Tilted Forum Project Discussion Community  

Old 08-01-2004, 02:59 PM   #1 (permalink)
The Original JizzSmacka
 
 
Is it safe to do online transactions over wifi?

Would it be safe to do online transactions from a wifi hotspot like Borders book store?
__________________
Never date anyone who doesn't make your dick hard.
Jesus Pimp is offline  
Old 08-01-2004, 03:16 PM   #2 (permalink)
Devils Cabana Boy
 
 
Location: Central Coast CA
no. not at all.

wireless can not be secure. and especially in a public setting, do it from home. don't even put your financial info anywhere but your house.
__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen
Dilbert1234567 is offline  
Old 08-01-2004, 03:23 PM   #3 (permalink)
Junkie
 
It all depends.

There are two issues that must be considered here.

- the actual encryption provided by the transport medium
- the encryption provided by the session ("connection") with the transacting agent.

WiFi networks can be very secure if configured properly. I'll go into details below. However, public "hotspots" (like those provided by Borders etc) are, by definition, not secured. They are considered OPEN with no encryption, as the hotspot provider wants to enable as many people as possible to use it. Remember, it's only providing internet access, exactly like an internet cafe. The only difference is that it is using RF (radio frequency) instead of wires to "connect" your PC to the internet.

Many people use VPN software to "tunnel" back into their company's networks (or even homes). VPN software uses a protocol called IPSec to encrypt your traffic and set up a virtual tunnel between your client and the server or router to which you connect. VPNs are very secure, but are usually only used by companies who want to allow their mobile staff to gain access to their home networks whilst on the road.

So, if you are transmitting confidential information, you should never do it "over the open", as would be the case in a WiFi public hotspot. It would be very easy for someone to capture the packets your laptop is sending and decode them. I can hear the alarm bells sounding... :-)

How is this different from any other wired internet cafe? Well, it's not really. But the nature of WiFi means that anyone with a wireless card can "listen" to your traffic, while in a wired environment you would have to actually physically connect a device to the cables to capture the traffic.

So, in essence, public hotspots are not secure. But they're not MEANT to be. Remember, we've only discussed the transport medium here, and not the higher level connection. And this is where it gets interesting.

If you are talking about an online transaction, one assumes it is something like online banking or Amazon or eBay etc. In these circumstances security is provided by higher level protocols like SSL (Secure Sockets Layer). What this means is that your web browser itself (and not the wired or wireless network) has negotiated a secure session with the server.

You will know if an SSL session has been set up because of two things. First, HTTP will be replaced by HTTPS in your web-browser address field. Second, a little "padlock" symbol will appear somewhere in your browser status bar. Note that in some online transactions, the URL address bar is hidden so you may not see the HTTPS. But you most certainly should see the little padlock symbol. It is this symbol that your browser uses to tell you a secure session has been created.

SSL is very secure and you can rest assured that such a session is proof against prying eyes.


So, let's summarize this a bit. Network security can be considered in a layered manner. WiFi is a network and physical layer protocol (just like Ethernet is). It is not secure on its own, but with the latest protocols it can be made so. However, public hotspots do not enable these encryption protocols, as they want as many people to use their service as possible. And who needs encryption for plain old internet traffic?

That's where HIGHER level encryption protocols come into place. This is what SSL does. It's a browser enabled and controlled encryption method that sets up secure session-based channels between your computer and the transacting server at the other end. Once the session is complete, the secure channel is "torn down".

Finally to answer your actual question, would it be safe to do online transactions from WiFi hotspots?

The answer is Yes, if you're talking to a reputable transacting agent (like a bank or Amazon etc).

BUT... doing it at home, or via a wired network is always going to give you that little bit extra reassurance, isn't it? :-) Personally, I'd only do it if I had to (and I have done so on many occasions, when on the road).


HOW TO SECURE A WIFI NETWORK
If anyone wants more detailed instructions, just let me know. But in summary, follow these simple steps:

1) Change the default SSID that your Access Point comes configured with.
2) Disable SSID broadcast
3) Enable WPA (WiFi Protected Access) with a key-phrase of at least 20 characters
4) Enable MAC Address filtering
5) Decrease transmission power to a level that covers your room/house only (no point in covering half the neighbourhood, is there?)
6) If your AP is a DHCP server, reduce the number of IP addresses it serves to the number of computers you use.
7) Change the default ADMIN password



Mr Mephisto
Mephisto2 is offline  
Old 08-01-2004, 03:24 PM   #4 (permalink)
Junkie
 
Quote:
Originally posted by Dilbert1234567
no. not at all.

wireless can not be secure. and especially in a public setting, do it from home. don't even put your financial info anywhere but your house.

That's entirely untrue. Read my post above.

First, wireless CAN BE secure.
Second, online transactions are secured via higher level protocols anyway (and are designed as such).


Mr Mephisto
Mephisto2 is offline  
Old 08-02-2004, 03:03 AM   #5 (permalink)
Junkie
 
I always try to err on the side of paranoia.

Do it from home.
__________________
+++++++++++Boom!
tropple is offline  
Old 08-02-2004, 09:47 AM   #6 (permalink)
Insane
 
 
Mr Mephisto: Very well thought out and typed post; pretty much says what I was going to say but much, much better.

I would try to avoid using such information as credit card numbers and log in information in public hotspots. But, in a pinch they would work and very likely you would never have any problems with it.

If someone ever audited how much public info is divulged in plain text over the network (wired or wireless) it would probably be a very scary thing. Even for me, and I'm knowledgeable about proper security practices.

Just one example, you log into TFP over an insecure WiFi network. The username and login you use for TFP is the same as your email address. In your webmail account; a lot of private information is usually stored -- bank login information, insurance login information; etc.

I believe the rules that apply to real life apply online as well. If someone really wants to break into your home; they can check the door every night to see if it's left unlocked. Some night, you will probably leave it unlocked. The same with CC information. If someone wants to get it enough; they can probably get it. But society usually frowns upon that sort of thing; so the chances of it happening are pretty slim.

I actually had my first fraud charge the other week on my check card. No idea how they got the info; I'm pretty protective with this information. I don't think I ever went to the bank that fast after it happened. It was small (9.95) but still scares me that someone had that number.

Just one other piece of advice - Use the one-time-number generators that a lot of credit cards come with these days. My CitiCard account comes with a feature that you can generate a CC number for each purchase. I use this for any shady or small company websites I order from; likewise if I ever ordered from a HotSpot I would use this number generator as well.
aurigus is offline  
Old 08-02-2004, 12:34 PM   #7 (permalink)
Junkie
 
Aurigus, I agree with you on security.

"Best practices" state that you shouldn't use WiFi for sending unencrypted information. But we must put things into perspective here.

Using a WiFi network for logging into your bank account, internet banking, Paypal, etc etc IS NO DIFFERENT from doing so at home (from a session encryption point of view).

Sure, someone could conceivably see you head to a particular web-site (just like they could if they sniffed your home network, or monitored your home cable internet access), but once you create an SSL session, with a reputable site that has a server-side certificate with a recognized CA, then *boom*, they can't see diddly shit.

WiFi can be very secure. WPA (with a long enough key-phrase) is currently unbroken. 802.11i (which uses AES as a replacement for the fundamentally flawed WEP) has been ratified and you will begin to see compliant devices very soon. Of course, AES/802.11i/WPA2 (all the same thing) is rather CPU intensive, so you'll see Access Points first, followed by newer and more powerful cards later. Some vendors will likely support AES in software, but that will have a 30% to 40% performance hit on the card.

Anyway, WiFi security is not the issue here. Higher-level, session specific security is. SSL (and especially SSLv3, which most browsers and servers now use) is ENTIRELY SAFE. As long as your browser has an encrypted session, then your data is secure.

Just don't go around sending sensitive information via AIM or Yahoo Chat, or enter details into an unencrypted form on a web-page. :-)

Oh, and remember, internet email is ENTIRELY UNENCRYPTED. It's based upon SMTP and uses clear text. Anyone who sends confidential information via email is not securing their data. You can encrypt via PGP etc, but just be aware.

If anyone wants more info, just ping me or post a question.


Mr Mephisto
Mephisto2 is offline  
Old 08-03-2004, 12:07 PM   #8 (permalink)
Canadian Beer Ambassador
 
Location: Cumming, GA
I have also heard to change your WEP (20 character encryption code) bi-weekly. Depending on the level of usage, a kiddie with a sniffer could get your code in 3-4 weeks. If you keep changing, he will give up.

BTW, you have to look at your surroundings. My neighborhood has 1 acre lots, and shiatloads of blue hairs. My buddy on the other hand set up his wifi, and had 6 other people broadcasting available networks. Needless to say, he put his up in a very secure fashion.
__________________
Take Off Eh!
theburner is offline  
Old 08-03-2004, 12:11 PM   #9 (permalink)
Insane
 
 
WPA is cool, because it changes your key every couple of minutes. That way it is much harder to break than WEP!
aurigus is offline  
Old 08-04-2004, 12:02 AM   #10 (permalink)
Junkie
 
Well, to be more accurate, WPA introduces several new features for WiFi security. Perhaps a little background information is in order.

WPA stands for WiFi Protected Access. It is a standard introduced by the WiFi Alliance (owners of the WiFi brand-name) and was in response to the inherent weaknesses in the WEP security scheme.

WEP (Wired Equivalent Privacy) is a cipher stream encryption protocol. The 128bit key is made up of a 40bit IV (initialization vector) and a 64bit RC4 key. The IV is transmitted in clear text which, along with the fundamental weaknesses of RC4, are what make WEP sub-optimal for strong security. Because a hacker can easily capture the clear text IV, and because of the nature of how IVs are generated, a hacker can effectively decode your entire 128bit key if they capture enough packets.

The WiFi Alliance developed WPA to combat these weaknesses. WPA introduces several new security enhancements.

TKIP - Temporal Key Integrity Protocol
TKIP rehashes your WEP key for every single packet. This means that a hacker can no longer decode your WEP key by capturing enough packets.

MIC - Message Integrity Check
Without going into too much detail, MIC can be considered a kind of CRC like mechanism. Any changes to the packet (by so-called Man in the Middle Attacks) are detected by the MIC.

Key Management
WPA provides for two types of Key Management. Standard EAP based solutions, where a backend AAA negotiates new WEP keys on a periodic basis, and WPA-PSK (WPA - Pre Shared Key). WPA-PSK is what is used in most home deployments. In these circumstances, both the Access Point and the client have a pre-shared key (or "pass phrase") that is used to generate brand new WEP keys on an agreed periodic basis.

There are some problems with WPA-PSK. Originally, the standard called for pre-shared keys of at least 20 characters long, but manufacturers thought this was too much hassle for most of their customers and the standard was revised to allow for 8 character pre-shared keys or higher. The problem is that 8 character pre-shared keys are not long enough to guarantee security.

If you are setting up a home network with WPA, in PSK mode, you should make sure the pre-shared key you use is at least 20 characters long. Using anything shorter is not recommended. It might be easier to type in, but it's not 100% secure.


Mr Mephisto

Last edited by Mephisto2; 08-05-2004 at 04:02 AM..
Mephisto2 is offline  
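
An added example, not part of any post in this thread: how a WPA-PSK passphrase becomes the actual 256-bit key, which is why both the "at least 20 characters" advice and the "change the default SSID" step matter. The derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) is the one defined in IEEE 802.11i; the function names, the sample SSIDs and the sample passphrases are constructed for illustration.

```python
import hashlib
import math

PRINTABLE_ASCII = 95  # characters 0x20..0x7e allowed in a WPA passphrase

def wpa_psk_pmk(passphrase, ssid):
    """256-bit pairwise master key as defined for WPA-PSK in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def search_space_bits(length, alphabet=PRINTABLE_ASCII):
    """Guessing work, in bits, for a uniformly random passphrase."""
    return length * math.log2(alphabet)

def review_psk(passphrase, ssid, default_ssids=("linksys", "default", "NETGEAR")):
    """Return findings against the thread's advice (20+ chars, non-default SSID).
    default_ssids is a constructed sample list, not an authoritative one."""
    findings = []
    if len(passphrase) < 20:
        findings.append("passphrase shorter than 20 characters")
    if ssid in default_ssids:
        findings.append("factory-default SSID: salt is shared with other networks")
    return findings

if __name__ == "__main__":
    # Constructed sample values for illustration only.
    for pw, ssid in [("password", "linksys"),
                     ("correct horse battery staple", "attic-ap-7")]:
        print(ssid, wpa_psk_pmk(pw, ssid).hex()[:16], review_psk(pw, ssid))
    print("8 lowercase letters : %.1f bits" % search_space_bits(8, 26))
    print("20 printable chars  : %.1f bits" % search_space_bits(20))
```

Because the SSID is the salt, the same passphrase yields a different key on every differently named network, and the per-guess cost is fixed at 4096 HMAC rounds, so passphrase length is the only setting the owner controls that raises the guessing work.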
 

All times are GMT -8.