Internet banking via 3G / VPN Connection.

NachT

NachT

NachT

Associate
Joined
20 May 2006
Posts
1,068
I'm not sure if this should be in here or the Software place... but here's my question!

Recently I've started traveling a bit, and like to check my bank accounts online. How safe/what are the risks involved in accessing your bank accounts using a 3G connection?

I could pay for the hotels WiFi, but I trust that less than my on 3G connection.

I understand if connected to the hotels network, another user on the network could be 'sniffing packets' going to/from my laptop, and therefore could intercept the information. Can this also happen on a 3G connection?

I also have access to a VPN connection, which is encrypted (VyperVPN). Would it be safer/what are the risks involved in establishing a 3G connection, then using the VPN connection. I understand this would encrypt all the data going to/from my laptop, but then again... there are other users 'on' this VPN, meaning... they could potentially access my system/intercept the data going to/from my laptop? My understanding is a VPN is just like a local home network, on a larger scale? meaning this would be unsafe for accessing your bank accounts as anyone could be on this 'network' with you?

Any information on this would be much appreciated, I searched google a bit and couldn't find anything that explain what I would like to know. Any weblinks/documents relating to this would also be appreciated :p


Thanks guys!
 
Generally speaking providing the banks website is using appropriate encryption then all a sniffer will be able to pick up is the encrypted packets.

I would say there is not a whole lot to worry about.

The type of VPN connection you described is really only good for hiding your location/identity for things like illegal downloads.
 
Ah, that's kool then.

I'll not bother using the VPN. The bank's site does use encryption.

What about stuff like logging into email accounts etc over 3G, is this kind of thing easy to pick up by sniffers etc? This is assuming the login of the email account is not encrypted.
 
If the page is not encrypted for anythign where you have to enter a password I'd be worried.

Basically if your wifi connection is encrypted that just secures the connection between your laptop and your wireless access point. If the webpage is encrypted that secures it end to end between your laptop and the webserver you are connecting to. Even on an unsecure network (where packets are easily visible) all they will pick up is encrypted traffic (assuming your bank or email provider is using a decent encryption method) then there's nothing too worry about.

Id be quite concerned though if there is an email provider who is not encrypting their logon pages.
 
J.B said:
Id be quite concerned though if there is an email provider who is not encrypting their logon pages.
Click to expand...

It's still rediculously common - and most people still use open POP3 and SMTP at home...the results of mirroring an ingress port on our core boxes and doing 'ngrep PASS' is somewhere between amusing and terrifying...


T 1.2.3.4:12136 -> 5.6.7.8:110 [AP]
PASS qwerty4321..

Oh come on!
 
Quite, when I was at university they had a rather shockingly old webmail system. There was a HTTPS version available but by default the link on the intranet just took you the HTTP site. Of course in the library there was WiFi network for all to use...

Needless to say it didnt take very long with a Linux laptop and an Orinoco NIC to capture quite a few UNs and PWs!

This wasnt even the main part of my dissertation, just a proof of concept type experiment but my tutor suggested I forwarded my results to the IT manager, well I got an email back saying that it was against the terms of use to maliciously use the network to compromise peoples privacy (or words to that effect). Useless people!
 
I would still use the VPN personally while travelling even if the page does use SSL as you can never be entirely sure the bank, etc. is handling all data securely and so on.
 
Rroff said:
I would still use the VPN personally while travelling even if the page does use SSL as you can never be entirely sure the bank, etc. is handling all data securely and so on.
Click to expand...


That makes no sense at all. If you are unsure that the bank is handling the data securely then VPN-ing from you machine to your VPN endpoint will do diddly to help with that!
 
Thanks for the info guys.

I'm also using POP3 for my email at home, just as it's been mentioned.. I do use the encryption method on it however.

I prefer POP3 over IMAP simply because of the organization benefits I get. I like to keep a separate copy of email in my .PST files on my hard drive, incase my email account ever got hacked or anything. Also, if I delete anything, or ever want to check an email that was received/sent years ago, can always log into the account online and all the mail will still be there.
 
J.B said:
Technically TLS would be better than SSL but that's better than nothing!
Click to expand...

You probably already know this, but TLS is essentially used in place of SSL these days. e.g it's ok to use the terms SSL & TLS interchangeably. I doubt many people are still using SSLv2/3 for HTTPS connections anyway, unless they are using a stoneage style ancient browsers or OS :p.

On a modern browser and half decent server the HTTPS handshake will automatically use TLS (pretty much the case since 2006ish I think).
 
Westyfield2 said:
On my home computers and iPhone and iPad I've got them email accounts setup as IMAP & SMTP, with SSL enabled. As I've got SSL enabled is that's fine right?
Click to expand...

Yes, it's still not that secure against a man in the middle attack but that's an actively malicious thing to do and hence far less likely...there's so many people using cleartext pop3 still that as long as you're even slightly more secure hackers are likely to leave you alone...
 
tntcoder said:
You probably already know this, but TLS is essentially used in place of SSL these days. e.g it's ok to use the terms SSL & TLS interchangeably. I doubt many people are still using SSLv2/3 for HTTPS connections anyway, unless they are using a stoneage style ancient browsers or OS :p.

On a modern browser and half decent server the HTTPS handshake will automatically use TLS (pretty much the case since 2006ish I think).
Click to expand...

I have a feeling that outlook allows you to specify SSL or TLS, I might be wrong though, just a vague memory of something like that.

But yes, I was just being pedantic really.

Just to talk about what Rroff said, unless you have a VPN connection straight to your banks system I dont think it would really make a massive difference, unless you are refering to people in the next hotel room sniffing the WiFi traffic?
 
J.B said:
Just to talk about what Rroff said, unless you have a VPN connection straight to your banks system I dont think it would really make a massive difference, unless you are refering to people in the next hotel room sniffing the WiFi traffic?
Click to expand...

Yer exactly, I agree. I see no advantage to using a VPN on top of SSL, because it still has to travel from the VPN endpoint to the bank :confused: (and SSLs crypto is already perfectly adequate). Even for wifi sniffing people, SSL is perfectly fine to stop them in their tracks (unless you're a noob who would accept invalid SSL certificates, but if you're going to use a VPN you are probably aware of such attacks).

I'm not too sure how safe 3G is while it's in the air, at bare minimum it would require some very expensive intercept equipment, but the obvious target is from where 3G is routed from the base station across the internet where the banks SSL has your back anyway.
 
Last edited:
Sure it won't make a massive difference but if your out in some slightly dodgy part of the world, it would be better - assuming the VPN end point is somewhere with fairly decent ISP regulation/laws.
 
You must log in or register to reply here.
Back
Top Bottom