Public Library computers
- Mr. Potter
- Posts: 1048
- Joined: Wed Mar 18, 2015 7:50 pm
- Location: Undisclosed Lake, MN
Public Library computers
I have deep concerns about accessing my accounts at say a coffee shop with free wireless WiFi but what about a public library with hard wired data? Anyone had issues?
Last edited by Mr. Potter on Thu Jan 31, 2019 1:14 pm, edited 1 time in total.
Re: Public Library computers
I'd be willing to bet the internet security at Starbucks is better than at your public library.
- Mr. Potter
- Posts: 1048
- Joined: Wed Mar 18, 2015 7:50 pm
- Location: Undisclosed Lake, MN
Re: Public Library computers
I thought wireless was easier to hack
Re: Public Library computers
There are vulnerabilities in both scenarios, I wouldn't recommend doing either. But keep in mind that any online account access you do with Vanguard, Fidelity, BoA, whatever, will itself be encrypted. Even if somebody hacked the wifi and captured all of the data sent through it, or you did all of that over open, unencrypted wifi (like at Starbucks), they'd still only see your encrypted transmissions. They'd have to also crack your browser's encryption. Not absolutely impossible, but a lot harder than just cracking the wifi.
In the other scenario (library), if that computer has been infected with malware (like a keylogger that captures your password), you're far more vulnerable.
In the other scenario (library), if that computer has been infected with malware (like a keylogger that captures your password), you're far more vulnerable.
Last edited by 02nz on Thu Jan 31, 2019 1:23 pm, edited 2 times in total.
Re: Public Library computers
I never access my accounts anywhere but a dedicated laptop at home. In my view, accessing accounts away from home is asking for trouble.
Re: Public Library computers
The risk is low in either case, but you are more vulnerable using a library computer than using a coffee shop WiFi. In the former case, you are actually typing your password into a device that you do not own; you have to trust that security at the library is very good and that the keyboard is actually just a keyboard.
Is the 'avoid coffee shop WiFi' even still relevant advice? Websites now encrypt the entire site, rather than just the login page, browsers are pretty robust against attack, and Windows is doing a better job of not being vulnerable to machines on the same network.
- RickBoglehead
- Posts: 7877
- Joined: Wed Feb 14, 2018 8:10 am
- Location: In a house
Re: Public Library computers
I would never use a public computer to access anything related to my finances.
When I use public WiFi, I use a VPN, which my university provides free to alumni, students, and faculty.
When I use public WiFi, I use a VPN, which my university provides free to alumni, students, and faculty.
Avid user of forums on variety of interests-financial, home brewing, F-150, EV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.
Re: Public Library computers
I only use my desktop connected to my router with a wire. I would never use a public device or a mobile device.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Re: Public Library computers
The threat with open WiFi is primarily still man-in-middle attacks from what I understand - you might think you are connecting to "Starbucks" but you missed the fact that it was spelled "Starbuucks" which is a wifi I set up while I'm in your coffee shop. So now you are on my wifi and I have a server that let's most traffic through but mimics popular banks and brokerages if you go to one of them. My server is set up to look just like your banks login page (I will set up one for Chase, Bank-of-America, etc. along with Schwab, Vanguard, Fidelity- all the big ones). Even on the coffee shops own wifi I might be able to get into the path other ways and do this {change the DNS records on the local network provider's DNS server, IP Spoof, etc). As you try to log into your account you are actually logging in with me so I can capture you login info. I will just error out (while collecting your login info) - you think the site is just having issues - I will then go access your account before you realize it.Iridium wrote: ↑Thu Jan 31, 2019 1:49 pmThe risk is low in either case, but you are more vulnerable using a library computer than using a coffee shop WiFi. In the former case, you are actually typing your password into a device that you do not own; you have to trust that security at the library is very good and that the keyboard is actually just a keyboard.
Is the 'avoid coffee shop WiFi' even still relevant advice? Websites now encrypt the entire site, rather than just the login page, browsers are pretty robust against attack, and Windows is doing a better job of not being vulnerable to machines on the same network.
Perhaps less of a threat these days as there are now many other protections in place (if you set up 2FA, alerts, etc.) - but still there.
I agree the library computer is even worse - who knows what's running on that machine.
- Will do good
- Posts: 1138
- Joined: Fri Feb 24, 2012 7:23 pm
Re: Public Library computers
Hackers can hide keystroke logs in public computers, anything you type will be available to them such as your logins and passwords. Only thing that could save you is maybe 2FA, so please be careful.
- Mr. Potter
- Posts: 1048
- Joined: Wed Mar 18, 2015 7:50 pm
- Location: Undisclosed Lake, MN
Re: Public Library computers
Got it, best to only access accounts from home on my IP address on my computer. Thanks
Re: Public Library computers
Thank you for the reply. I agree that there are a great variety of ways for an attacker to redirect your traffic (even outside of wifi, ARP poisoning would very likely work if an attacker was able to connect to the same network as you). However, if an attacker setup a page that looks like a bank login they still will not be able to obtain a valid certificate for it, so my browser won't display the padlock, and, increasingly, will just error out and refuse to display the page at all (due to HSTS).GoldStar wrote: ↑Thu Jan 31, 2019 2:08 pm The threat with open WiFi is primarily still man-in-middle attacks from what I understand - you might think you are connecting to "Starbucks" but you missed the fact that it was spelled "Starbuucks" which is a wifi I set up while I'm in your coffee shop. So now you are on my wifi and I have a server that let's most traffic through but mimics popular banks and brokerages if you go to one of them. My server is set up to look just like your banks login page (I will set up one for Chase, Bank-of-America, etc. along with Schwab, Vanguard, Fidelity- all the big ones). Even on the coffee shops own wifi I might be able to get into the path other ways and do this {change the DNS records on the local network provider's DNS server, IP Spoof, etc). As you try to log into your account you are actually logging in with me so I can capture you login info. I will just error out (while collecting your login info) - you think the site is just having issues - I will then go access your account before you realize it.
