Internet security: which is the lesser of 2 evils?

coalcracker
Posts: 493
Joined: Sat Feb 04, 2012 12:25 pm

Internet security: which is the lesser of 2 evils?

Post by coalcracker » Wed Aug 24, 2016 9:00 am

On occasion it is much more convenient or even necessary for me to perform financial transactions while I am at work, during business hours. For you IT experts, which of these options would you consider less risky when entering a password for a financial website?

1. Hospital network computer (not wifi) which would require I enter the financial website password manually by keystroke.

2. Personal laptop on guest wifi (i.e. not password protected). However, I use a password manager which would require I enter the main password for that software, but NOT the password for the financial website.

I know neither way is ideal, but I'm going to keep doing it anyway :wink:

Thanks,
cc

furwut
Posts: 1581
Joined: Tue Jun 05, 2012 8:54 pm

Re: Internet security: which is the lesser of 2 evils?

Post by furwut » Wed Aug 24, 2016 9:20 am

Ideally one never should perform sensitive transactions on an unknown/untrusted network. To start you should have 2 factor authentication set up for all your important logins.

Of your 2 scenarios I think I would go with the second - signing on with your personal computer over WiFi. The reason is that using your own computer (which presumably is virus free) bypasses the potential risk that keylogging software has been installed on the hospital's terminal.

I'm not concerned that much with using WiFi. To intercept the transmission one would have to be fairly close and when accessing an HTTPS site the entire transmission is encrypted.

Rolyatroba
Posts: 226
Joined: Mon Apr 22, 2013 1:14 pm

Re: Internet security: which is the lesser of 2 evils?

Post by Rolyatroba » Wed Aug 24, 2016 9:42 am

If you use a personal laptop, you should use a VPN service. This encrypts ALL traffic between your laptop and the VPN server, and assuming your financial transactions are also encrypted (drop that company if not), the traffic will then be encrypted normally between the VPN server and the financial institution. (Note it is sort of "double-encrypted" between laptop and VPN server.)

Another option, without a personal laptop, is to use a remote control technology to use your home computer while you are at work. That traffic is also encrypted.

The only bugaboo would be if your company blocks the Ethernet ports for this to be able to happen. (Sometimes they'll block outbound traffic destined to known VPN services and/or common remote control ports, like 3389).

I don't recommend option 1 at all.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Internet security: which is the lesser of 2 evils?

Post by Mudpuppy » Wed Aug 24, 2016 1:41 pm

coalcracker wrote:1. Hospital network computer (not wifi) which would require I enter the financial website password manually by keystroke.
This may be against the acceptable use policy for your hospital, which is a whole different level of risk. Unless you want to get fired for unauthorized use of hospital resources, I would keep personal browsing to personal devices.
coalcracker wrote:2. Personal laptop on guest wifi (i.e. not password protected). However, I use a password manager which would require I enter the main password for that software, but NOT the password for the financial website.
You do realize the password manager itself is entering the password for the website, right? Your financial password is still being transmitted across the hospital's WiFi network, just it was entered by a program instead of by you at the keyboard. The security of this approach greatly depends upon the security of the financial website, i.e. the level of encryption used by the website.

Kuna_Papa_Wengi
Posts: 40
Joined: Sun Mar 08, 2015 1:55 pm
Location: Rocinante

Re: Internet security: which is the lesser of 2 evils?

Post by Kuna_Papa_Wengi » Wed Aug 24, 2016 1:56 pm

Neither of those two options is secure by itself. You should use your personal laptop and a VPN service such as https://www.privateinternetaccess.com.

Rob5TCP
Posts: 3408
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Internet security: which is the lesser of 2 evils?

Post by Rob5TCP » Wed Aug 24, 2016 2:10 pm

I go along with VPN. Wifi is inherently unsafe and it's rare that I've found adequate safeguards on public wifi without VPN

Watty
Posts: 18087
Joined: Wed Oct 10, 2007 3:55 pm

Re: Internet security: which is the lesser of 2 evils?

Post by Watty » Wed Aug 24, 2016 2:25 pm

Two other suggestions:

1) See if you can do what you need to do by calling their 800 phone number.

2) It opens a whole other can of worms but consider using a smartphone app.

AAA
Posts: 1222
Joined: Sat Jan 12, 2008 8:56 am

Re: Internet security: which is the lesser of 2 evils?

Post by AAA » Wed Aug 24, 2016 3:33 pm

Our employer told us that limited personal use of their computing facilities was okay. I still avoided doing any financial transactions, checking accounts, etc. The reason - we were also told that employer had the right to monitor our activity. I worried that there could be a keystroke logging program that would result in my passwords being recorded somewhere.

DSInvestor
Posts: 11065
Joined: Sat Oct 04, 2008 11:42 am

Re: Internet security: which is the lesser of 2 evils?

Post by DSInvestor » Wed Aug 24, 2016 3:40 pm

What about using your cell phone while not connected to wifi but connected to LTE/4G network?

petiejoe
Posts: 46
Joined: Wed Feb 13, 2013 8:18 pm

Re: Internet security: which is the lesser of 2 evils?

Post by petiejoe » Wed Aug 24, 2016 3:52 pm

Never (ever) enter your passwords on a computer you don't have full control over. If the "Hospital network computer" is shared with other employees or patients, assume that everything you do on that computer is in plain text for the bad guys. Keyloggers are trivial to add to a computer with public access like that (and despite the name, they can capture much more than just keystrokes so I wouldn't put _too_ much emphasis on whether you manually type the password or use a password manager).

On a large semi-public network like a hospital I don't see much practical difference between wifi with a password (that's widely known) and wifi with no password. Either way, someone could be listening in on your connection. At that point, you're really relying on the security of the https connection between you and your financial institution. I wouldn't consider that the best security posture, but that at least requires an active hacker _and_ a weak point in your bank security.

Definitely consider setting up a VPN with a company you can trust, but if you really have to choose between those two choices, I'd take my personal computer over wifi instead of a public computer any day of the week.

House Blend
Posts: 4653
Joined: Fri May 04, 2007 1:02 pm

Re: Internet security: which is the lesser of 2 evils?

Post by House Blend » Wed Aug 24, 2016 4:03 pm

Watty wrote:1) See if you can do what you need to do by calling their 800 phone number
This.

On rare occasions, I've had to do financial transactions while on the road, with online choices limited to public or semi-public wifi or mobile apps.

In those situations, I use plain old phone calls from my cell phone. I've paid credit card bills and bought shares of Vanguard funds this way (have previously set up voice verification). It's not that hard, even if it takes a bit longer than online.

nominalBob
Posts: 107
Joined: Fri Nov 28, 2014 5:30 pm

Re: Internet security: which is the lesser of 2 evils?

Post by nominalBob » Wed Aug 24, 2016 4:07 pm

petiejoe wrote:... At that point, you're really relying on the security of the https connection between you and your financial institution. I wouldn't consider that the best security posture, but that at least requires an active hacker _and_ a weak point in your bank security.
What about Man in the Middle (https computer to rogue wifi, second https from rogue wifi to financial institution)? People used to worry about that. Did anything change to make this no longer a concern?

DaftInvestor
Posts: 4842
Joined: Wed Feb 19, 2014 10:11 am

Re: Internet security: which is the lesser of 2 evils?

Post by DaftInvestor » Wed Aug 24, 2016 4:12 pm

Kuna_Papa_Wengi wrote:Neither of those two options is secure by itself. You should use your personal laptop and a VPN service such as https://www.privateinternetaccess.com.
You can't really say that neither of those options is secure. They both are secure provided the provider is using https which they all are (putting any unknown or unpatched SSL/TLS vulnerabilities aside - nothing is ever 100% guaranteed) and provided the laptop or hospital terminal haven't been compromised (which is a risk regardless of whether you are encrypting again over a VPN service).

OP: Personally I'd feel more secure using my own laptop reason being it is more under my control. I also personally feel adding a VPN tunnel under the secure connection to your bank is overkill. The majority of hacks happen with data at rest not data in transit and with a VPN service you are adding an addition element that could be compromised into the communication.

gtaylor
Posts: 332
Joined: Tue Feb 17, 2009 3:22 pm

Re: Internet security: which is the lesser of 2 evils?

Post by gtaylor » Wed Aug 24, 2016 5:28 pm

DaftInvestor wrote:You can't really say that neither of those options is secure. They both are secure provided the provider is using https which they all are (putting any unknown or unpatched SSL/TLS vulnerabilities aside - nothing is ever 100% guaranteed) and provided the laptop or hospital terminal haven't been compromised (which is a risk regardless of whether you are encrypting again over a VPN service).
Don't read too much into https being a strong indicator of privacy. It is not uncommon for organizations to run https proxies which decode and monitor ssl traffic. This is easily done by providing browser/os installs with the proxy's certificates pre-approved. So you'll connect to vanguard.com, but be speaking TLS to the proxy, which speaks TLS to vanguard. The proxy can do various security, regulatory, or nanny things with your traffic.

On top of that, and some folks here have implied this, offhand the expectation for security in a hospital network would be really awful. The intersection of good security practice (install all the updates) and FDA medical software regulation (recertify if you fix a typo) is not good, and that's on top of the operational difficulties from having so many people on an unavoidably complex network.

It should be better to use a VPN from your private device, but even that has some obstacles. It seems to be something of a wild west or even fly by night industry. All well and good for watching TV in another country, but gadzooks, I wouldn't trust the security provided by most VPN providers all that much. Still, it's probably better than raw use of a hospital or hotel network.
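To make gtaylor's point concrete, here is an added Go example (not code from anyone in this thread or from any product): it builds, in memory, a stand-in public CA with the site's genuine certificate and a corporate proxy CA that mints its own certificate for the same hostname, then shows that the proxy's certificate verifies only once the proxy CA has been pre-installed in the trust store. That same comparison is the check a defender can run on a managed machine to tell whether a connection is trusted only because of a locally added root. The hostname vanguard.com is taken from the thread; all keys, certificates and CA names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA template (ca=true) or a server-certificate template for a hostname.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // browsers match the SAN, not the CN
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustIssue signs tmpl with the parent's key; a nil parent means self-signed (a root CA).
// Every input here is constructed, so a failure is a bug and panics.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario: a stand-in public CA with the site's genuine certificate, and an inspecting
// proxy's private CA with the certificate it mints for the same hostname.
type Scenario struct {
	Host      string
	PublicCA  *x509.Certificate // what a stock browser trust store contains
	Genuine   *x509.Certificate
	ProxyCA   *x509.Certificate // the root IT pre-approves on managed machines
	ProxyLeaf *x509.Certificate
}

func BuildScenario(host string) *Scenario {
	publicCA, publicKey := mustIssue(template("Constructed Public Root CA", 1, true), nil, nil)
	proxyCA, proxyKey := mustIssue(template("Constructed Corporate Proxy CA", 2, true), nil, nil)
	genuine, _ := mustIssue(template(host, 3, false), publicCA, publicKey)
	proxyLeaf, _ := mustIssue(template(host, 4, false), proxyCA, proxyKey)
	return &Scenario{host, publicCA, genuine, proxyCA, proxyLeaf}
}

// Trusted is the browser's decision: does leaf chain to one of roots for host?
func Trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// InterceptedByLocalRoot is the defender's check: the chain verifies only because of a
// root added to the store locally, which is how an inspecting proxy looks from the client.
func InterceptedByLocalRoot(leaf *x509.Certificate, host string, publicRoot, localRoot *x509.Certificate) bool {
	return !Trusted(leaf, host, publicRoot) && Trusted(leaf, host, publicRoot, localRoot)
}

func main() {
	s := BuildScenario("vanguard.com") // hostname from the thread; the certificates are constructed
	fmt.Println("genuine cert, stock trust store:     ", Trusted(s.Genuine, s.Host, s.PublicCA))
	fmt.Println("proxy cert, stock trust store:       ", Trusted(s.ProxyLeaf, s.Host, s.PublicCA))
	fmt.Println("proxy cert, proxy CA pre-approved:   ", Trusted(s.ProxyLeaf, s.Host, s.PublicCA, s.ProxyCA))
	fmt.Println("accepted only via locally added root:", InterceptedByLocalRoot(s.ProxyLeaf, s.Host, s.PublicCA, s.ProxyCA))
}
```

On a real machine the same idea is applied by comparing the root the browser's chain ends at against the public root set shipped with the OS or browser.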

petiejoe
Posts: 46
Joined: Wed Feb 13, 2013 8:18 pm

Re: Internet security: which is the lesser of 2 evils?

Post by petiejoe » Wed Aug 24, 2016 6:00 pm

nominalBob wrote:
petiejoe wrote:... At that point, you're really relying on the security of the https connection between you and your financial institution. I wouldn't consider that the best security posture, but that at least requires an active hacker _and_ a weak point in your bank security.
What about Man in the Middle (https computer to rogue wifi, second https from rogue wifi to financial institution)? People used to worry about that. Did anything change to make this no longer a concern?
The man in the middle wouldn't be able to decrypt a properly configured https site. http://security.stackexchange.com/quest ... oxy-server has a reasonably accessible explanation of the details.

gtaylor points out,
gtaylor wrote:Don't read too much into https being a strong indicator of privacy. It is not uncommon for organizations to run https proxies which decode and monitor ssl traffic. This is easily done by providing browser/os installs with the proxy's certificates pre-approved. So you'll connect to vanguard.com, but be speaking TLS to the proxy, which speaks TLS to vanguard. The proxy can do various security, regulatory, or nanny things with your traffic.
but that is a special case of if you allow someone else to control your computer they can do horrible things to it. If it was an attacker with access to your computer, they're more likely to own your computer directly rather than set you up with an approved CA so that they can later maybe get you on a rogue wifi access point. I think we have to leave it to the individual to decide whether they trust a computer image provided to them by their work. I generally trust my work computer about as much as I trust my personal computer (I have more control over my personal computer so there isn't an IT department deciding what gets to run on it, but I also have more control over my personal computer so there isn't an IT department telling me not to run things on it).

Also, HTTPS doesn't prevent people (employers, ISPs, whoever manages your wifi hotspot) from identifying what websites you're visiting, it just prevents them from reading the communication between you and the server, it's not a promise of privacy. In any case, if you are doing something you don't want your employer to know about, definitely don't do it on a work computer.

nominalBob
Posts: 107
Joined: Fri Nov 28, 2014 5:30 pm

Re: Internet security: which is the lesser of 2 evils?

Post by nominalBob » Wed Aug 24, 2016 8:03 pm

petiejoe wrote: The man in the middle wouldn't be able to decrypt a properly configured https site. http://security.stackexchange.com/quest ... oxy-server has a reasonably accessible explanation of the details.
Thank you.

Rolyatroba
Posts: 226
Joined: Mon Apr 22, 2013 1:14 pm

Re: Internet security: which is the lesser of 2 evils?

Post by Rolyatroba » Wed Aug 24, 2016 8:37 pm

As a former manager of the helpdesk (and worldwide IT infrastructure) for a Fortune 1000 network security company, I think this thread has gone a little too deep on the tech aspects of this question. With that in mind, and considering what others have said here, I'd recommend the below, in descending order of desirability:

1 - A cell phone app, using mobile data (yes, I didn't think of this in my first post)

2 - A remote control solution (like TeamViewer) to your home PC (you can also DIY this with Windows Remote Desktop or VNC)

3 - A laptop with a VPN (tied with #2 but harder to implement, especially DIY)

4 - A cell phone app, using company WiFi* (only if there isn't a good data signal)

5 - A laptop without a VPN*

* More prone to "man-in-the-middle" attacks, but the web browser does detect this.

Edit: you can also use VPN on a cell phone, if you use company WiFi; I suppose that would be tied with #3.

killjoy2012
Posts: 1094
Joined: Wed Sep 26, 2012 5:30 pm

Re: Internet security: which is the lesser of 2 evils?

Post by killjoy2012 » Wed Aug 24, 2016 9:47 pm

Rolyatroba wrote:If you use a personal laptop, you should use a VPN service.
Kuna_Papa_Wengi wrote:You should use your personal laptop and a VPN service
So, in other words you trust some anonymous, extremely low cost VPN service provider whose product is primarily used by those people looking to do less than honorable things on the Internet...... more than your employer? And you do realize that PIA is not a US company, who uses low cost off shore IT resources, and whose founder is significantly involved with Bitcoin?

nominalBob wrote: What about Man in the Middle
Say, like a $5/month VPN service provider? Ever wonder how they can afford to operate at such a low monthly cost? Hmmm...

gtaylor wrote: Don't read too much into https being a strong indicator of privacy. It is not uncommon for organizations to run https proxies which decode and monitor ssl traffic. This is easily done by providing browser/os installs with the proxy's certificates pre-approved. So you'll connect to vanguard.com, but be speaking TLS to the proxy, which speaks TLS to vanguard. The proxy can do various security, regulatory, or nanny things with your traffic.
+1 We do.

njboater74
Posts: 633
Joined: Mon Apr 25, 2016 8:21 pm

Re: Internet security: which is the lesser of 2 evils?

Post by njboater74 » Wed Aug 24, 2016 9:53 pm

Do you have 2-factor authentication for your password manager? I would think that's the better option. Even if there isn't, the password is encrypted when it's transmitted, so that's less of a concern.

The bigger concern would be a keystroke logger on the hospital network computer. No encryption can protect you there.
When the mob and the press and the whole world tell you to move, your job is to plant yourself like a tree beside the river of truth and tell the whole world - 'No, YOU move'--Captain America, Boglehead

Rolyatroba
Posts: 226
Joined: Mon Apr 22, 2013 1:14 pm

Re: Internet security: which is the lesser of 2 evils?

Post by Rolyatroba » Wed Aug 24, 2016 9:54 pm

killjoy2012 wrote:So, in other words you trust some anonymous, extremely low cost VPN service provider whose product is primarily used by those people looking to do less than honorable things on the Internet...... more than your employer? And you do realize that PIA is not a US company, who uses low cost off shore IT resources, and whose founder is significantly involved with Bitcoin?
No, those are your words actually.

There are trustworthy VPN services, and you can DIY it, as I mentioned.

Northern Flicker
Posts: 5064
Joined: Fri Apr 10, 2015 12:29 am

Re: Internet security: which is the lesser of 2 evils?

Post by Northern Flicker » Wed Aug 24, 2016 10:11 pm

Some employer networks will run their own certificate authority for SSL (eg https connections) which enables them to encrypt and decrypt SSL connections at the corporate firewall. This would mean your password is transmitted unencrypted on the employer network in both directions between your computer and the corporate firewall. If this is in place, it might also violate corporate policy to initiate outbound VPN connections.

No way I would use an essentially public wifi for financial transactions.

Why not just get an air card for your laptop from a cell phone provider, or get antivirus software for a phone or tablet with a data plan? It only takes a few minutes to run a full scan of a phone or tablet before connecting.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Internet security: which is the lesser of 2 evils?

Post by Mudpuppy » Wed Aug 24, 2016 10:20 pm

I personally wouldn't trust a smartphone enough to use it to access financial accounts. Not to get too academic, but there are too many ways for people to bypass the anti-malware scans used by Apple and Google app stores. While the base smartphone and financial app may be fine, that says nothing about all the other apps installed and what they are doing.

I'm just wondering what's so urgent that it can't wait until the OP is home. But if the OP truly can't wait, a laptop is probably fine enough, even over public WiFi without a VPN service. As long as the OP doesn't go clicking through to allow untrusted certificates to be installed on his laptop and the financial website is using a decent TLS configuration and forces encrypted logins, then the laptop is fine against most casual attackers. It won't keep out determined attackers, but then neither would the VPN.

And the advice to use VPNs while using public WiFi comes from the days when website logins were a mix of plaintext (http) and encrypted (https). Anything sent in plaintext over public WiFi can be sniffed by anyone else within radio range. It's the login equivalent of shouting your password to someone across a crowded room, everyone can "hear" it. But I can't think of a single major financial provider that would allow plaintext logins on their websites these days.

But frankly, the safest thing is just to wait until you get home.

TimeRunner
Posts: 1583
Joined: Sat Dec 29, 2012 9:23 pm

Re: Internet security: which is the lesser of 2 evils?

Post by TimeRunner » Wed Aug 24, 2016 10:43 pm

Deleted
Last edited by TimeRunner on Tue Dec 11, 2018 6:27 pm, edited 1 time in total.
One cannot enlighten the unconscious.

Afty
Posts: 1125
Joined: Sun Sep 07, 2014 5:31 pm

Re: Internet security: which is the lesser of 2 evils?

Post by Afty » Wed Aug 24, 2016 11:04 pm

coalcracker wrote: 1. Hospital network computer (not wifi) which would require I enter the financial website password manually by keystroke.

2. Personal laptop on guest wifi (i.e. not password protected). However, I use a password manager which would require I enter the main password for that software, but NOT the password for the financial website.
Choice 2 is by far better and in fact reasonably secure. Financial websites are encrypted such that an eavesdropper cannot read the information passed between you and the website. Choice 1 exposes you to the possibility that either (a) the computer is infected with malware that records keystrokes, or (b) the hospital is recording keystrokes or bypassing encryption in order to spy on/keep tabs on employees.

absolutFinance
Posts: 165
Joined: Fri Jan 03, 2014 3:08 pm

Re: Internet security: which is the lesser of 2 evils?

Post by absolutFinance » Wed Aug 24, 2016 11:34 pm

Look into whether you can make your phone into a hotspot. It's trivial with an iPhone. Most cell plans include some tethered data.

If you make your phone into a secure hotspot and have your laptop join its wifi network, this is probably your most cost effective and secure bet given your situation.

Don't use the work computer - forget about company policies and whether their admins can look at what you're doing, there's also no guarantee that their network hasn't been compromised. Average time to discovery for network compromises is over 250 days.

Don't use public wifi ever. You don't even need to do a man in the middle attack to perform some attacks on network compromising TLS. Feel free to research recent vulnerabilities for more info.

lazydavid
Posts: 2644
Joined: Wed Apr 06, 2016 1:37 pm

Re: Internet security: which is the lesser of 2 evils?

Post by lazydavid » Thu Aug 25, 2016 7:59 am

nominalBob wrote:
petiejoe wrote:... At that point, you're really relying on the security of the https connection between you and your financial institution. I wouldn't consider that the best security posture, but that at least requires an active hacker _and_ a weak point in your bank security.
What about Man in the Middle (https computer to rogue wifi, second https from rogue wifi to financial institution)? People used to worry about that. Did anything change to make this no longer a concern?
Your browser would throw a somewhat scary certificate error instead of loading the page, because it wouldn't trust the issuer of the bad guy's cert. Of course, you can manually bypass this (one click in IE, two in Chrome, I think 4 in Firefox) once it shows up, but presumably someone asking about the security of this connection in the first place would not do so.

Now what the bad guys CAN do is use something like sslstrip to make a secure connection to your bank (for example) on your behalf, and then have you connect to the bad guy using plaintext http. In some cases they'll also set the favicon.ico to look like a lock, in hopes that you'll mistake the connection for being secure. Again, if you're paying attention, you'd notice that the connection is not actually secure. Additionally, if your bank has a flag called HSTS (HTTP Strict Transport Security) enabled and your browser has ever been to that site, it will flatly refuse to ever connect to it using http, which protects you from this type of attack. You can check for this by plugging the address into the "Test your Site/Server" on ssllabs.com
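As an added illustration of the HSTS behaviour lazydavid describes (example code, not from anyone in this thread or from any browser), here is a Go implementation of a browser-style HSTS store: it parses the Strict-Transport-Security header, remembers the host with its expiry and includeSubDomains flag, and rewrites http:// URLs for remembered hosts to https:// before any plaintext request is sent, which is why a stripped connection never gets a chance. The header values and the host vanguard.com are constructed sample input; the store assumes its caller only feeds it headers from responses that arrived over HTTPS.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is a parsed Strict-Transport-Security header value (RFC 6797 section 6.1).
type HSTSPolicy struct {
	MaxAgeSeconds     int64
	IncludeSubDomains bool
}

// ParseHSTS parses e.g. `max-age=31536000; includeSubDomains` (names case-insensitive, max-age mandatory).
func ParseHSTS(value string) (HSTSPolicy, error) {
	p, seenMaxAge := HSTSPolicy{}, false
	for _, d := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			secs, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
			if err != nil || secs < 0 {
				return p, fmt.Errorf("invalid max-age %q", val)
			}
			if secs > 1<<35 { // clamp absurd values so the Duration arithmetic below cannot overflow
				secs = 1 << 35
			}
			p.MaxAgeSeconds, seenMaxAge = secs, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if !seenMaxAge {
		return p, fmt.Errorf("max-age directive missing in %q", value)
	}
	return p, nil
}

type hstsEntry struct {
	expires           time.Time
	includeSubDomains bool
}

// HSTSCache is a minimal browser-style HSTS store keyed by lower-cased hostname.
type HSTSCache struct{ entries map[string]hstsEntry }

func NewHSTSCache() *HSTSCache { return &HSTSCache{entries: map[string]hstsEntry{}} }

// Observe records the header received from host at time now. The caller is assumed to
// call it only for responses that themselves arrived over HTTPS; max-age=0 forgets the host.
func (c *HSTSCache) Observe(host, header string, now time.Time) error {
	p, err := ParseHSTS(header)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if p.MaxAgeSeconds == 0 {
		delete(c.entries, host)
		return nil
	}
	c.entries[host] = hstsEntry{now.Add(time.Duration(p.MaxAgeSeconds) * time.Second), p.IncludeSubDomains}
	return nil
}

// Known reports whether host, or a parent domain recorded with includeSubDomains, has an unexpired entry.
func (c *HSTSCache) Known(host string, now time.Time) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		e, ok := c.entries[strings.Join(labels[i:], ".")]
		if ok && now.Before(e.expires) && (i == 0 || e.includeSubDomains) {
			return true
		}
	}
	return false
}

// Upgrade is the step that defeats stripping: an http:// URL for a known host is rewritten to
// https:// before any plaintext request leaves the machine. It returns the URL to use and whether it changed.
func (c *HSTSCache) Upgrade(rawURL string, now time.Time) (string, bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false, err
	}
	if u.Scheme != "http" || !c.Known(u.Hostname(), now) {
		return rawURL, false, nil
	}
	u.Scheme = "https"
	return u.String(), true, nil
}

func main() {
	c := NewHSTSCache() // constructed sample: the header an earlier HTTPS visit to the site carried
	fmt.Println(c.Observe("vanguard.com", "max-age=31536000; includeSubDomains", time.Now()))
	fmt.Println(c.Upgrade("http://personal.vanguard.com/login", time.Now()))
}
```

The first visit is still the weak spot: a host the browser has never seen over HTTPS has no entry, which is the gap the preload list closes.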

Northern Flicker
Posts: 5064
Joined: Fri Apr 10, 2015 12:29 am

Re: Internet security: which is the lesser of 2 evils?

Post by Northern Flicker » Thu Aug 25, 2016 12:20 pm

Mudpuppy wrote:I personally wouldn't trust a smartphone enough to use it to access financial accounts. Not to get too academic, but there are too many ways for people to bypass the anti-malware scans used by Apple and Google app stores.
Don't install any apps on it other than antivirus software (even install that directly from the AV vendor, which may not be possible with Apple). Update virus database and run a full scan before connecting to financial site (only takes a few minutes). While the platform is less secure than a properly configured Windows, Linux, or OS X laptop, the ability to do a manual full scan in a few minutes on a phone or tablet is one advantage over a laptop. Background scans on laptops are often not completed if the machine isn't up for the entire time window of the scan. Agree a laptop is still preferred, but a properly secured phone or tablet with a data plan is much better than an open wifi. Configuring the phone or tablet as a wifi hotspot to connect to doesn't eliminate the need to secure the phone/tablet.
Afty wrote:Choice 2 is by far better and in fact reasonably secure. Financial websites are encrypted such that an eavesdropper cannot read the information passed between you and the website.
Just having the machine on a public network exposes it to potential attacks from a malicious user of another machine on the same network. The encrypted https session to the financial institution doesn't have to be the point of attack.

An issue specific to a non-password protected wifi is trojan horse networks. E.g. a user sets up a network with the same name just outside the range of the guest network and when the laptop is carried outside the range of the real guest network it autoconnects to the rogue network. Turns out the attacker may not even need to know the name of the guest network because the laptop may regularly ping "guest network, are you there?" when it is out of range, and the trojan horse wifi can respond.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Internet security: which is the lesser of 2 evils?

Post by Mudpuppy » Thu Aug 25, 2016 12:34 pm

jalbert wrote:
I personally wouldn't trust a smartphone enough to use it to access financial accounts. Not to get too academic, but there are too many ways for people to bypass the anti-malware scans used by Apple and Google app stores.
Don't install any apps on it other than antivirus software (even install that directly from the AV vendor, which may not be possible with Apple). Update virus database and run a full scan before connecting to financial site (only takes a few minutes).
I somehow doubt the OP is going to buy a second smartphone (and pay the costs to add it to his/her plan) just to have a base phone with nothing but AV and financial website apps installed.

Northern Flicker
Posts: 5064
Joined: Fri Apr 10, 2015 12:29 am

Re: Internet security: which is the lesser of 2 evils?

Post by Northern Flicker » Thu Aug 25, 2016 1:24 pm

You don't need a 2nd phone, just don't install apps on the 1st phone.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Internet security: which is the lesser of 2 evils?

Post by Mudpuppy » Thu Aug 25, 2016 1:34 pm

jalbert wrote:You don't need a 2nd phone, just don't install apps on the 1st phone.
That is a highly unrealistic expectation for the average smartphone user.

furnace
Posts: 331
Joined: Tue Oct 20, 2015 3:38 pm

Re: Internet security: which is the lesser of 2 evils?

Post by furnace » Thu Aug 25, 2016 1:39 pm

They make these tiny Windows 10 tablets that act just like laptops. Connect to your phone hotspot, and start day trading at work :sharebeer

inbox788
Posts: 6697
Joined: Thu Mar 15, 2012 5:24 pm

Re: Internet security: which is the lesser of 2 evils?

Post by inbox788 » Thu Aug 25, 2016 2:46 pm

coalcracker wrote:1. Hospital network computer (not wifi) which would require I enter the financial website password manually by keystroke.

2. Personal laptop on guest wifi (i.e. not password protected). However, I use a password manager which would require I enter the main password for that software, but NOT the password for the financial website.
Between the 2, I'd stick with the physically networked computer. The computer you're using may be compromised, but hopefully the hospital IT has some defense against that. Also, a physical network is a bit more difficult to attack because the attacker has to physically tap into the network. Guest wifi is just too open for anyone nearby to try access.
Rolyatroba wrote:I think this thread has gone a little too deep on the tech aspects of this question.
Yes. What type of financial activity are you talking about? I would never access brokerages or retirement accounts on an insecure public network. However, I have a checking account I use for bill payments and a credit card account that I use that have different usernames and passwords that I frequently access everywhere. I think the risk is still small, and the liability fairly limited.

Northern Flicker
Posts: 5064
Joined: Fri Apr 10, 2015 12:29 am

Re: Internet security: which is the lesser of 2 evils?

Post by Northern Flicker » Thu Aug 25, 2016 3:05 pm

Mudpuppy wrote:
jalbert wrote:You don't need a 2nd phone, just don't install apps on the 1st phone.
That is a highly unrealistic expectation for the average smartphone user.
Most websites support mobile browsers well, and if you need a few apps, and have antivirus software, you can scan them yourself. Email on an unsecured phone is probably as big of a problem anyway.

Katietsu
Posts: 2736
Joined: Sun Sep 22, 2013 1:48 am

Re: Internet security: which is the lesser of 2 evils?

Post by Katietsu » Thu Aug 25, 2016 3:51 pm

I agree that one should choose the safest method possible that does not impose unreasonable restrictions. I know we all have our own opinion of unreasonable restrictions.

My question, however, is this: What is the consequence if the unlikely outcome occurs and someone does acquire your password? It is my understanding that the FDIC insurance that protects you against a bank closing also protects you against unauthorized computer withdrawals. A hassle certainly but not a net loss. And if you are still working and dealing with a retirement account, it is impossible to get money out without numerous forms and signatures. I thought most brokerages also guaranteed against losses due to cyber security issues.

Is relying on these protections valid? Again, I do not plan to log in to a bank account from a hotel business center computer. But I do not plan on giving up the convenience of using my banking app on LTE without a solid risk.

snert31
Posts: 6
Joined: Wed Jun 11, 2014 8:07 am

Re: Internet security: which is the lesser of 2 evils?

Post by snert31 » Thu Aug 25, 2016 4:51 pm

As an IT security professional, I would be comfortable using a personal laptop with VPN over the hospital wireless guest network, if you have two-factor authentication configured for your financial account. Hospitals are typically subject to compliance frameworks such as HIPAA & SOX, so odds are good they have many security products installed with high levels of logging configured.

As other posters have pointed out, a common security device is an SSL proxy, which in the case of the hospital owned computer will not necessarily generate a browser alert when they are decrypting your bank login information for inspection prior to passing the traffic over the internet. Scenario 1 is the worst, because the hospital controls both the computer and the network, and others have access to the computer as well. If you have accessed a financial account in this scenario, I recommend you change your password as soon as possible, because odds are high it's in the hospital security logs, and could fall into the wrong hands at any time.

Your second scenario, while safer, is still inadequate in my opinion. The hospital again controls the wireless network, with the potential for SSL proxy and logging. And since it's a guest network, it's shared with others who could act maliciously against your connection. Adding a VPN connection on the laptop and two-factor authentication at the financial institution both reduce risk in this scenario. They protect against malicious activity at the network level, and two-factor auth minimizes risk from a malicious or compromised VPN provider.

I don't use phones for financial transactions. As others have mentioned, too many cases of malware making it into the app stores, and few people run any security software on their phone. Most would never know if their phone was compromised.

killjoy2012
Posts: 1094
Joined: Wed Sep 26, 2012 5:30 pm

Re: Internet security: which is the lesser of 2 evils?

Post by killjoy2012 » Thu Aug 25, 2016 6:02 pm

This thread is going to keep spiraling. There is no perfect answer. All have risk.

Why do you trust a VPN provider more than your own company's network?
Why do you trust your home ISP?
Why do you trust your home ISP more than your company's ISP and their IT department? Especially if using a personal device.
Why in the world would you trust remote control tools like Teamviewer? I certainly wouldn't. They've already had a breach this year, though they deny it. Their solution also acts as a man in the middle, which means they can remotely control your PC w/o your knowledge, even though they claim they wouldn't.


OP: If you don't trust your company, or if the PC you'd use for Option 1 is a shared device, then Option 2 is better than Option 1. Most companies with the $ and appetite to perform SSL interception & DLP are also smart enough legally to know what to avoid monitoring/capturing. But you never know. I'd favor a personally owned device using their guest wireless or cellular hot spot + 2FA on the bank account, but that isn't always practical on a daily basis, and I'd have no concerns with, say, putting my 401k orders into Fidelity.com before the 4pm EST cutoff using my dedicated work PC and work's Internet proxy.

snert31
Posts: 6
Joined: Wed Jun 11, 2014 8:07 am

Re: Internet security: which is the lesser of 2 evils?

Post by snert31 » Fri Aug 26, 2016 9:21 am

killjoy2012 wrote:This thread is going to keep spiraling. There is no perfect answer. All have risk.

Why do you trust a VPN provider more than your own company's network?
Why do you trust your home ISP?
Why do you trust your home ISP more than your company's ISP and their IT department? Especially if using a personal device.
Why in the world would you trust remote control tools like Teamviewer? I certainly wouldn't. They've already had a breach this year, though they deny it. Their solution also acts as a man in the middle, which means they can remotely control your PC w/o your knowledge, even though they claim they wouldn't.

OP: If you don't trust your company, or if the PC you'd use for Option 1 is a shared device, then Option 2 is better than Option 1. Most companies with the $ and appetite to perform SSL interception & DLP are also smart enough legally to know what to avoid monitoring/capturing. But you never know. I'd favor a personally owned device using their guest wireless or cellular hot spot + 2FA on the bank account, but that isn't always practical on a daily basis, and I'd have no concerns with, say, putting my 401k orders into Fidelity.com before the 4pm EST cutoff using my dedicated work PC and work's Internet proxy.

This is a mis-characterization of the problem: it's not about trust, it's about ability. Your company, their ISP, your ISP, etc. can't protect your data because most of them can't protect themselves. Let's be clear: the hackers are winning the battle at this point in time. They're better monetized, more narrowly focused, and face minimal prosecution. All organizations get hacked.

The defenders are considered an overhead cost and most organizations hire barely enough to cover requirements due to the expense and difficulty finding qualified candidates. These few defenders are responsible for a broad expanse of IT that in many (probably most) cases is poorly configured and essentially indefensible in certain areas. And access to one area inevitably leads to access in other areas, because everything is connected.

Further, while most companies do allow limited personal use of their computing resources in their acceptable use policies, most won't even try to protect your personal data if you choose to use them for that purpose. In fact, most fully divest themselves of that responsibility by having their legal teams craft acceptable use policies that expressly state the employees have no expectation of privacy when using corporate resources, and that all usage will be monitored. No reasonably priced commercial technology exists that will parse out "things that shouldn't be monitored", so an already overburdened IT security defender would have to be designated to do that manually and continually. It simply doesn't happen.

The best defense currently available is to leverage data encryption to make it harder to get usable access to your data, and try to ensure no one entity has enough of your data to be a single point of compromise. In my example above, disparate organizations would have to collaborate to compromise your financial data. That's the best protection you can achieve today.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Internet security: which is the lesser of 2 evils?

Post by Epsilon Delta » Fri Aug 26, 2016 10:33 am

In the context of personal use I cannot understand this concept of "trusted network".

Is a wired hospital network, which can only be accessed by a thousand employees and anybody who happens to be in a room with a jack, that much more secure than the hospital's public wi-fi, which can be accessed by pretty much everybody?

Similarly the advice to use a VPN. If it is theoretically possible to secure the connection to the VPN over any network, it is theoretically possible to secure a connection directly to the financial web site over the same network.

The only sane way to address this is to secure the end-points (your PC and the Financial Institution's computer) and use security protocols so you don't care if all and sundry have access to the encrypted traffic.
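
Two points in this thread can be shown in code: snert31's warning that an SSL proxy re-signs the bank's certificate so the client sees a corporate CA as issuer, and the point just above that the defence is to harden the end-point's own TLS handling so the network in between does not matter. The following is an added example, not code from any poster. It assumes the user has noted the bank's real certificate issuer organisation from a trusted network beforehand (the `EXPECTED_ISSUER_ORG` value is a constructed placeholder), and the two sample certificate dicts are constructed to mimic the shape `SSLSocket.getpeercert()` returns; they are not real certificates.

```python
"""Strict TLS client context plus an issuer check that flags interception.

Added example for this thread, not code from the forum or any poster.
Assumption: the bank's genuine certificate issuer organisation was
recorded earlier over a trusted connection and pinned here; a leaf
certificate chaining to any other issuer (for instance a corporate
"SSL inspection" CA that the employer installed in the OS trust store)
is reported as unexpected.
"""
import socket
import ssl
from typing import Optional

# Hypothetical pinned value; replace with the issuer observed from a trusted network.
EXPECTED_ISSUER_ORG = "Example Public CA Ltd"


def make_strict_context() -> ssl.SSLContext:
    """End-point hardening: OS trust store, certificate required, hostname
    check on, and nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter, for logging or tests."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def issuer_field(cert: dict, field: str) -> Optional[str]:
    """Pull one attribute out of the issuer RDN sequence of a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify_certificate(cert: dict, expected_issuer_org: str) -> str:
    """Label the presented leaf certificate relative to the pinned issuer."""
    org = issuer_field(cert, "organizationName")
    if org is None:
        return "unknown-issuer"
    if org == expected_issuer_org:
        return "expected-issuer"
    # Chain validated against the OS store but was signed by someone else:
    # the usual signature of a TLS inspection proxy with its CA pre-installed.
    return "unexpected-issuer"


def fetch_and_classify(host: str, port: int = 443,
                       expected_issuer_org: str = EXPECTED_ISSUER_ORG,
                       timeout: float = 5.0) -> str:
    """Live check (needs network): connect with the strict context, then
    classify the certificate the far end actually presented."""
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify_certificate(tls.getpeercert(), expected_issuer_org)


# Constructed samples in getpeercert() layout: a tuple of RDNs, each a tuple
# of (attribute, value) pairs. Not real certificates.
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA R3"),),
    ),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("organizationName", "Example Hospital IT"),),
        (("commonName", "Example Hospital SSL Inspection CA"),),
    ),
}

if __name__ == "__main__":
    print(context_summary(make_strict_context()))
    print("public CA sample:   ", classify_certificate(SAMPLE_PUBLIC, EXPECTED_ISSUER_ORG))
    print("inspection CA sample:", classify_certificate(SAMPLE_INTERCEPTED, EXPECTED_ISSUER_ORG))
```

The strict context is what makes the network irrelevant: with verification and hostname checking on, an attacker on the guest wi-fi cannot present a forged certificate. What it cannot catch is a proxy whose CA was legitimately installed in the machine's trust store, which is exactly the hospital-owned-PC case; that is why the issuer comparison is layered on top. Pinning an issuer organisation is brittle (public CAs rotate intermediates), so treat an "unexpected-issuer" result as a prompt to look at the certificate, not as proof of interception.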

dizzle
Posts: 26
Joined: Mon Jun 15, 2015 12:52 am

Re: Internet security: which is the lesser of 2 evils?

Post by dizzle » Sun Aug 28, 2016 9:10 pm

Some suggestions inline below:
coalcracker wrote: On occasion it is much more convenient or even necessary for me to perform financial transactions while I am at work, during business hours. For you IT experts, which of these options would you consider less risky when entering a password for a financial website?

1. Hospital network computer (not wifi) which would require I enter the financial website password manually by keystroke.
D: Assuming this is a workstation you work on every day and is not shared. Say like the ones found in a hospital bedside room. Then this option is pretty safe. Hospital networks are subject to some of the most strict compliance regulations out there. Even more than most financial companies. They are going to have several layers of security in place. Ranging from the local PC itself. All the way through the entire network. Yes IT can technically read anything that passes the network. However in many cases they don't have the time or need to see that Jim is making a login to his bank. They are more worried about the fact he might be streaming YouTube for 4x hours a day. Or that his PC is making suspicious connections to a network in Russia. If you follow strong password policies you will be OK. Yes there is always a risk but most of the time the user is the easiest target.

2. Personal laptop on guest wifi (i.e. not password protected). However, I use a password manager which would require I enter the main password for that software, but NOT the password for the financial website.
D: Can be super insecure, WiFi is some of the easiest technology to target and attack. Plenty of ways to trick a user into visiting a malicious network. Then sniff out and intercept traffic and send you to your bank page without most people even knowing. Many times you can be tricked into clicking a link that will just sit on your PC and wait...and wait..till it's time to phone home and start to target your data. This is why most companies do not allow personal devices on a corporate network without some strict policies to ensure they are "clean". Nothing is ever foolproof in IT security, except unplugging the PC!

IT can sometimes be seen as evil. At the end of the day we have a job to keep everyone safe :)


I know neither way is ideal, but I'm going to keep doing it anyway :wink:

Thanks,
cc

Angelus359
Posts: 845
Joined: Tue Mar 04, 2014 12:56 am

Re: Internet security: which is the lesser of 2 evils?

Post by Angelus359 » Mon Aug 29, 2016 9:20 am

So long as the page is fully encrypted over https, wifi is no less safe than the public internet.
IT-DevOps System Administrator
