VPN and online banking

JSmith321

cerebus said:

JSmith321 said:

Does online banking allow VPN if VPN uses a different IP addresses each time, especially from abroad. Would the banks not regard this as suspicious and block sign on attempts? 

Have you by any chance asked the bank in question?

I.e. getting the answer from the horses mouth , rather than asking a bunch of random strangers on a random tech forum especially when all banks are different and you have failed to tell us the bank in question 

Most banks outsource their IT so don't know what goes on under the covers in my experience 

PRAISETHESUN

Works fine in my experience, just be careful if there's a mismatch between your VPN location and your physical location.

Had to call my bank once through my app, and forgot my VPN was set to a location the other side of the world. Made for an awkward conversation when they asked where I was calling from and it didn't match what they were seeing on their end.

onomatopoeia99

steviebuk said:

onomatopoeia99 said:

On-the-coast said:

400ixl said:

Never had an issue with any of my banking apps or online apps with using a VPN to access, at home or abroad.

Me neither. 

It’s much safer doing banking from within a VPN

Why is it safer?  Do you understand transport layer security?

But if you're on a "free wifi" you have no idea if they are attempting SSL packet inspection. Most people randomly click yes to stuff so if they push their cert to you for their DPI-SSL, they can now sniff all your TLS traffic. Pretty sure they can't when on a VPN. 

You mean a self-signed certificate for hbsc.com that any browser will warn you about being a security risk in a very prominent way and the default option on the dialog it displays will be  to "Go back to safety", so to get to the site served by the incorrect certificate you have to select "Advanced" and "Proceed Anyway"?

I'm not sure anyone asking about a VPN will proceed to a site with a certificate problem through multiple security warning dialogs, so I'm still struggling to see the "improved safety".

Vitor

VPN's are IMHO oversold as protection that's required by Joe User. Using a café Wi-Fi that controlled by a hacker, there's a possible risk of DNS manipulation to your browser's request for the IP address of bank.co.uk.

The IP address of hacker's facsimile of the bank site is returned and it captures your login password; however 2FA should defeat hackers using that password.

If you want to defend against DNS manipulation by encrypting the requests, setting up DNS over HTTPS to Google, Cloudflare, Quad9 and other big DNS services is long term less hassle than a VPN and is free.

facade

onomatopoeia99 said:

steviebuk said:

onomatopoeia99 said:

On-the-coast said:

400ixl said:

Never had an issue with any of my banking apps or online apps with using a VPN to access, at home or abroad.

Me neither. 

It’s much safer doing banking from within a VPN

Why is it safer?  Do you understand transport layer security?

But if you're on a "free wifi" you have no idea if they are attempting SSL packet inspection. Most people randomly click yes to stuff so if they push their cert to you for their DPI-SSL, they can now sniff all your TLS traffic. Pretty sure they can't when on a VPN. 

You mean a self-signed certificate for hbsc.com that any browser will warn you about being a security risk in a very prominent way and the default option on the dialog it displays will be  to "Go back to safety", so to get to the site served by the incorrect certificate you have to select "Advanced" and "Proceed Anyway"?

I'm not sure anyone asking about a VPN will proceed to a site with a certificate problem through multiple security warning dialogs, so I'm still struggling to see the "improved safety".

That is very recent, it appeared for me at the weekend.

Crikey I was sweating when I clicked on "go on then, I'll risk it, what have I got to lose- except my digital identity and all my money?" but I desperately wanted to get into banking to check if I had sent a BACS to the right account- and even after that stress you can't check a BACS anyway, it only says the name you made up yourself for the payee not the account number, the same as the app on the phone.

I thought it can't be too bad as I have to type a OTP each time to get in.

Bad show HSBC.

You can't do anything on the app without multiple pop-ups warning about phishing, crypto scams etc, and above all TRUST NO-ONE, and then they pull a trick like that

bob2302

Vitor said:

VPN's are IMHO oversold as protection that's required by Joe User. Using a café Wi-Fi that controlled by a hacker, there's a possible risk of DNS manipulation to your browser's request for the IP address of bank.co.uk.

The IP address of hacker's facsimile of the bank site is returned and it captures your login password; however 2FA should defeat hackers using that password.

If you want to defend against DNS manipulation by encrypting the requests, setting up DNS over HTTPS to Google, Cloudflare, Quad9 and other big DNS services is long term less hassle than a VPN and is free.

Even if you don't do that, your browser will warn you about the bogus site's certificate.  

bob2302

onomatopoeia99 said:

steviebuk said:

But if you're on a "free wifi" you have no idea if they are attempting SSL packet inspection. Most people randomly click yes to stuff so if they push their cert to you for their DPI-SSL, they can now sniff all your TLS traffic. Pretty sure they can't when on a VPN. 

You mean a self-signed certificate for hbsc.com that any browser will warn you about being a security risk in a very prominent way and ...

No, it's a reference to a technique used in corporate networks to inspect encrypted traffic by installing extra certificates on managed hardware. The scam would involve the victim downloading a file and installing it in their browser, while ignoring warnings. Anyone gullible enough for this could equally easily be persuaded to install malware anyway. 

There is a more serious point about this, that you shouldn't do anything important on an employer's hardware, because a rogue admin might be eavesdropping.