Wireless Network Security Inadvisable I know but........

Showing my ignorance of how public wireless hotspots work, I have the following scenario:-

Using an unsecured public wireless hotspot, I need to book a flight online using a
Credit Card. Foolish, maybe, but I really have little choice.

I have the choice of using either a USB stick with Ubuntu or, Windows 7 with a Sandboxie
Browser configured to only allow the browser to run in it.

Question :- Is this completely insane, or is there at least some measure of security with
either method. Would this in any way protect me from the "wireless aspect" of an unsecured
network.

I really wouldn't normally be asking to do this if I could think of another way.

Any constructive help appreciated.

Ken

 

Try this: Hotspot Shield

 

Sorry, forgot to mention that I could run these option in a vpn (free vpn)but no idea if that would help.

 

Hi kennyboy

I've thought about this a little and decided, rightly or wrongly, that for quick internet access outside my home network, mobile broadband is the way to go, as it's more secure (who knows what's happening at the server end of apps like Hotspotshield, CyberGhost etc. ?)

Perhaps someone will put me straight on that if I'm wrong...

philby

 

Seems Free VPN no longer works on the Free Servers.

 

I don't see why you'd need any security. Nealy all websites will use SSL (https) for credit card transactions.

 

Maybe, but what I am asking is what does that mean regarding the wireless aspect of the connection. In other words, what information is an intruder to the open wireless network able to gather from my transmission to the ISP.

Ken

 

Unencrypted wireless traffic can be sniffed by someone with the right software in proximity. Attaching to an open access point could also make you vulnerable to a man-in-the-middle attack (for example someone running software that acts as an access point that intercepts your connection). You should be secure using SSL using a trusted certificate.

 

My thoughts, too.

 

.
A VPN would make all the difference. The main problem with open wi-fi is having your transmissions intercepted. A VPN encrypts the traffic across the wireless link. Currently I have a VPN subscription with witopia. It only costs $5.00 a month which is pretty cheap insurance. I would never enter a credit card without it.

 

I do lots of wireless transactions like that over lots of unknown and public networks. If you use a browser, you already have a built in capability using https, which encrypts your traffic between your browser and the transaction server using level 3 SSL certification. And validates the certificates if you read the responses. If you have something like WPA, that can encrypt the traffic again between your computer and the router for the network, but since the transaction is already encrypted, so what? From your router to the transaction server it works the same. And a VPN can further encrypt it between your computer and the VPN server, at which time it goes to the transaction server without further encryption beyond that your browser did. So unless you are worried about accepting a bum certificate, you might as well get used to just using https (SSL) between your browser and the transaction server. Look for a little padlock with a 3 in it in browsers like Opera. The rest of this stuff is mostly to keep plaintext traffic from being intercepted and compromised.

 

Very helpful information,and exactly what I was looking for.

Many thanks to you.

Ken

 

Kennyboy -

See if your credit card provider will give you "disposable" credit card numbers at their website. Citibank does.

This is what I do when I travel...

1) Create a couple of disposable #s

2) If I want to do a credit card transaction from an unsecured location, I use one of these numbers.

3) As soon as I can confirm the merchant has processed the transaction, I go back to my citibank website and close out the number so it can't be used again. Even if I forget to close out the number, it is only valid for one month.

By the way, this approach is also handy with an unknown merchant who I fear might try to post additional charges to my account - works like a charm.

 

Hi LenC

Never heard of that, but will certainly ask my CC provider if they offer such a service.
Many thanks for your input.

Ken

 

Use a VPN

Sites that would use SSL would be safe but I would go one step further and use the VPN just to make sure. Otherwise, you'd have to be really careful and make SURE the site you're on is actually using SSL. Traffic can be redirected by sniffers to a non-SSL page even though you entered the address to an SSL page in your browser.

 

.
It has been demonstrated that even SSL can be attacked:

http://www.scmagazineus.com/web-browser-flaw-enables-attacks-against-ev-ssl/article/140375/

I don't know if this specific example is still relevant, but the point is you can't assume anything is perfect. Using a VPN over open WiFi is cheap insurance.

 

.
Regarding online banking my bank offers the option to enable transaction notification via email. I get emails for all activity including credit card transactions on the same day. That way I find out very quickly if there is any unauthorized activity instead of trying to figure it out at the end of the month.

 

A little Google will let you go read about VPN attacks also, There are some interesting (although rather obscure) SSL attacks that ordinarily require you to do something unusual to succeed. But SSL is the cornerstone of internet commerce, so potential problems get a lot of immediate attention. And if you keep your Windows Update and Browser up to date, these are the kind of things that get fixed pretty rapidly. Not paying attention (Phishing, bad certs, site redirection, ...) is probably the biggest online problem. And adding a VPN usually doesn't hurt, although my experience is that they do degrade speed and stability a bit. I don't use one because I don't feel the need, but also I am often on low SNR links, and they can greatly degrade connectivity in those situations.
The single use CC# is offered several places, but needs to be invalidated very quickly-30 days is much too long; these things are usually used immediately. Interesting in that major problems still come from dishonest employees who steal credit card numbers at reputable companies. Only time I was hit in some years was a dishonest FedEx employee who gave my Amex CC# to some friends to buy CDs and such. I lost nothing, but took a while to straighten it out. If you can get around the online issues, PayPal can also help here.

 

If I request a disposable # now, it will have an expiration of 5/31/2011. However, I can cancel the # whenever I want, and I do cancel it as soon as my transaction has been processed.

Websites like Amazon and Newegg probably have 50 or more of my old credit card #s in their system; they would all be invalid if their system was hacked and someone tried to use them.

 

Sounds like a good way to do it. Of course, you are relying on SSL to get the information transferred without compromise. But I would also.

 

All very interesting and useful info guys which has given me a lot to work on.

Many thanks.

Ken

 

As I see it, there are no 100% foolproof methods. I think the risks are far greater when you give your credit card to a waiter in a restaurant or a sales clerk. There is a very efficient network of thieves out there. Last year, I dropped two credit cards out of my wallet in a department store. I realized what had happened two hours later. In that timeframe, $4,000 was charged on the card.