Does VPN provide security for online financial transaction?

Discussion in 'privacy general' started by rpk2006, Feb 21, 2017.

  1. rpk2006

    rpk2006 Registered Member

    Joined: Jan 29, 2003 | Posts: 114 | Location: Planet Earth
    I want to know whether VPN services (desktop client) provide any security when doing online financial transactions. Can it prevent hacking?
     
  2. Minimalist

    Minimalist Registered Member

    Joined: Jan 6, 2014 | Posts: 14,883 | Location: Slovenia, EU
    They can protect the user from MITM attacks if online banking is conducted through an insecure connection. OTOH, the bank can block access to their services if you try to connect from a "strange" location (VPN server from some other country)...
     
  3. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,832 | Location: UK
    My bigger concern with banking website access is to ensure that my client isn't compromised (which could lead to keystroke-loggers and other such nasties).

    So what I do is to use a pendrive Linux distribution on a small usb stick, which is ONLY used for the purposes of accessing the banking website - nowhere else. I then check the SSL certificate that the bank is giving me. I don't use a VPN, partly because I know that the bank keeps track of my IP (I had a query where someone had attempted access from a different location), so it actually helps that the bank knows I'm coming from my normal IP, and for sure, the bank knows where I live...!
     
  4. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011 | Posts: 2,402
    deBoetie,

    I use a VPN to "reverse engineer" the same IP. Meaning, that by using the same VPN server consistently, I can introduce the exact same IP to my bank no matter where I am in the world when I log in. Sounds strange but it works.
     
  5. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,832 | Location: UK
    That's fine if the bank is good with it - they clearly are - but presumably you're possibly sharing that address with many other people who can be anywhere, and who might not have your best interests at heart?

    I've found in order to use cashpoints and similar when travelling, I need to update the bank on my whereabouts in any case.
     
  6. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011 | Posts: 2,402
    Point made and considered. When I open my laptop from "anywhere in the world" and log into a VPN in Dallas (example only), that IP would be of no value unless someone had the credentials to join that secure server. The entry IP is not the same as the exit IP either, so the originating network connection cannot see the exit IP the bank sees. I select one of the larger commercial servers so I am sharing the IP with a couple of hundred other members. I appreciate your concerns and I feel I am OK. Linux laptop only on this, never would use an Android!
     
  7. Lockdown

    Lockdown Registered Member

    Joined: Oct 28, 2016 | Posts: 772 | Location: Wilders Security
    Any reputable VPN can provide the encryption necessary for adequately safe online financial transactions.
     
  8. Boblvf

    Boblvf Registered Member

    Joined: Aug 10, 2014 | Posts: 141

    Not enough, many VPNs leak to the network; it generates traffic on ports 80, 443, and 1194 for OpenVPN.
    For OpenVPN, you only need port 1194 UDP to the Internet.
    Do you know and can you set your firewall to avoid leaks? ... localhost and port 1194, maybe port 443 TCP, suffice, especially not port 80.
     
    Last edited: Feb 25, 2017
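
The policy stated in the post above (only OpenVPN's UDP 1194 leaves on the physical interface) can be checked against firewall logs. This is an added example, not part of the original thread: it parses constructed netfilter LOG-style lines and lists flows that bypassed the tunnel. The interface names, the server address and the log prefix are assumptions.

```python
import re

# Policy from the post above: outside the tunnel, only OpenVPN on UDP 1194
# to the VPN server is expected. Names and addresses below are assumptions.
VPN_SERVER = "203.0.113.10"            # constructed documentation address
ALLOWED = {("UDP", VPN_SERVER, 1194)}  # (protocol, destination, port)
TUNNEL_IFACES = {"tun0", "lo"}         # traffic here never touches the LAN

# Constructed sample lines in netfilter LOG style (not real captures).
SAMPLE_LOG = """\
kernel: OUT-AUDIT IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=113 TTL=64 PROTO=UDP SPT=40112 DPT=1194
kernel: OUT-AUDIT IN= OUT=tun0 SRC=10.8.0.6 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=51514 DPT=443 SYN
kernel: OUT-AUDIT IN= OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.80 LEN=60 TTL=64 PROTO=TCP SPT=51520 DPT=80 SYN
kernel: OUT-AUDIT IN= OUT=wlan0 SRC=192.168.1.23 DST=192.168.1.1 LEN=71 TTL=64 PROTO=UDP SPT=53311 DPT=53
kernel: OUT-AUDIT IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=51530 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return (iface, proto, dst, dport) for an outbound packet, else None."""
    f = dict(FIELD.findall(line))
    if not f.get("OUT") or "DST" not in f or "PROTO" not in f:
        return None  # not an outbound packet record
    return f["OUT"], f["PROTO"], f["DST"], int(f.get("DPT", 0))


def find_leaks(log_text):
    """List flows that left on a physical interface outside the policy."""
    leaks = []
    for line in log_text.splitlines():
        flow = parse(line)
        if flow is None:
            continue
        iface, proto, dst, dport = flow
        if iface in TUNNEL_IFACES:
            continue  # inside the tunnel or loopback
        if (proto, dst, dport) in ALLOWED:
            continue  # the encrypted OpenVPN transport itself
        leaks.append(flow)
    return leaks


if __name__ == "__main__":
    for iface, proto, dst, dport in find_leaks(SAMPLE_LOG):
        print(f"leak: {proto} {dst}:{dport} via {iface}")
```

On the sample it flags the plain HTTP request, the DNS query to the local router, and the TCP 80 connection to the VPN server address, none of which match the UDP 1194 rule.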
  9. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    Yes, you also need to block leaks.
     
  10. Lockdown

    Lockdown Registered Member

    Joined: Oct 28, 2016 | Posts: 772 | Location: Wilders Security
    From IVPN website regarding leaks, encryption and online financial transactions: https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me

    "1. Protecting Against Hackers on Public WiFi Hotspots

    a. Consider someone who uses public WiFi hotspots. They are concerned that hackers (ranging from other users to network administrators) might intercept their communications, and might steal sensitive information about their credit cards, bank and investment accounts, and so on. That is, they want security and privacy. But they’re not trying to hide their online activity, or to be anonymous.

    b. Any reputable VPN service would suffice for such users."

    Leaks only affect online anonymity...
     
  11. mWave

    mWave Guest

    If you are using a Virtual Private Network then the connection will be encrypted, and usually banking sites will be HTTPS protected meaning that's another layer of encryption between the communication - HTTPS will be more difficult for a formgrabber and for people sniffing the network, but VPN will also provide another layer of encryption prior to this. That is the reason behind VPN usage to unblock websites, since the connections are encrypted it stops the ISP from being able to enforce the blacklists or even see what you are connecting to. ;)

    It will be beneficial.
     
  12. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    @Lockdown -- Well, that's what I was thinking. But I can see how leaks could lead to compromise, if the hotspot is hostile. I think that guide needs to be revised with more attention to leaks. For that line, maybe say: "Any reputable VPN service that prevents leaks would suffice for such users."
     
  13. Lockdown

    Lockdown Registered Member

    Joined: Oct 28, 2016 | Posts: 772 | Location: Wilders Security
    I assumed that you wrote that guide - and it is completely correct.

    Leaks don't result in unencrypted data. Leaks don't result in MitM attacks. A leak isn't going to reveal a user's login\user and password credentials. Leaks reveal tidbits of data that can result in de-anonymization. With an IP address leak, very, very, very few adversaries are going to waste their time on a drawn-out, persistent network attack of average Joe who might have $5,000 in their account, but is much, much more likely to only have $5 in it. They'd be financially more successful getting money out of average Joe with the usual stuff - phishing, watering hole, ransomware, banking trojan, etc.

    I know that anonymity, privacy and security are not mutually exclusive. However, for online transactions what is of foremost importance is the quality of the encryption algorithm and its implementation - AND - server security. Everybody is hot on the VPN bandwagon on the forums, but I have only seen one person bring up the topic of server security. Compromised financial institution server(s) = your goose is cooked - no matter what security and security related softs one is using on their personal system.

    I keep saying it - what people should really worry about is not that their personal system protections will fail them, but instead the absolutely dismal security of all the 2nd, 3rd, 4th,... party servers on which their data resides.
     
  14. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    @Lockdown -- Generally, I agree. And look at the mess that Cloudflare's created :eek:

    But still, I'm going to review that guide, thinking more about leaks.
     
  15. Lockdown

    Lockdown Registered Member

    Joined: Oct 28, 2016 | Posts: 772 | Location: Wilders Security
    I think one just needs a VPN with reliable encryption and secure servers for occasional online financial work - and I am limiting that to using a PC as opposed to a mobile device (more on the mobile devices later). If I, as user, don't need anonymity - and therefore could care less about leaks - but instead I only need reliable MitM prevention - then jumping through hoops to get to a true "anonymous" level is wasted effort.

    As a criminal that wants money - and not data - I could care less about your IP address. I want your login credentials - so I am either going to get credential stealing or recon malware onto your system - or MitM your network traffic.

    Anyway, it is just common sense that one would choose the best performing VPN that they can afford for heavy financial work - or you just want to protect what is yours even if it is a small amount. I use IVPN - not because it has no leaks - but instead because of its good encryption, reliability, and the server security is better than average. I'm paying a real premium of about $40 per year for the reliability - and the firewall feature which makes my system network traffic encrypted 24/7.

    I mean if someone is going to do heavy online financials where there is any kind of risk of loss of thousands of dollars, then a service like IVPN is a "no-brainer." If you have thousands of dollars at risk, then an extra $50 for security is a deal.

    For a simple, occasional login to the bank account - well - they could go with just about any reputable VPN or JonDoNym's 1.5 GB annual package for $14.

    One area where there is a knowledge black-hole\out is mobile VPNs. I think the implementations are poor - and I won't use one. Well, I won't use Android period - so what I have available for Windows Phone is Express, Nord, etc - and their implementations aren't exactly first-rate. Mobile device VPNs suxx !!!
     
  16. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    @Lockdown -- Thanks for your thoughts :) So yes, if your bank uses HTTPS, the risk from leakage is that the WiFi hotspot (or an adversary that pwned it) could MitM the connection. But if leakage doesn't happen very often, the MitM risk is correspondingly low. And yes, it probably only matters if you have lots of money at risk. And if that's the case, you probably won't be managing that through a WiFi hotspot ;) I also don't trust smartphones, and don't know much about using VPNs with them.
     
  17. Boblvf

    Boblvf Registered Member

    Joined: Aug 10, 2014 | Posts: 141
    If you are "protected" by the Chinese or North Korean firewall, do not use VPN without blocking port 80 ... even with encrypted traffic.
     
  18. Lockdown

    Lockdown Registered Member

    Joined: Oct 28, 2016 | Posts: 772 | Location: Wilders Security
    If all it takes is for an adversary to pwn a hotspot to break encrypted traffic, then there is absolutely no use in using a VPN. That's the whole premise of using a VPN in the first place - that if a hotspot is compromised, then the encrypted traffic cannot be decrypted by a MitM attack. Hotspots are almost always poorly configured with direct access.

    In fact, VPN encryption is supposed to protect against a server-side attack where the adversary tries the most common MitM attacks.

    If VPNs can't protect against the common MitM schemes, then I think there is no point in using one.

    There's a multitude of MitM attack types; they're not all the same and I would bet VPNs cannot protect against them all. And of course, if an adversary is inside the server rooting around data then it doesn't really matter what you're using to protect data originating from your system.

    You'd be surprised at how many people with a lot of loot to lose actually use unsecured wifi to manage funds and make investments. Hell, they throw out their statements in the regular trash - all an adversary needs to do for some truly awesome reconnaissance is rummage through rich peoples' trash.
     
    Last edited: Feb 26, 2017
  19. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    Yes, I'm assuming that HTTPS sites are, overall, easier to MitM than VPNs are.
     
  20. Lockdown

    Lockdown Registered Member

    Joined: Oct 28, 2016 | Posts: 772 | Location: Wilders Security
    I assume that every server I connect to is misconfigured in one way or another - on top of being inadequately secured. 1 + 1 = :confused: That's probably not an accurate characterization, but the countless reports of this or that being misconfigured on servers - yada, yada, yada... It just doesn't inspire confidence - if not outright paranoia among some.

    It pretty much sucks out there... but if one wants to accomplish things online then one takes risks - a lot of unknown risks.

    I mean, if I were amazingly rich - then I would use one of the private, "paper-only" banks and investment houses that are cropping-up instead of any digital transactions. They're throw-backs to the days of pencil-and-paper-only for the client. Investments are made by the house - and there is no linkage between the clients' accounts and any digital transactions\business performed by the house on behalf of the client. I suppose those kinds of really rich people send their butler to grab the satchel full of cash...
     
    Last edited: Feb 26, 2017
  21. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,832 | Location: UK
    There is a strong motivation to use VPN (presuming they do what they claim on the tin) which is that of false-positives from mass surveillance and data mining, either by your own government or someone else's. It is clear that LE are doing widespread data mining and profiling based on ridiculously naive "selectors", and if you're unlucky, your baddie-rating will go over some threshold, and this will lead to adverse consequences for you. Since these things may be completely algorithmic (for example, putting you on a no-fly-list), there is no human judgement or incentive to look after your interests, no standing, no redress, then this is to be avoided.

    Of course, use of VPN at all is something of a rating-downgrade, but probably worth it.

    In addition, because the mass-surveillance databases exist and are accessed by many people across different locations and security domains, that means the data will get stolen, and the information makes phishing and other attacks far easier.
     