# How secure is internet banking on an open wireless network?



## miguelsanchez (Feb 1, 2005)

A hypothetical question: if my internet service was down for a few days and I needed to my internet banking (don't want to rack up late charges on my Visa!), would I be compromising my security by using my neighbour's wireless router or another wireless hotspot to connect to my bank? 

As I understand it, the bank uses 128-bit encryption anyway, so does the WEP/WPA encryption add any more security?

Thanks for reading,

Miguel


----------



## zen.state (Nov 29, 2005)

the banks security is only at their end. if your connection to the site is open wifi then the packets could easily be sniffed.


----------



## Another_Paul (Sep 20, 2005)

I never do banking on open wireless networks and don't even use my email on open networks very often.


----------



## da_jonesy (Jun 26, 2003)

Sure you could "sniff" the packets... but then remember that the traffic is encrypted and then encrypted again.

You have the WEP encryption for the wireless traffic (albeit it is often not as strong as 128 bit encryption) and then the traffic is usually encrypted using SSL over HTTPS.

Trust me it is pretty safe. Safe enough that you shouldn't worry about it unless you are money laundering and have the NSA monitoring you.


----------



## Atroz (Aug 7, 2005)

As others have stated, SSL will safeguard your banking info. However, I'd be more worried about other things. e.g. Ensure that your computer is up to date on patches, and that your firewall is in place before connecting to somebody else's network. Also realize that alot of other communication could be sniffed by your neighbour or somebody else. E.g. often your email server (POP/SMTP) logins are not encrypted. Logging in to services like Gmail (web) is encrypted for the login, but not for the rest of the session, so somebody could be reading your Email. 

I'd certainly say you are safer using your Mac for this than to borrow somebody's Windows PC.


----------



## Orion (Apr 16, 2004)

WEP and WPA will encrypt everything between your computer and the router. This means that someone can tell that something is going between your computer and the router but they can't tell what.

If the encryption is cracked or non-existent then information between your computer and the router can be read. If you are doing banking then the information is encrypted between your computer and the bank's computer.

Examples:
Bank encryption only:
Someone could tell that you are sending information to the bank, but they wouldn't be able to tell what that info is. They would know you are doing it, though.

Bank and WEP(*) or WPA:
Someone would know that you are sending information to the wireless router, but that would be it. They wouldn't know to whom it was going nor the information contained therein.

(*) WEP has been cracked and is not a reliable method of securing a wireless access point, hence the creation of WPA.


----------



## miguelsanchez (Feb 1, 2005)

So if I understand this correctly, if the bank is using SSL, the data being sent wirelessly b/w the comp and the router cannot be deciphered, even without WEP/WPA? Does that mean that banking on any network i.e. public library is secure unless the bank's encryption is compromised?

How could I or someone else know that my router is/was being used by another party? The only thing I can think of is to check the router's logs. Is there anything that can be used to view wireless traffic in real-time?


----------



## zen.state (Nov 29, 2005)

a lot of you don't seem to understand that he is asking about using OPEN wifi and NOT encrypted.


----------



## Atroz (Aug 7, 2005)

miguelsanchez said:


> So if I understand this correctly, if the bank is using SSL, the data being sent wirelessly b/w the comp and the router cannot be deciphered, even without WEP/WPA? Does that mean that banking on any network i.e. public library is secure unless the bank's encryption is compromised?
> 
> How could I or someone else know that my router is/was being used by another party? The only thing I can think of is to check the router's logs. Is there anything that can be used to view wireless traffic in real-time?


SSL encryption protects what your web browser exchanges with the server at the other end. That doesn't mean banking on another network is safe. It's kinda like saying that sending a letter through a bonded carrier is safe. Sure, the transmission is. However, did somebody see you writting the letter? Did somebody stick something else in the envelope with your letter? 

SSL solved the data integrity, confidentiality and the Identification and Authentication issues of Internet commerce nicely. However, the weak point is the computer. Can you trust the computer? Can you trust the web browser on that computer? Can you trust that there's no sniffers, keyloggers, etc installed? 

I would NEVER use a public access PC for my banking unless I knew it went through stringent controls and safeguards. e.g. an ATM at my bank is OK. 

RE: looking for wireless traffic. You can get wireless sniffers that will tell you what is going on. I.e. if somebody is using your wireless router, what's being transmitted, etc. You are better off using a good router and setting it up correctly to keep others out, than to worry about detecting a break-in.


----------



## ender78 (Jan 23, 2005)

miguelsanchez said:


> A hypothetical question: if my internet service was down for a few days and I needed to my internet banking (don't want to rack up late charges on my Visa!), would I be compromising my security by using my neighbour's wireless router or another wireless hotspot to connect to my bank?


The encrypted session between the bank and your browser is secure [were SSL to be cracked, say goodbye to Internet Commerce for a while]. The only risk that you are taking with using your neighbours open wireless connection is that without WPA/WEP, anyone listening can see your already encrypted packets without the additional overhead of decoding/cracking WEP/WPA. As long as you control the machine and are confident that the machine itself is secure, there is no threat to your data when your data is encrypted via SSL.


----------

