Not sure if this is the right forum or whether I should have posted in malware? Anyway, I am looking for advice regarding doing online banking, as I am having a discussion with my boyfriend and we cannot agree. I was under the impression that if I use HTTPS my connection is encrypted. Assuming I make sure that I am accessing the site that way (using the correct link) and my laptop is secure (fully updated, not left out of my sight, etc.), then I should be fine to do banking that way, even from a public hotspot. My boyfriend is adamant that this would not be safe, but other than some generic talk about someone sniffing, he can't explain it. Can anyone please tell me what exact threat I am facing if I do banking from a hotspot as opposed to from home?
If your device is not compromised and you are on the right server (check the URL) and the site is using HTTPS, you should be relatively safe on a hotspot too. Also check for the green padlock in your address bar.
Some good points are in this one: https://security.stackexchange.com/...ing-https-websites-on-a-public-hotspot-secure This could be useful too: https://www.eff.org/https-everywhere
To extend the question a bit, security comprises many things - and in public places, that also includes people/cameras spying on your keystrokes & screen. Some banks tend to raise alerts if you're logging in from unusual/different places, and that can be a pain. Personally, I only do online banking from a wired connection at home, using a dedicated USB stick with a pendrive Linux distribution used only for banking, never for general browsing. I also check the URL and certificate. I've memorised the password and do not store it in any password manager. It's a continuing irritation to me that banks have not properly adopted two-factor authentication for login.
See this: https://www.wilderssecurity.com/thr...azilian-bank-for-5-hours.393140/#post-2665396 All HTTPS ensures is that the connection is encrypted; nothing more. Additionally, it is possible that man-in-the-middle (MITM) activity can occur. That can be done locally by malware installing a hidden proxy, or externally. The most secure way to do personal online banking is by using a security solution that has online payment protection. This feature "hardens" the browser against external attacks, provides anti-keylogging protection, and ideally can detect MITM activity. The only solution I know of that can prevent MITM is Eset.
See this AV lab report: https://avlab.pl/sites/default/files/68files/protection_epayment.pdf . Notably: I assume this means local MITM. Although Eset does do activity like that described below when SSL protocol scanning is enabled. Now it does exclude EV cert. web sites from such scanning but may still perform the independent server lookup verification as part of their Online Payment Protection in the secured browser. The only way I know of detecting external MITM activity is by using something like SSLEye, described here: http://www.ghacks.net/2015/08/06/ssl-eye-check-if-you-are-the-victim-of-a-man-in-the-middle-attack/ prior to initiating an online banking session. Note that the only really effective external MITM employs "dual fork" interception, where the original encrypted SSL transaction is held in suspense by one fork and the second fork is used to decrypt and extract banking data such as passwords and account info. To do so requires use of hijacked destination server credentials. Once that data is extracted, the original encrypted SSL transaction is released from suspension and routed to its original destination. Any other method of SSL decryption and re-encryption runs a high likelihood of "busting" the SSL encryption and being detected at the destination server.
Yes, I remember that one. Seems it hasn't been updated since 2014, dunno why. Wonder if this old version is still valid. Also, I don't understand why mods closed each and every thread regarding SSLEye in Wilders.
I can't run it using Eset. It detects the first server used, the one based in Singapore, as a malicious IP address. When I check out the IP address independently, it comes up clean. So my guess is many AVs are also blocking its use. -EDIT- Also, SSLEye is a PRISM "buster", which might be the primary reason.
LOL yeah! I never did follow those threads carefully, so... What's the catch with SSLEye or something?
AFAIK, there are two methods to avoid MITM: encrypted traffic (DNSCrypt and co) or checking the road (SSLEye).
But even encrypted traffic can be MITMed if an attacker somehow manages to trick your browser into using malicious software that acts like an SSL proxy. Like demonstrated by the SSL strip tool https://avicoder.me/2016/02/22/SSLstrip-for-newbies/ "The real beauty of SSL stripping is that your browser won't display any SSL Certificate errors and the victims have no clue that such an attack is going on."

Heck, if using a Windows machine and some antivirus software (like Avast), you are already in all likelihood running a totally transparent, local SSL proxy. Like I demonstrated here some time ago https://www.wilderssecurity.com/threads/what-is-an-ssl-proxy.383649

As for SSLeye, it's a cool idea (an idea most likely sparked by https://www.grc.com/fingerprints.htm ) and simple enough for any programmer to implement: rent a VPS server, set up a simple perl/php/python etc... script that fetches a given https site's SSL cert and shows the SHA fingerprint, then do a simple Qt5 GUI app that fetches the given https site's SSL cert, and finally compare the SSL cert SHA fingerprint against the one shown by your own VPS server for the same https site.
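The fingerprint comparison described in the post above, as an added example that is not SSLEye's code or anyone's in this thread: it fetches the certificate actually presented to this machine and compares its SHA-256 fingerprint against a reference fingerprint obtained out of band (for example from a script on a VPS you control, as suggested above). The host name, port and reference value are command-line arguments you supply.

```python
import hashlib
import socket
import ssl
import sys


def fetch_presented_cert(host, port=443, timeout=10):
    """Return the DER bytes of the leaf certificate presented on this path.
    Verification is deliberately disabled and no application data is sent:
    we only want to see what was presented, including a proxy's substitute
    certificate that the local trust store may already accept."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER certificate, the
    form browsers and the GRC fingerprint page display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept fingerprints with or without colons/spaces, any case."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprints_match(local_fp, reference_fp):
    return normalize(local_fp) == normalize(reference_fp)


def check_host(host, reference_fp, port=443):
    """reference_fp: the same host's fingerprint seen from a different vantage
    point. A mismatch means 'investigate', not proof of interception: large
    sites rotate certificates and CDN nodes may serve different ones."""
    local_fp = fingerprint(fetch_presented_cert(host, port))
    return {"host": host, "presented": local_fp,
            "reference": reference_fp,
            "match": fingerprints_match(local_fp, reference_fp)}


if __name__ == "__main__":
    # usage: python sslcheck.py bank.example.net AA:BB:...  (placeholder values)
    result = check_host(sys.argv[1], sys.argv[2])
    print("presented:", result["presented"])
    print("MATCH" if result["match"] else "MISMATCH - check your path/proxy")
```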
Mitigations for this: Microsoft's EMET allows for certificate pinning but only works with IE11 and possibly Edge. I also believe that Chrome now does independent cert. pinning. Additionally, if you use a security product that does SSL/TLS protocol scanning, it by definition does independent cert. pinning. Most browsers now support HSTS. The problem is many HTTPS web site servers do not, and that includes a number of large banking web sites. So there is nothing you can do about that. Another security option I would add is to block use of "mixed content" if your browser has that option. Mixed content is the display of non-HTTPS site data being generated from the HTTPS web site you are connected to.
To be safe, the best thing to do is use a VPN on insecure hotspots. That way all of your online activity is secure, not just those sites that use HTTPS. Many VPN services are very affordable and easy to use. By the way, some banks offer two-factor authentication (TFA). For instance, when I log in to my bank I'm sent a text message with a code to enter along with my username and password. It's worth that extra effort because it's extremely unlikely that a hacker would have my phone along with my login information. Hope this helps.