use my Kindle or laptop to connect to my bank, for instance, how can someone get my log-in details?
As securityguy says, they'll perform a "man in the middle" attack by setting up their laptop so that it appears to be the McDonald's wi-fi access point. You connect to the attacker thinking it's McDonalds. The attacker forwards everything you do to the real wi-fi point (so it appears to be working correctly for you). You then type your log in details (or whatever) and, since they're routed through the attacker's laptop first, they can capture them and empty your account.
This discussion has been closed.