11

Is it safe to log into my bank website over a public wifi (like a coffee shop)?

I realize that the connection between the browser and bank servers should be encrypted, however I'm wondering if there are any other "gotchas"?

thel3l
  • 3,384
  • 11
  • 24
Chris Dutrow
  • 211
  • 1
  • 2
  • 5
  • threats over public wifi here http://security.stackexchange.com/questions/34764/is-there-any-security-threat-with-open-wifi-connection – BlueBerry - Vignesh4303 Apr 25 '13 at 13:54
  • It's not safe to even have a web enabled bank account. If your account has more than $50,000 in it, it is only a question of time before it gets hacked, regardless of whether you use public Wifi or not. If you have less than $10,000 in the account, noone will bother hacking it. – Tyler Durden Jun 11 '14 at 00:50
  • 5
    @TylerDurden (citation needed) – Michael Sep 14 '16 at 17:47

3 Answers3

16

If your bank Web site uses HTTPS, and you dutifully check that the server name in the URL is indeed the expected name, and you don't disregard warnings about unverified or expired certificates, then yes, it is safe.

If these conditions are not met, then no, it is not safe -- but it would not be safe from anywhere else either. Public WiFi is not special in that matter.

What may make public WiFi especially unsafe is that public WiFi occurs in public areas. Public areas are full of strangers. When you enter your bank password, you don't want weird people to spy on your keyboard or tablet screen. That kind of physical security is quite harder to achieve in a park or a restaurant, than in the privacy of your home.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 1
    Public WiFi is also often unencrypted which allows other connected devices to read packets in transit. I would consider this a significantly higher risk than using a wired connection at home. (Still a risk, but I would argue a much smaller risk.) – Nathan Osman Jul 06 '15 at 20:05
  • This will be obvious to many, but If you type "wellsfargo.com" instead of "https://wellsfargo.com", you are vulnerable. – Kevin Wheeler Dec 12 '15 at 15:53
  • 4
    Heh, looks like the formatter ate the `https://` there – Juan Carlos Coto Apr 14 '16 at 04:56
  • 2
    What about apps for your phone or tablet that access your bank? Presumably they hard-code things like the top-level URL making them immune to thinks like sslstrip? – Michael Sep 14 '16 at 17:50
  • 1
    @TomLeek but what in case Fake/Spoof DNS, HTTPS will not work in this case AFAIK? – CAMOBAP Sep 19 '16 at 11:42
4

Connecting to your bank over any WiFi that you do not absolutely trust is a mistake (in case you have a lot of money, of course). While in theory checking the URL and warnings does provide a level of assurance that you're not being MITM-ed (traffic is not intercepted), there are tools that work most of the time by utilising, for example, homonymic domain names.

Example: http://www.thoughtcrime.org/software/sslstrip/

There are also tools that will fake any BSSID (wifi station ID) that your wireless device is looking for, and then do their interception.

Example: http://wifipineapple.com/

P.S. In theory, theory and practice are the same. In practice, they are different.

Vitaly Osipov
  • 863
  • 6
  • 14
  • 7
    From what I understand, sslstrip will redirect a user to either an unencrypted page, or a spoofed encrypted page; and sometimes use a favicon to make it LOOK like the "lock icon" is there. If a user is careful to check the URL, and checks that the icon is in the correct place, doesn't HTTPS still provide protection? Especially the extended validation certificate used by many banks? – Ben Jun 13 '16 at 13:38
2

The bad news

The bad news is that nothing internet-y is 100% safe. There is always some degree of risk, even if you are using your own home network. The risk is higher, of course, on a network that someone else maintains, where members of the public can sign on and possibly attack the local network. For example, they could poison the DNS cache and send all of your online banking traffic to a criminal team in Romania.

The risk is especially bad if you are using a rented computer. There is no telling where that computer has been or what kind of viruses are on it. It could be logging all of your keystrokes and sending your session cookies to who knows. That's the bad news.

The good news

In the United States, the bank takes on almost all of the risk of loss. This is a requirement for them to be FDIC ensured. Unless you are banking with a disreputable bank, your liability for fraud is limited to $50. That being said, it can be something of a pain in the neck to recover the lost funds, but you can legally do it, eventually.

Things are constantly changing

The authentication environment is evolving and will evolve more in the next few years. Today, state of the art is a password with a second factor, either challenge questions or out of band. In a few years, you will see things like password-less logins (believe it or not), behavioral authentication, soft tokens, intelligent geolocation, out-of-wallet authentication, and other risk-driven measures. Banks will talk to each other about what is going on on their systems, look for devices popping up in multiple accounts (known as "account velocity"), detect malicious patterns, and shut them down in their tracks. So the environment is going to get safer and safer. Then again, hackers will get more and more sophisticated as the stakes go up.

What you can do

Here are some basic things you should do to protect yourself:

  1. Never access your banking site by clicking a link. Type it or use a bookmark that you yourself created. Links can be deceptive and point you to a criminal network instead of your bank.

  2. Access your banking site from your home network at least once before going out in the wild. This will register the banking site with the HSTS list held by your browser, and make it much harder for hackers to spoof your bank's site.

  3. Always use your own device. You'd be insane to use a shared computer, as it could have keyloggers or other malware.

  4. Never browser other sites while signed into your banking web site. Don't surf your email either. When you access unknown content, it could try sending requests to your banking site, and if you are signed in, they might actually go through.

  5. Always check the address bar to ensure that the connection is https and secure and that the correct domain name appears. If your bank uses an EV certificate, the entire URL should show up on a green background.

  6. Never ignore browser security warnings when accessing a banking site.

  7. Check your bank statements regularly and look for suspicious transactions. While your liability is limited to $50, you must report the loss within 90 days or you lose your rights.

If you do all of the above, it is reasonably safe to access banking web sites on a public network.

John Wu
  • 9,101
  • 1
  • 28
  • 39