We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
The Forum now has a brand new text editor, adding a bunch of handy features to use when creating posts. Read more in our how-to guide
ipad2 Security for internet banking
Dunwunderin
Posts: 163 Forumite
in Techie Stuff
I am going to Tenerife shortly and would like to use the hotel Wifi connection for internet banking with an ipad2.
How secure are such hotel connections for such type of work?
How secure are such hotel connections for such type of work?
0
Comments
-
You'll probably get conflicting advice, but speaking as a professional, using any public wifi puts you at risk and therefore cannot be guaranteed secure.
Obviously ensure the pages you visit are all https rather than http, and enter the domain yourself not from a link via a search.
But there are numerous ways a hacker can compromise wi-fi, but probably the bigger risk is being in a hotel with lots of strangers about watching what you are doing.0 -
Its not worth it if your account gets compromised0
-
On an Apple product using Ios? Eh?0
-
albionrovers wrote: »On an Apple product using Ios? Eh?
Is that a "Apple prodcuts should be/are secure " kind of reply ?0 -
albionrovers wrote: »On an Apple product using Ios? Eh?
Not au-fait with the technology we are discussing? The OS is a largely irrelevant issue in this conversation, we are talking about the security of, and over, wi-fi, you can be on Linux, OS X, iOS, Windows, Android etc it'll still be the same - you data packets still could be intercepted.0 -
If the website is via HTTPS, which would be the norm for banks websites, all data will be encrypted before it is sent over the Wifi. So intercepted packets would be of no use to anyone.0
-
TadleyBaggie wrote: »If the website is via HTTPS, which would be the norm for banks websites, all data will be encrypted before it is sent over the Wifi. So intercepted packets would be of no use to anyone.
The attack that worries me is this:
The attacker controls the access point, and is able to re-route DNS requests to a server they control (which is trivial if, indeed, they control the access point). They are therefore in a position to provide the IP number of their server in response to a request for online.mybank.co.uk. They then need to convince you to accept a hooky certificate, which is not remotely as hard as it should be, especially on older browsers or (ludicrously) mobile browsers. And the certificate may not even be hooky: there are an awful lot of CAs in the root store on Windows, OSX, iOS and Linux, most of whom I wouldn't trust any further than I could throw them. They can then man-in-the-middle the connection to the bank.
But that's assuming you're smart and at least have a bookmark directly referencing the https URL of the bank you use. A lot of people don't do that, and instead Google for the bank. Then it's game over: the attacker provides a fake response from Google pointing to https://on1ine.11oydsbank.co.uk.com/ or something, and uses a certificate they've "legitimately" obtained for that domain: remember, a certificate only proves ownership of the domain, not the search you used to locate it. iOS and Android browsers don't provide means to examine certificates in detail, and anyway 99% of people wouldn't know what they were looking at.
When I'm using a public WiFi and want to use a banking website, I either check the certificate by hand (I have a list of the fingerprints of the banks I use) or I use a VPN with software that contains a copy of their certificate for me to confirm I'm talking to the right endpoint.0 -
A mixed response so far.
I forgot to say I use a banking card reader to input my sign on details.
Does this make it more secure?0 -
TadleyBaggie wrote: »If the website is via HTTPS, which would be the norm for banks websites, all data will be encrypted before it is sent over the Wifi. So intercepted packets would be of no use to anyone.
In most circumstances I grant you https (SSL) should be safe, and obviously only non secure http would be open to sniffers... But SSL can be broken, by an intercept service. Just one quick article if you haven't heard of it before with a neat set of diagrams:
http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-break-ssl-7000016573/
(Noticed securityguy posted a similar scenario with more detail)0 -
Dunwunderin wrote: »A mixed response so far.
I forgot to say I use a banking card reader to input my sign on details.
Does this make it more secure?
Yes. And if you have to use the reader to make payments and the stuff you type into the reader includes something about the recipient and something about the amount, then you're in a very good place. But if it's only used to sign on, and you can set up a new recipient without it, that's very bad.
(To be fair, the latter scenario is now dead. Even Lloyds, who don't use any sort of second factor for sign on, now require you to input a code sent to your phone in order to set up a new recipient. If the attacker can't set up a new recipient, that's most threats gone at a stroke).0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 353.5K Banking & Borrowing
- 254.1K Reduce Debt & Boost Income
- 455K Spending & Discounts
- 246.6K Work, Benefits & Business
- 602.9K Mortgages, Homes & Bills
- 178.1K Life & Family
- 260.6K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards