A question for the security mavens
 

I enjoy visiting internet cafes from time to time. There are usually other happy people in there with headphones, listening to music and getting work or studying done without being bothered.

If I have the little security symbol at the bottom right of my browser, am I safe in doing online banking, or is that a huge risk to do via public wi-fi?

I sure wouldn't do it.

IMO it's not much different than handing your credit card to the waitress when you're done with your meal/beer.

You run the same risk IMO.

I'd also qualify it by saying I'd only do it if it was absolutely necessary, just like using an offbrand ATM at some liquor store.

Agreed. There are risks involved in everything you will ever do in life. millions of people do business over wi fi every day with no problems, however, there are also people out there looking to take advantage of the people who do. I wouldn't let that stop me though any more then the possibility of being in a traffic accident would stop me from driving a car.

The encryption used by most on-line banking sites assumes that you're communicating over an insecure network.

This means that the security measures assume that the communication is picked up by others. (If you use a fixed internet connection your ISP, it's employees, or other computers on the route may also eavesdrop on the connection).
The encryption scheme used (SSL) should ensure that listening in will not reveal any of the data that is transferred.

In theory you should be just as safe using a fixed internet connection as you were using a WiFi connection.

But (there is always a 'but', isn't there?) security schemes may be broken. If that happens, no internet connection is safe, but a WiFi connection is even less safe because it's easier to listen into anonymously*.

Also, using a WiFi connection allows other computers to connect to yours. That connection would normally be refused, but that is also a measure that might be broken. Potentially your PC could be hacked into allowing others to copy your screen without needing to listen in on the connection**

Hope this makes it a little clearer....

* This is not likely, but a decent post about security should mention this
** This is not very likely, but possible. This is akin to someone looking over your shoulder. You might not notice someone across the street using binoculars to read your screen. (Not likely, but not impossible either).

Good summary, Silvy.

I'd just add that with WiFi hotspots, be wary of "alternate" SSIDs. Be sure you're connecting to the correct, trusted, access point. That initial assumption of trust, when misplaced, opens the door to serious damage.

No way I'd do that.

And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there.

Some other ways of recording keystrokes include special keyboards and PCs. (Lookup keyghost).

Though you're correct in the existence of keyloggers, Necrosis, I assumed, was talking about using your own laptop in a WiFi hotspot facility. Stil a camera would accomplish the same.

Keyloggers are a security risk everywhere (and probably a common thing after a hacker has had access to your system). Keyloggers record all keystrokes, and with a little guesswork you can easily derive usernames and passwords from them.

However, a keylogger would not do anybody any good with my online banking service. I have to enter a one-time key sequence to gain access. That sequence cannot be re-used. (this is for reading my account status). For modifying my accounts (payments, banktransfers, and such) I need to use a physical 'calculator' to calculate an answer to the key sequence the bank gives me.

This solves several things:
- the system is based on the very secure something you know and something you posess system. The 'calculator' needs your bank card for it's calculations and won't work without a PIN. (hence you know the PIN number, and you posess your bankcard.) This defeats reading over shoulders or stealing your bankcard, a thief needs to do both.
(The 'calculator' itself is universal for all accounts. So stealing the PIN and bankcard is enough to "own" the account.)

- Proxy based (fishing) attack. Since the patching of a few browsers, fishing attacks are more difficult. The bank actually warns me to look at the browser address bar to verify that I'm actually communicating with the bank.

- Reading my log-in sequence will only allow an attacker to view my account status. (note: this would actually help me, as he/she can confim I don't have any money :cool: )

- There is a single attack vector that would work**. But it requires a huge amount of preparation, access to the network and physical or hacked access to the PC to make work. And even then, I've noticed that the bank is not easily fooled.

Trust me, the banks are very security minded (sometimes freakishly so), and, at least around here, will not implement a banking system prone to easy attacks. The thing is, banks rely on one thing: public trust. If public trust diminishes the entire banking system is at risk. Security issues are therefore dealt with swiftly.

Cheers!

** I haven't tried or researched into this attack vector. It might very well not be possible. But since the system has been put in place a couple of years ago, its been on my mind that it probably is possible, but very difficult to pull off, only work on 1 PC at a time, and will not fool a vigilant user.

Thanks, especially to Silvy, for some useful info.

There are a few attack vectors, but they are extremely difficult, the one I am most familiar with is a variation on the man in the middle attack.

First, poison the arp table and control all the traffic. Then pretend to be all parties required for the transaction, including every party that handles the encryption certificates. (The hard part). Record all traffic and take what you want. You don’t actually need access to the internals of the network, just a client. arp poisoning is easy, but the certificates is hard, and well out of reach for nearly everyone.

You are relatively safe, but not completely. I’ve mentioned this before, but I’ll say it again, if you are on a wired connection, with a part of the network is unencrypted wireless, you are not secure, and anyone can view all of your internal traffic, wired and wireless.

this is crazy -- you're probably OK, of course taking normal precautions like avoiding letting people look at what you're doing, making sure you're connecting to the right network. personally, i avoid doing anything serious over wireless connections unless i'm in control of the wireless access point.

if you're asking this question, you probably don't need/want to know about cache poisoning.

I'd be more worried about stuff on your own computer - keyloggers, malware, viruses etc - than i would about an ssl tunnel being broken.