Say you are at the airport or McDonalds where the wifi is public, is it safe to log in to your bank account or other websites that require credentials (like making a credit card purchase) and you don’t want the data to be exposed? I understand that secure sites have a “lock” icon at the URL bar, but I want to make sure if I see the lock icon, the data transmitted is secure even if using public wifi.
Yes, it’s perfectly safe as long as the bank uses HTTPS which basically every website does.
The only way someone could get your information is if they set up a sophisticated man in the middle attack and you ignore several warnings in your browser about an invalid SSL cert.
I’m in IT and generally more cautious than most when it comes to security due to my background and knowledge, but I have no qualms about using public WiFi for stuff like this. It’s really not a big deal.
Edit: People keep mentioning MITM attacks being possible…and no, they’re not. Want to see a real-life example of SSL preventing a MITM attack? Next time you’re at a Starbucks, airport, hotel, or some other public WiFi with a captive portal where you have to agree to terms or enter some information to connect, don’t. Skip all of that. Now, open your browser and try going to google.com, bankofamerica.com or basically any other website (since they all use SSL). Your browser is going to throw up a warning and you’re going to have to click a few buttons to ignore it and proceed - where you’ll then be redirected to the portal.
Captive portals are no different than MITM attacks. It’s the exact same mechanism a MITM would use. It’s using a “malicious” DNS record to redirect google.com or yourbank.com to the portal. But since they don’t have a signed SSL certificate for that domain, your browser freaks out. And it would freak out if a malicious DNS record was trying to redirect you to a phishing site.
SSL prevents portals, and therefore, MITM attacks from being successful. The only reason captive portals work is because when you connect to a WiFi network, in the background your device tries to access an insecure HTTP endpoint that they control (for Apple devices, it’s Success, Android and Windows have their own) and if it gets redirected, then your device assumes it’s a portal and pops it up so you can log in.
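The background probe described in the comment above, sketched as an added example that is not part of the original thread: a plain-HTTP request whose answer any network can replace, which is how a device notices a captive portal. The function names and the local stand-in servers are constructed for the demo; only the "Success" body comes from the comment.

```python
import http.server
import threading
import urllib.error
import urllib.request

EXPECTED = b"Success"  # assumption: body the probe endpoint serves on an open network

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow 3xx; let it surface as HTTPError

def probe(url, timeout=3):
    """Classify a plain-HTTP connectivity probe as 'open', 'portal' or 'offline'."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096)
    except urllib.error.HTTPError:
        return "portal"   # something answered, but not with the expected page
    except OSError:       # URLError subclasses OSError: refused, timeout, no route
        return "offline"
    return "open" if EXPECTED in body else "portal"

def serve(status, body=b"", location=None):
    """Constructed stand-in for whatever answers the probe on a given network."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):
            pass  # keep the demo quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    servers = {
        "open": serve(200, b"<HTML><BODY>Success</BODY></HTML>"),
        "redirected": serve(302, location="http://portal.invalid/login"),
        "rewritten": serve(200, b"<html>Accept the terms to continue</html>"),
    }
    results = {}
    for name, srv in servers.items():
        results[name] = probe(f"http://127.0.0.1:{srv.server_port}/probe")
        srv.shutdown()
    return results
```

The probe has nothing to authenticate the answer with, so a redirect or a rewritten body is accepted and classified; the same interference on an HTTPS request fails certificate validation instead.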
As long as you are on a website with SSL and the certificate is valid (see: Green Lock), then very little information that leaves your browser and that could potentially be sniffed by a third party on the same network or even the network owner is available to be read. It is safe.
Or, rather, you’re much much much less at risk of getting your credentials stolen like that than, say, social engineering or phishing.
Yes, so long as you see that lock — the lock means all specific data between you and that website is end-to-end encrypted. Even the initial handshake is protected against “man in the middle” attacks.
People can sniff packets to see a device with your specific address (which is randomized on some phones, like iPhones) is talking to say, bankofamerica.com, but they won’t be able to see any plain data.
I don’t know what all these people are doing saying “no”, but for what it’s worth I’m a software developer who has a decent grasp on cybersecurity issues like key exchanges.
/u/T-Poke has a very solid explanation of why you usually shouldn’t worry about using public wifi from an IT perspective. HTTPS protocols are pretty good, but what they don’t protect against are non-technological points of entry. The only reason I’d be nervous about using public wifi isn’t the wifi part of the equation, it’s the fact that you’re in public. I’ve seen people in coffeeshops leave credit cards on tables, with security questions and account information on screen. If I have a camera and I get video of you typing in your password to Bank of America, not only can I replicate that password, but from the screen I’ll have the account information and the “secure picture” that BoA uses for account protection.
Security isn’t just about your hardware and software. A computer will never be secure if the user isn’t also secure.
Online banking at home has most of the same risks as online banking on public wifi. The internet is a giant untrusted network, even if your local network has strong security.
Assume the network you’re using is malicious. Verify you’re connected over SSL, verify the website’s URL is correct, learn about phishing, enable 2SV if it’s available, and always keep your browser and computer up to date with the latest security patches. That will keep you safe at home and at the coffee shop.
Network engineer who specializes in wireless here (and my team deploys and manages many such networks at airports and retail, including McDonald’s):
Yes. Your banking sites should all be using HTTPS (web) or TLS (app), which encrypts your connection end to end, from your device to the server. That’s what the lock icon indicates. If it’s green, it also indicates that the encryption certificates have been verified to be owned by the organization whose website you’re connecting to.
Additionally, if the WiFi requires a “password” to connect, then the WiFi connection itself is also encrypted (if it pops up a login page after you’ve connected, that’s a “captive portal”, and is not related to the WiFi connection itself, only to internet access).
Don’t waste your time with commercial “VPN” services, those don’t really add any security to the process other than costing you money. They do NOT encrypt the connection end to end, they just change where you get onto the internet from. The “VPN” provider can still see all your traffic, but if your banking application uses encryption and 2FA like it should, they can only see that you’re using a connection to a particular IP address, nothing more. And installing a third party VPN app actually increases your MITM risk.
Technically if you’re using https and the security certificate on the site is up to date you shouldn’t have an issue. That being said, I’d feel better using a VPN—especially if the Wi-Fi network is not protected, since you don’t know who could be sniffing traffic on the network.
even if the owner of the wifi was malicious, all they should see is the name of the bank website, and how long you were connected. https is encrypting everything else.
tho if you are still worried, you can use a VPN, but afaik it isn’t necessary
Yes … it’s not the Wi-Fi that’s the (potential) issue.
Mostly just continue to always be vigilant - especially if you’re going to be doing online banking. Certs should always be good, browsers should give you no warnings on a legitimate financial site. Be sure you put the URL in correctly - don’t do typos - follow your existing bookmarks or links, don’t trust links in email that you haven’t verified/vetted, etc., likewise for popups and ads and the like. Basically always be quite sure you’re dealing with the legitimate site. Most any financial institution offering on-line services will also have safety/security information on their site - look through and familiarize yourself with such. They may even have some relevant tips that are specific to their site. E.g. beware of site/URLs that are intended to look the same (and steal your info/funds) but that aren’t the actual financial institution web site (e.g. slight substitution of different characters might look almost identical - that’s why you don’t follow untrustworthy links).
If you are a thief/scammer/in organized crime, it’s so much easier and more efficient to buy a bunch of stolen information from a data breach from the dark web, than it would be to go to a physical location and sniff out individuals’ information one at a time.
Nothing is risk free, but in terms of likelihood of breach, the scenario I mentioned above is significantly more likely to happen than someone stealing your personal banking information from McDonald’s wifi.
You are more likely to surrender your creds from a phishing attack than you are MITM.
What you may find is that there could be spyware on your device, and then you are well and truly fucked. This is usually detectable by Malwarebytes or similar software.
The order of operations for something like that to occur is pretty long, unless you:
Allow your SO access to your device
Get drunk or high a lot around people of questionable morals and decent technical skills
Click links in your emails, before actually verifying who sent it. (Hey, it happens! )
Are prone to telling friends and coworkers your business.
2FA is good. Passphrases are good. Google password manager isn’t the worst. (Lastpass got hacked. But, ofc Google also rules your life…)
If it’s an APT or NSA, you’re already fucked, especially if you move lots of money.
Yes it is as safe as a private network as both “call” the same host network and it’s all end to end encrypted via the bank’s network services. So any exposure to the information would happen on home networks as much as public networks.
If there is a breach it means the bank’s services itself were breached.
Only time you are truly at high risk outside of a monumental failure of your bank’s network security is if you use a public access terminal (computer at a library for example) as there are a multitude of ways to screen share/key log unknowingly to the user.
Not to piggy back on this thread and turn it to a networking topic…mm but good lord this comment section is rife with people who have zero idea how the internet actually works.
They need to teach Networking in school as a mandatory subject because many of y’all
…Are just oblivious.
I know I said it earlier but OP you are fine to do your banking on public wifi…none of these morons saying otherwise know what encryption is and if it fails that’s on the bank as the service provider and doesn’t matter where or how you connect…which is highly unlikely…otherwise we’d have had 40 years of internet bank heists by now. We have…um zero that I can think of.
I’m another avoid. Yes, SSL should be ok. And yes, VPN has its issues too. But it’s not without risk and online banking (and similar) is worth not taking any risk – unless you need to.
Note that I work for a company that has a VERY high level of secops safety because of the data we handle and we are warned against the risk of this all the time.