
how is it done? intercepting email and bank details.

Comments

  • PHARR
    PHARR Posts: 405 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    A very educational thread for me.
    Better to understand a little than to misunderstand a lot.
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    esuhl wrote: »
    As securityguy says, they'll perform a "man in the middle" attack by setting up their laptop so that it appears to be the McDonald's wi-fi access point. You connect to the attacker thinking it's McDonalds. The attacker forwards everything you do to the real wi-fi point (so it appears to be working correctly for you). You then type your log in details (or whatever) and, since they're routed through the attacker's laptop first, they can capture them and empty your account.

    They can only do this if they can man-in-the-middle the SSL connection. With reasonable precautions, they can't.

    Most banks also require some other security (a phone call or text message to your phone, the use of a handheld device which encodes various stuff) before you can set up a new payment recipient, which rather limits the ability of the attacker to profit.

    So even if the attacker does capture your login details (perhaps by the rather cruder method of filming people using a laptop in public) all they can do is transfer money between your existing accounts and to your existing payees, which is highly unlikely to include them.

    It's become something of a commonplace for people to imply that using public wifi is unfeasibly risky, and that intercepting bank login credentials is a routine attack. I don't believe there's much evidence for either contention. Most attacks on bank credentials are phishing attacks, which work just as well against people at home as in cafes, but even those are not desperately effective against current UK banking security: they're going to hit the problem of the attacker needing to set up a recipient to catch the money.

    On the other hand, frauds involving simple, century-old properties of the PSTN are effective. See here (which caught a relative of mine a few weeks ago). Rather than worry about esoteric attacks on computer banking, people would do well to think more broadly.
  • NowRetired
    NowRetired Posts: 366 Forumite
    So I can quite happily go on holiday next week leaving my money in a high interest bank account and if I see something I fancy and need cash I can transfer my money from my high interest account into the account that lets me withdraw cash from an ATM without any charges?

    And I can do all this from my hotel's free WI-FI on my Kindle and not worry about someone reading my e-mails and stealing my money from my bank account?

    If I can manage to tap in the right place on my Kindle.:eek:

    Perhaps I should take my laptop as well.
    Getting forgetful, if you think I've asked this before I probably have. :rotfl:
  • Lum
    Lum Posts: 6,460 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    edited 17 April 2013 at 12:38AM
    Correctly used SSL provides a complete defence against this.

    The thread says "email and bank details". Most folk still aren't using SSL for their email.

    For bank details the good old phishing scam is still the best option, and it will be so long as people keep falling for it.

    I do occasionally go to those phishing sites and fill in a load of crap just to pollute their database a bit, but you do need to be careful that the site isn't full of malware too.

    Plus if you get onto the network, that's then a platform for other funky stuff. Reconfigure the router to hand out a proxy server IP address for a proxy you control and then you can sniff everything.


    Also, screen grab from a hotel stay I was at many years back, the night before this was taken that network was called "belkin54g".

    wifi.png
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    NowRetired wrote: »
    So I can quite happily go on holiday next week leaving my money in a high interest bank account and if I see something I fancy and need cash I can transfer my money from my high interest account into the account that lets me withdraw cash from an ATM without any charges?

    And I can do all this from my hotel's free WI-FI on my Kindle and not worry about someone reading my e-mails and stealing my money from my bank account?

    Email's a matter of whether your email provider uses SSL. Gmail do, but you should check that you have the options set to enforce only permitting access over SSL. And you should turn on two-factor authentication (that's a universal truth: Google, Ebay/Paypal all support it, and it's strongly recommended).

    Perhaps I should take my laptop as well.

    I've not looked at the security properties of the Kindle (interesting piece of research). I'd be slightly skeptical at how well you can check a certificate. A laptop's a good idea. A laptop using the Google Chrome browser is a very good idea if you're accessing Gmail, because Chrome now support Certificate Pinning (look it up).
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    edited 17 April 2013 at 8:34AM
    Lum wrote: »
    The thread says "email and bank details". Most folk still aren't using SSL for their email.

    Are there still email providers which do not offer whole-session SSL? It's been the default for Google since 2010. Oh, I see, a quick shufty says that Yahoo only started offering it this year and still don't have it as the default: what a surprise that a second-rate offering is second-rate.

    The OP should check that he has the "always use https" or whatever setting is turned on for email, and go elsewhere if they don't offer it. Sorry, I didn't realise that in the three years since Google made it the default there were still major players who hadn't.

    Reconfigure the router to hand out a proxy server IP address for a proxy you control and then you can sniff everything.

    In an SSL connection? How? You'd need to convince the user to either accept a new root certificate, which is how Bluecoat and similar products work, or ignore the increasingly shrill warnings about a bad certificate, or have managed to get a hooky certificate from a corrupt issuer. The first two it sounds like the OP is unlikely to fall for, the last, well, it's an active research topic...
  • patman99
    patman99 Posts: 8,532 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker Photogenic
    If you intend to use a lot of public WiFi hotspots, then it is worth setting up an OpenDNS account. By specifying a DNS on a PC's network settings, the data you send/receive is encrypted by the PC at either end. So even if you use unsecured (no password needed) hotspots such as those used by Sainsburys, Tesco & ASDA in their cafes, your data is still safe from interception.
    It is worth noting that some hotspots, such as the ones in my local pub, require a password & are therefore secure (as long as you obtain the password from the barkeep & not from someone playing on their laptop).
    Never Knowingly Understood.

    Member #1 of £1,000 challenge - £13.74/ £1000 (that's 1.374%)

    3-6 month EF £0/£3600 (that's 0 days worth)

  • Lum
    Lum Posts: 6,460 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    patman99 wrote: »
    If you intend to use a lot of public WiFi hotspots, then it is worth setting-up an OpenDNS account. By specifying a DNS on a PC's network settings, the data you send/receive is encrypted by the PC at either end.

    No it isn't. The only thing that using OpenDNS might protect you against is being redirected to a malicious website, email service etc. by the DNS server on that wireless network.

    Your communications between yourself and that website remain exactly as before, i.e. unencrypted if you use HTTP and encrypted if you use HTTPS.

    Don't get me wrong it's still worth doing, but don't think that just this will protect you.
  • NowRetired
    NowRetired Posts: 366 Forumite
    I would still like to know how someone, one of my neighbours for instance, as there are a few wireless networks around my home, can read my email or see what letter I pick from the drop down menu to access my bank account?

    So basically all those who complain about their email being hacked and their passwords being stolen are simply victims of phishing or downloading some malicious software?

    Because as I stated in my original post

    Am I just lucky that I have never had my email or bank account details compromised in the past 17 years that I have had internet access?
    Getting forgetful, if you think I've asked this before I probably have. :rotfl:
  • andrewjf
    andrewjf Posts: 285 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    NowRetired wrote: »
    I would still like to know how someone, one of my neighbours for instance, as there are a few wireless networks around my home, can read my email or see what letter I pick from the drop down menu to access my bank account?

    I suspect you've been overwhelmed by all the technical jargon in this thread. To put it simply, your neighbours can't do those things if
    1. Your network is password protected
    2. You use secure websites
    Even if your network is unsecured, it's still unlikely your neighbours would be able to do those things because it requires a certain amount of technical knowledge which they probably don't have.

    However it does allow someone to connect to your network and use it without your consent.

    So basically all those who complain about their email being hacked and their passwords being stolen are simply victims of phishing or downloading some malicious software?

    Yes

    Because as I stated in my original post

    Am I just lucky that I have never had my email or bank account details compromised in the past 17 years that I have had internet access?

    No, because you're aware of dangers of phishing and downloading malicious software, and have installed anti-virus software. You're taking active measures to protect yourself.

    You'd be lucky if you did none of these things over 17 years and had no incidents of virus infection, email hacking or computer hijacking.

    So to sum up, you're doing all the right things, are aware of the dangers, so I would say your Internet activities are completely safe, and you can access your email and bank accounts without fear of anyone accessing your personal details.
This discussion has been closed.
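
securityguy's point in the thread, that a proxy on the network can read an SSL session only if the client accepts a certificate it should not, seen from the client side. This is an added example, not code from any poster: the function names are hypothetical, the "certificates" are constructed byte strings, and the pin is taken over the whole certificate, a simplification of the public-key pinning Chrome uses.

```python
import hashlib
import socket
import ssl

def context_weaknesses(ctx):
    """List the settings that would let an intercepting proxy go unnoticed."""
    found = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        found.append("chain not verified: any certificate is accepted")
    if not ctx.check_hostname:
        found.append("hostname not checked: another site's certificate is accepted")
    return found

def fingerprint(der_cert):
    """SHA-256 of the certificate's DER bytes, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert, pins):
    """True only if the presented certificate is one recorded in advance."""
    return fingerprint(der_cert) in pins

def strict_context():
    """Library defaults: chain and hostname are both verified."""
    return ssl.create_default_context()

def lax_context():
    """The code equivalent of clicking through the browser warning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def connect_pinned(host, pins, port=443):
    """Open a TLS connection that fails closed on a bad or unpinned certificate."""
    ctx = strict_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # raises on an untrusted chain
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("certificate verifies but is not the pinned one")
    return tls

# Constructed stand-ins for DER bytes, not real certificates.
REAL_CERT = b"constructed-der-bytes-of-the-real-site"
PROXY_CERT = b"constructed-der-bytes-issued-by-a-proxy"
PINS = {fingerprint(REAL_CERT)}
```

The pin check covers the cases in securityguy's list where the chain still verifies: a root certificate the user was talked into installing, or a certificate from a corrupt issuer.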