A question for the security mavens - Tilted Forum Project Discussion Community

Necrosis · 12-01-2006, 08:28 PM

I enjoy visiting internet cafes from time to time. There are usually other happy people in there with headphones, listening to music and getting work or studying done without being bothered.

If I have the little security symbol at the bottom right of my browser, am I safe in doing online banking, or is that a huge risk to do via public wi-fi?

kofspades · 12-01-2006, 08:40 PM

I sure wouldn't do it.

Cynthetiq · 12-01-2006, 09:11 PM

IMO it's not much different than handing your credit card to the waitress when you're done with your meal/beer.

You run the same risk IMO.

I'd also qualify it by saying I'd only do it if it was absolutely necessary, just like using an offbrand ATM at some liquor store.

zed wolf · 12-02-2006, 03:54 AM

Quote:

Originally Posted by Cynthetiq

IMO it's not much different than handing your credit card to the waitress when you're done with your meal/beer.

You run the same risk IMO.

I'd also qualify it by saying I'd only do it if it was absolutely necessary, just like using an offbrand ATM at some liquor store.

Agreed. There are risks involved in everything you will ever do in life. millions of people do business over wi fi every day with no problems, however, there are also people out there looking to take advantage of the people who do. I wouldn't let that stop me though any more then the possibility of being in a traffic accident would stop me from driving a car.

Silvy · 12-02-2006, 06:40 AM

The encryption used by most on-line banking sites assumes that you're communicating over an insecure network.

This means that the security measures assume that the communication is picked up by others. (If you use a fixed internet connection your ISP, it's employees, or other computers on the route may also eavesdrop on the connection).
The encryption scheme used (SSL) should ensure that listening in will not reveal any of the data that is transferred.

In theory you should be just as safe using a fixed internet connection as you were using a WiFi connection.

But (there is always a 'but', isn't there?) security schemes may be broken. If that happens, no internet connection is safe, but a WiFi connection is even less safe because it's easier to listen into anonymously*.

Also, using a WiFi connection allows other computers to connect to yours. That connection would normally be refused, but that is also a measure that might be broken. Potentially your PC could be hacked into allowing others to copy your screen without needing to listen in on the connection**

Hope this makes it a little clearer....

* This is not likely, but a decent post about security should mention this
** This is not very likely, but possible. This is akin to someone looking over your shoulder. You might not notice someone across the street using binoculars to read your screen. (Not likely, but not impossible either).

cyrnel · 12-02-2006, 07:23 AM

Good summary, Silvy.

I'd just add that with WiFi hotspots, be wary of "alternate" SSIDs. Be sure you're connecting to the correct, trusted, access point. That initial assumption of trust, when misplaced, opens the door to serious damage.

Nimetic · 12-02-2006, 06:30 PM

No way I'd do that.

And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there.

Some other ways of recording keystrokes include special keyboards and PCs. (Lookup keyghost).

Silvy · 12-03-2006, 03:19 AM

Quote:

Originally Posted by Nimetic

And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there.

Though you're correct in the existence of keyloggers, Necrosis, I assumed, was talking about using your own laptop in a WiFi hotspot facility. Stil a camera would accomplish the same.

Keyloggers are a security risk everywhere (and probably a common thing after a hacker has had access to your system). Keyloggers record all keystrokes, and with a little guesswork you can easily derive usernames and passwords from them.

However, a keylogger would not do anybody any good with my online banking service. I have to enter a one-time key sequence to gain access. That sequence cannot be re-used. (this is for reading my account status). For modifying my accounts (payments, banktransfers, and such) I need to use a physical 'calculator' to calculate an answer to the key sequence the bank gives me.

This solves several things:
- the system is based on the very secure something you know and something you posess system. The 'calculator' needs your bank card for it's calculations and won't work without a PIN. (hence you know the PIN number, and you posess your bankcard.) This defeats reading over shoulders or stealing your bankcard, a thief needs to do both.
(The 'calculator' itself is universal for all accounts. So stealing the PIN and bankcard is enough to "own" the account.)

- Proxy based (fishing) attack. Since the patching of a few browsers, fishing attacks are more difficult. The bank actually warns me to look at the browser address bar to verify that I'm actually communicating with the bank.

- Reading my log-in sequence will only allow an attacker to view my account status. (note: this would actually help me, as he/she can confim I don't have any money

)

- There is a single attack vector that would work**. But it requires a huge amount of preparation, access to the network and physical or hacked access to the PC to make work. And even then, I've noticed that the bank is not easily fooled.

Trust me, the banks are very security minded (sometimes freakishly so), and, at least around here, will not implement a banking system prone to easy attacks. The thing is, banks rely on one thing: public trust. If public trust diminishes the entire banking system is at risk. Security issues are therefore dealt with swiftly.

Cheers!

** I haven't tried or researched into this attack vector. It might very well not be possible. But since the system has been put in place a couple of years ago, its been on my mind that it probably is possible, but very difficult to pull off, only work on 1 PC at a time, and will not fool a vigilant user.

Necrosis · 12-03-2006, 11:33 AM

Thanks, especially to Silvy, for some useful info.

Dilbert1234567 · 12-03-2006, 01:12 PM

There are a few attack vectors, but they are extremely difficult, the one I am most familiar with is a variation on the man in the middle attack.

