Wireless Network Security Inadvisable I know but........

Discussion in 'privacy problems' started by kennyboy, Apr 16, 2010.

Thread Status:
Not open for further replies.
  1. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Showing my ignorance of how public wireless hotspots work, I have the following scenario:-

    Using an unsecured public wireless hotspot, I need to book a flight online using a
    Credit Card. Foolish, maybe, but I really have little choice.

    I have the choice of using either a USB stick with Ubuntu or, Windows 7 with a Sandboxie
    Browser configured to only allow the browser to run in it.

    Question :- Is this completely insane, or is there at least some measure of security with
    either method? Would this in any way protect me from the "wireless aspect" of an unsecured
    network?

    I really wouldn't normally be asking to do this if I could think of another way.

    Any constructive help appreciated.

    Ken
     
  2. CiX

    CiX Registered Member

    Joined:
    Feb 22, 2010
    Posts:
    404
  3. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Sorry, forgot to mention that I could run these options in a VPN (free VPN), but no idea if that would help.
     
  4. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hi kennyboy

    I've thought about this a little and decided, rightly or wrongly, that for quick internet access outside my home network, mobile broadband is the way to go, as it's more secure (who knows what's happening at the server end of apps like Hotspotshield, CyberGhost etc. ?)

    Perhaps someone will put me straight on that if I'm wrong...

    philby
     
  5. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Seems Free VPN no longer works on the Free Servers.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    I don't see why you'd need any security. Nearly all websites will use SSL (https) for credit card transactions.
     
  7. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Maybe, but what I am asking is what does that mean regarding the wireless aspect of the connection. In other words, what information is an intruder to the open wireless network able to gather from my transmission to the ISP.

    Ken
     
  8. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Unencrypted wireless traffic can be sniffed by someone with the right software in proximity. Attaching to an open access point could also make you vulnerable to a man-in-the-middle attack (for example someone running software that acts as an access point that intercepts your connection). You should be secure using SSL using a trusted certificate.
     
  9. wat0114

    wat0114 Guest

    My thoughts, too.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    A VPN would make all the difference. The main problem with open wi-fi is having your transmissions intercepted. A VPN encrypts the traffic across the wireless link. Currently I have a VPN subscription with witopia. It only costs $5.00 a month which is pretty cheap insurance. I would never enter a credit card without it.
     
  11. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    I do lots of wireless transactions like that over lots of unknown and public networks. If you use a browser, you already have a built in capability using https, which encrypts your traffic between your browser and the transaction server using level 3 SSL certification. And validates the certificates if you read the responses. If you have something like WPA, that can encrypt the traffic again between your computer and the router for the network, but since the transaction is already encrypted, so what? From your router to the transaction server it works the same. And a VPN can further encrypt it between your computer and the VPN server, at which time it goes to the transaction server without further encryption beyond that your browser did. So unless you are worried about accepting a bum certificate, you might as well get used to just using https (SSL) between your browser and the transaction server. Look for a little padlock with a 3 in it in browsers like Opera. :) The rest of this stuff is mostly to keep plaintext traffic from being intercepted and compromised.
     
  12. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Very helpful information, and exactly what I was looking for.

    Many thanks to you.

    Ken
     
  13. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    Kennyboy -

    See if your credit card provider will give you "disposable" credit card numbers at their website. Citibank does.

    This is what I do when I travel...

    1) Create a couple of disposable #s

    2) If I want to do a credit card transaction from an unsecured location, I use one of these numbers.

    3) As soon as I can confirm the merchant has processed the transaction, I go back to my citibank website and close out the number so it can't be used again. Even if I forget to close out the number, it is only valid for one month.

    By the way, this approach is also handy with an unknown merchant who I fear might try to post additional charges to my account - works like a charm.
     
  14. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Hi LenC

    Never heard of that, but will certainly ask my CC provider if they offer such a service.
    Many thanks for your input.

    Ken
     
  15. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    Use a VPN

    Sites that would use SSL would be safe but I would go one step further and use the VPN just to make sure. Otherwise, you'd have to be really careful and make SURE the site you're on is actually using SSL. Traffic can be redirected by sniffers to a non-SSL page even though you entered the address to an SSL page in your browser.
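
The check described in the post above (confirming that the page you end up on is still served over HTTPS) can be run over a recorded redirect chain. This is an added example, not part of the original thread; the host `booking.example`, the recorded responses and the function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or 0 if absent or malformed."""
    for directive in header(headers, "strict-transport-security").split(";"):
        key, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if key.lower() == "max-age" and arg.isdigit():
            return int(arg)
    return 0

def audit_chain(start_url, responses):
    """responses: (status, headers) pairs in the order received.
    Returns (final_url, findings); an empty findings list means the chain
    stayed on HTTPS and the final page asked the browser to pin HTTPS."""
    findings, url, final_headers = [], start_url, {}
    for status, headers in responses:
        location = header(headers, "location")
        if status not in REDIRECTS or not location:
            final_headers = headers          # this is the page the user sees
            break
        nxt = urljoin(url, location)         # resolve relative Location values
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme != "https":
            findings.append(f"downgrade: {url} -> {nxt}")
        url = nxt
    if urlsplit(url).scheme != "https":
        findings.append(f"final page not HTTPS: {url}")
    elif hsts_max_age(final_headers) == 0:
        findings.append(f"no HSTS on {url}")
    return url, findings

# Constructed sample chains (not captured traffic).
GOOD = ("https://booking.example/pay",
        [(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})])
DOWNGRADED = ("https://booking.example/pay",
              [(302, {"Location": "http://booking.example/pay"}), (200, {})])
NO_HSTS = ("https://booking.example/pay", [(200, {"Content-Type": "text/html"})])

if __name__ == "__main__":
    for name, chain in [("good", GOOD), ("downgraded", DOWNGRADED), ("no-hsts", NO_HSTS)]:
        print(name, audit_chain(*chain))
```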
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    It has been demonstrated that even SSL can be attacked:

    http://www.scmagazineus.com/web-browser-flaw-enables-attacks-against-ev-ssl/article/140375/

    I don't know if this specific example is still relevant, but the point is you can't assume anything is perfect. Using a VPN over open WiFi is cheap insurance.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    Regarding online banking my bank offers the option to enable transaction notification via email. I get emails for all activity including credit card transactions on the same day. That way I find out very quickly if there is any unauthorized activity instead of trying to figure it out at the end of the month.
     
  18. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    A little Google will let you go read about VPN attacks also, ;) There are some interesting (although rather obscure) SSL attacks that ordinarily require you to do something unusual to succeed. But SSL is the cornerstone of internet commerce, so potential problems get a lot of immediate attention. And if you keep your Windows Update and Browser up to date, these are the kind of things that get fixed pretty rapidly. Not paying attention (Phishing, bad certs, site redirection, ...) is probably the biggest online problem. And adding a VPN usually doesn't hurt, although my experience is that they do degrade speed and stability a bit. I don't use one because I don't feel the need, but also I am often on low SNR links, and they can greatly degrade connectivity in those situations.
    The single use CC# is offered several places, but needs to be invalidated very quickly-30 days is much too long; these things are usually used immediately. Interesting in that major problems still come from dishonest employees who steal credit card numbers at reputable companies. Only time I was hit in some years was a dishonest FedEx employee who gave my Amex CC# to some friends to buy CDs and such. I lost nothing, but took a while to straighten it out. If you can get around the online issues, PayPal can also help here.
     
  19. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    If I request a disposable # now, it will have an expiration of 5/31/2011. However, I can cancel the # whenever I want, and I do cancel it as soon as my transaction has been processed.

    Websites like Amazon and Newegg probably have 50 or more of my old credit card #s in their system; they would all be invalid if their system was hacked and someone tried to use them.
     
  20. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Sounds like a good way to do it. Of course, you are relying on SSL to get the information transferred without compromise. ;) But I would also.
     
  21. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    All very interesting and useful info guys which has given me a lot to work on.

    Many thanks.

    Ken
     
  22. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    As I see it, there are no 100% foolproof methods. I think the risks are far greater when you give your credit card to a waiter in a restaurant or a sales clerk. There is a very efficient network of thieves out there. Last year, I dropped two credit cards out of my wallet in a department store. I realized what had happened two hours later. In that timeframe, $4,000 was charged on the card.
     