Are PPTP or L2TP Adequate??

I have started using a VPN for financial transactions. I don't do anything illegal I just want to keep my financial dealings secure. I am sure that OpenVPN is more secure than PPTP or L2TP but a couple of the less expensive VPN plans don't offer OpenVPN. I am thinking that PPTP (encrypted) or L2TP should be more than enough to protect me.

If crooks want to try and steal financial information I expect they just focus on HTTPS and not take the extra effort to deal with PPTP or L2TP and HTTPS.

Also, I have never read of anyone having their financial accounts compromised through this method. Am I wrong? Aren't PPTP (encrypted) or L2TP enough?

 

Any financial transaction that uses HTTPS would be secure even on a non-VPN'd connection. You will probably be protected by that method even if you choose PPTP. PPTP is busted though, so I'd use L2TP if those are you're only choices.

PD

 

PaulyDefran, Thank your for the information. I figured as much.
Based on other threads I have read I thought I would have gotten a variety of recommendations, but maybe its early in the week. Thanks again.

 

I don't think any self respecting security/privacy hobbyist would tell you PPTP is ok...for anything. But you have the final say.

https://www.schneier.com/pptp-faq.html

https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol

PD

 

A bit tangential and obvious, but I think it is good to check one's entry mechanism (bookmarks, URLs in password manager, etc) to make sure they only enter financial sites via HTTPS and also exam the network traffic when interacting with them to make sure they have all content and cookies being passed via HTTPS. Implementing your own rules to assure this is probably wise as well. While you are examining things, you could identify and block the third-party analytics and/or advertising requests (which have become disturbingly common within account pages of financial websites).

 

When security is a priority, and encryption is not agreed by both parties, L2TP is a better option. That being said in this scenario an encrypted VPN session is only protecting your packets over your LAN and from your ISP. If I were a crook targeting a user I would focus on:

1.) The financial website/database itself
2.) The user (Spear phishing, social engineering)
3) The user's machine (Malware, Trojans)

I do not know of any serious financial institution that does not do some form of encrypted session for their users, thus attacking via MITM or sniffing attacks is slim to none for an average joe.

Honestly I would say the VPN is not needed for financial transactions if you trust your LAN. I would instead focus on your local security and make sure you use a trusted browser and safe computing device to access the information.