First, poison the arp table and control all the traffic. Then pretend to be all parties required for the transaction, including every party that handles the encryption certificates. (The hard part). Record all traffic and take what you want. You don’t actually need access to the internals of the network, just a client. arp poisoning is easy, but the certificates is hard, and well out of reach for nearly everyone.

You are relatively safe, but not completely. I’ve mentioned this before, but I’ll say it again, if you are on a wired connection, with a part of the network is unencrypted wireless, you are not secure, and anyone can view all of your internal traffic, wired and wireless.

macmanmike6100 · 12-07-2006, 09:24 AM

this is crazy -- you're probably OK, of course taking normal precautions like avoiding letting people look at what you're doing, making sure you're connecting to the right network. personally, i avoid doing anything serious over wireless connections unless i'm in control of the wireless access point.

if you're asking this question, you probably don't need/want to know about cache poisoning.

NotAnAlias · 12-08-2006, 12:56 PM

I'd be more worried about stuff on your own computer - keyloggers, malware, viruses etc - than i would about an ssl tunnel being broken.

12-01-2006, 08:28 PM	#1 (permalink)
Necrosis Tilted	A question for the security mavens I enjoy visiting internet cafes from time to time. There are usually other happy people in there with headphones, listening to music and getting work or studying done without being bothered. If I have the little security symbol at the bottom right of my browser, am I safe in doing online banking, or is that a huge risk to do via public wi-fi?

12-01-2006, 08:40 PM	#2 (permalink)
kofspades Crazy	I sure wouldn't do it. __________________ Even if you stop the clock, it gives the right time twice a day. Once we get out of the eighties, the nineties are going to make the sixties look like the fifties.

12-01-2006, 09:11 PM	#3 (permalink)
Cynthetiq Tilted Cat Head Administrator Location: Manhattan, NY	IMO it's not much different than handing your credit card to the waitress when you're done with your meal/beer. You run the same risk IMO. I'd also qualify it by saying I'd only do it if it was absolutely necessary, just like using an offbrand ATM at some liquor store. __________________ I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not. What's the best nation in the world? DO-NATION! Last edited by Cynthetiq; 12-01-2006 at 09:14 PM..

12-02-2006, 06:40 AM	#5 (permalink)
Silvy paranoid Location: The Netherlands	The encryption used by most on-line banking sites assumes that you're communicating over an insecure network. This means that the security measures assume that the communication is picked up by others. (If you use a fixed internet connection your ISP, it's employees, or other computers on the route may also eavesdrop on the connection). The encryption scheme used (SSL) should ensure that listening in will not reveal any of the data that is transferred. In theory you should be just as safe using a fixed internet connection as you were using a WiFi connection. But (there is always a 'but', isn't there?) security schemes may be broken. If that happens, no internet connection is safe, but a WiFi connection is even less safe because it's easier to listen into anonymously. Also, using a WiFi connection allows other computers to connect to yours. That connection would normally be refused, but that is also a measure that might be broken. Potentially your PC could be hacked into allowing others to copy your screen without needing to listen in on the connection* Hope this makes it a little clearer.... * This is not likely, but a decent post about security should mention this ** This is not very likely, but possible. This is akin to someone looking over your shoulder. You might not notice someone across the street using binoculars to read your screen. (Not likely, but not impossible either). __________________ "Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints)

12-02-2006, 07:23 AM	#6 (permalink)
cyrnel Adequate Location: In my angry-dome.	Good summary, Silvy. I'd just add that with WiFi hotspots, be wary of "alternate" SSIDs. Be sure you're connecting to the correct, trusted, access point. That initial assumption of trust, when misplaced, opens the door to serious damage. __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

12-02-2006, 06:30 PM	#7 (permalink)
Nimetic Junkie Location: Melbourne, Australia	No way I'd do that. And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there. Some other ways of recording keystrokes include special keyboards and PCs. (Lookup keyghost).

12-03-2006, 11:33 AM	#9 (permalink)
Necrosis Tilted	Thanks, especially to Silvy, for some useful info.

12-03-2006, 01:12 PM	#10 (permalink)
Dilbert1234567 Devils Cabana Boy Location: Central Coast CA	There are a few attack vectors, but they are extremely difficult, the one I am most familiar with is a variation on the man in the middle attack. First, poison the arp table and control all the traffic. Then pretend to be all parties required for the transaction, including every party that handles the encryption certificates. (The hard part). Record all traffic and take what you want. You don’t actually need access to the internals of the network, just a client. arp poisoning is easy, but the certificates is hard, and well out of reach for nearly everyone. You are relatively safe, but not completely. I’ve mentioned this before, but I’ll say it again, if you are on a wired connection, with a part of the network is unencrypted wireless, you are not secure, and anyone can view all of your internal traffic, wired and wireless. __________________ Donate Blood! "Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

12-07-2006, 09:24 AM	#11 (permalink)
macmanmike6100 High Honorary Junkie Location: Tri-state.	this is crazy -- you're probably OK, of course taking normal precautions like avoiding letting people look at what you're doing, making sure you're connecting to the right network. personally, i avoid doing anything serious over wireless connections unless i'm in control of the wireless access point. if you're asking this question, you probably don't need/want to know about cache poisoning.

12-08-2006, 12:56 PM	#12 (permalink)
NotAnAlias Tilted Location: Auckland, New Zealand	I'd be more worried about stuff on your own computer - keyloggers, malware, viruses etc - than i would about an ssl tunnel being broken.