VPN vs Online Banking

Discussion in 'privacy technology' started by TomAZ, Jan 3, 2015.

  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    I know very little about VPNs, but just wondering if using one messes up your "identity" to the point that it makes logging in to online banking, etc. very difficult (if not impossible)?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Yes, that may be so.

    And so you don't use the VPN service (or Tor or JonDonym) for online banking, etc.

    Or if you're using a VPN for wifi hotspot security, you use a particular one, with a nearby exit IP address. If you want some degree of anonymity for other activity, you use a different VPN.
     
  3. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I once locked myself out of my bank account by setting it up too secure (I used a password gen to generate the security question answers, and then forgot what the questions were that they went to :argh: )

    If I myself cannot get into it, godspeed to whoever else.
     
  4. Impet

    Impet Registered Member

    Joined:
    May 5, 2013
    Posts:
    894
    But the VPN should be unable to get login data and password if I'm using a https connection!? o_O
     
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Right, but this isn't about that. The bank's site will lock the account because it'll view the VPN connection as suspicious.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Well, banks get nervous when your IP changes. But if you consistently use a VPN with a nearby exit IP, and explain that you're using the VPN for better security, they'll probably get used to it
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    There isn't a whole lot of point of connecting to your bank via VPN anyway, indeed the opposite. It would normally be in your interest for your bank to reject connection attempts from arbitrary/anonymous locations.

    If the point of the question is banking security, then being sure about your client, your credentials, and confirming certificates and addresses is the focus.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Agreed; the one exception I can think of is if you connect over open wifi. A vpn is essential in that circumstance for financial transactions IMHO. Banks are offering apps for smartphones now. How many people know the risk of using their phones on unsecured wireless?
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Right, there's no security using public wifi.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    If you are going to bank from a smartphone (not from inside your secured home network) then use multiple factor authentication. I enabled it when I started using my smartphone. First - obviously I need user and password, Second - my password only gets entered when the bank's site accurately displays my secret picture (site key), which pops up after I enter my username. This helps to make certain I am not on a MITM bank hijack. Third - my bank sends a text to my cell with a 6-8 digit secret code that is good only ONCE. Without that code I cannot log in - ever!! This process is repeated any time that I log in.

    Of course it is my responsibility to secure my smartphone, but this method prohibits a hijack of my account with virtual certainty!!

    Finally, and something all might consider: many are super paranoid about running over their data limits on their accounts. I have a few Gig before I start paying. Point being; it might be smart to disconnect from the public wifi and use your provider's connection/data (yes a small amount of data gets used) during banking activities. Generally speaking it is safer than a wifi hotspot unless you are vpn'd.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    The problem with using Two Factor Authentication (TFA) on a smartphone is you need another device to provide a one time code. That way if the phone is stolen the second device is not available to the thief to validate the login. Receiving a code via SMS or Google Authenticator, etc, on the phone is pointless if the phone has been stolen. You can use a Yubikey to validate LastPass login on a smartphone. I don't know if any bank sites support it though. I use BofA and at the moment they only offer TFA via SMS.
     
    Last edited: Jan 4, 2015
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Seems weird to quote myself. LOL!!

    Since I totally log out each time the perp would still need to know my user and password. I employ an exclusive banking email address on my account, and it is NOWHERE on the smartphone and never is used on THAT smartphone. My smartphone is secured with a pretty long password. I purposely NEVER connect to the needed banking email address while using THIS smartphone. Account reset emails would be sent to an address unknown to the perp and especially to THIS smartphone. I feel this really helps with the concerns you expressed, and I agree to a point.

    Independent of gaining physical control of my smartphone, which would be shut off in minutes if not seconds, I am virtually certain no person could ever log into my banking profile with the steps as indicated in my post above. I really can't see how a bad guy could access my banking even if I handed him my phone and said go for it! Obviously, that would never happen. I keep emergency shut off info handy and by contacting my provider it all goes dead in seconds.
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Well, you have many precautions in place :thumb: but I'm not sure how they protect against a MITM attack if you were using open wifi without VPN enabled. It wasn't clear, but perhaps you simply don't use your banking app on open wifi? ( I certainly don't).
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    My take is that there are many problems with using a smartphone as part of a 2FA setup. It's complex (easier to attack), big, fragile, has batteries, and is a tempting target for thieves. The schemes for 2FA authentication to the smartphone logon are not at all credible, particularly the biometric ones. I'd be interested in nfc authentication to a Yubikey HMAC or OTP, but the current android schemes are nfc only.

    While I use and like Lastpass with 2FA, I do not use it for banking passwords.

    If Paypal and Visa implemented U2F, there would be something interesting and potentially worthwhile.
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Universal 2 Factor? How would that work?
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Fido U2F has a number of models which can include a cheap U2F key (interfacing to Chrome), plus say a pin for 2F authentication. It's resistant to MITM amongst other things, and currently works on Google accounts. Since Paypal and Visa are on the Fido consortium, you can imagine they might be interested in supporting it for real. It would represent a sea-change in 2FA if they did so.
     
  17. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    In post #10 on this thread I stated that I drop off any wifi hotspot and use the data connection of my cell provider --- IF I connect to my bank while outside of my secured home network. I try to do my extended banking at home and usually on a regular computer, but at times a need arises while I am mobile. Truth be known I am almost always on my provider's connection anyway because I get more data than I ever use. I am boring and hang out at the same 5 spots where I am granted full access to secure networks at those locations. In exchange I keep them running will little tweaks for folks.

    Victek,

    Regarding a MITM; they would not be able to send me the needed site key (special picture I designated). After I enter my username I wait until the needed site key is sent to my phone. No site key, then NO password is entered. Only my bank knows and would possess my site key.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Thanks for clarifying. It sounds like you're good to go.
     
  19. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    174
    Location:
    io
    It is true using a VPN you do sometimes run the risk of triggering off the websites security department.

    Ebay, Paypal many banking websites or even ones that deal with money transfers can throw fits.

    If you explain the situation they usually just switch it off or sometimes its fine and they just get use to it, bit of trial and error really but imo with ip and dns leaks I prefer to sit behind a vpn 100% of the time.
     
Loading...