Re: Public Library computers
It's relevant advice in that there is minor incremental risk, but you are correct that the risk is extremely small. I don't bother avoiding coffee shop wifi or anything like that. Browsers have gotten pretty good at warning users of man-in-the-middle situations. I would think the library computer would be exponentially more dangerous because you can't be sure there aren't keyloggers installed.Iridium wrote: ↑Thu Jan 31, 2019 1:49 pmThe risk is low in either case, but you are more vulnerable using a library computer than using a coffee shop WiFi. In the former case, you are actually typing your password into a device that you do not own; you have to trust that security at the library is very good and that the keyboard is actually just a keyboard.
Is the 'avoid coffee shop WiFi' even still relevant advice? Websites now encrypt the entire site, rather than just the login page, browsers are pretty robust against attack, and Windows is doing a better job of not being vulnerable to machines on the same network.
Last edited by KyleAAA on Thu Jan 31, 2019 3:11 pm, edited 2 times in total.
Re: Public Library computers
The Vanguard and Fidelity apps are both good.
I'd just use my phone.
I'd just use my phone.
Re: Public Library computers
Provided you don't have a dated browser or don't simply hit "Advanced" in your browser and have it ignore the error or simply don't notice you got redirected to some other domain name.Iridium wrote: ↑Thu Jan 31, 2019 3:02 pmThank you for the reply. I agree that there are a great variety of ways for an attacker to redirect your traffic (even outside of wifi, ARP poisoning would very likely work if an attacker was able to connect to the same network as you). However, if an attacker setup a page that looks like a bank login they still will not be able to obtain a valid certificate for it, so my browser won't display the padlock, and, increasingly, will just error out and refuse to display the page at all (due to HSTS).GoldStar wrote: ↑Thu Jan 31, 2019 2:08 pm The threat with open WiFi is primarily still man-in-middle attacks from what I understand - you might think you are connecting to "Starbucks" but you missed the fact that it was spelled "Starbuucks" which is a wifi I set up while I'm in your coffee shop. So now you are on my wifi and I have a server that let's most traffic through but mimics popular banks and brokerages if you go to one of them. My server is set up to look just like your banks login page (I will set up one for Chase, Bank-of-America, etc. along with Schwab, Vanguard, Fidelity- all the big ones). Even on the coffee shops own wifi I might be able to get into the path other ways and do this {change the DNS records on the local network provider's DNS server, IP Spoof, etc). As you try to log into your account you are actually logging in with me so I can capture you login info. I will just error out (while collecting your login info) - you think the site is just having issues - I will then go access your account before you realize it.
-
- Posts: 8626
- Joined: Wed Apr 08, 2015 11:31 am
- Location: West coast of Florida, near Champa Bay !
Re: Public Library computers
The computers in my local library aren't under the watchful eye of library staff. They are arranged back to back in a horizontal line running in front of the check-in/out counter. So, from the counter one only sees the backs of users, though they can see the heads of people on the back row of the bank of computers.
But, library staff can't see the users hands or screens for those closest to the counter, as they are blocked by the back of the individual. And, though the staff can see the heads of the users in the back row, their screens and hands are also shielded.
They used to have you sign-in when you needed to use one, but that was more of a traffic issue, as there were more people wanting to use the computers than the number of computers available. The sign-in list just controlled who got the next computer that became available.
I would use one of their computers if I were researching something, and wanted to seek out reference books and such. I would never take my laptop/Chromebook into the library for any reason, as it might develop legs and walk away whilst I was looking for stuff in the stacks. Also, I would be afraid of having something slipped into my PC, or picking up a virus.
And, I would never, never, never access any financial account, email account, or any of the accounts I have that require a log-on. Nope! Nope! Nope!
Nor would I do so at any place outside my home, for that matter. Nope! Nope! Nope!
I do read the Boglehead forum outside my home sometimes, like when a game is boring (and believe you me, my alma mater's football team played some yawners this past season), but I don't sign in or post on the forum.
Never had any issues, but I try to practice safe surfing at all times.
Broken Man 1999
But, library staff can't see the users hands or screens for those closest to the counter, as they are blocked by the back of the individual. And, though the staff can see the heads of the users in the back row, their screens and hands are also shielded.
They used to have you sign-in when you needed to use one, but that was more of a traffic issue, as there were more people wanting to use the computers than the number of computers available. The sign-in list just controlled who got the next computer that became available.
I would use one of their computers if I were researching something, and wanted to seek out reference books and such. I would never take my laptop/Chromebook into the library for any reason, as it might develop legs and walk away whilst I was looking for stuff in the stacks. Also, I would be afraid of having something slipped into my PC, or picking up a virus.
And, I would never, never, never access any financial account, email account, or any of the accounts I have that require a log-on. Nope! Nope! Nope!
Nor would I do so at any place outside my home, for that matter. Nope! Nope! Nope!
I do read the Boglehead forum outside my home sometimes, like when a game is boring (and believe you me, my alma mater's football team played some yawners this past season), but I don't sign in or post on the forum.
Never had any issues, but I try to practice safe surfing at all times.
Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
- quantAndHold
- Posts: 10141
- Joined: Thu Sep 17, 2015 10:39 pm
- Location: West Coast
Re: Public Library computers
The Starbucks wifi is generally fine. Banking websites encrypt the data going back and forth. A bad guy might be able to see that you're going to Vanguard's website, but they can't see what you're actually doing or what your password is.
The library computer, though. Ewwww. Any computer that a stranger has physical access to...no. There is much a bad guy can do if they can touch the computer. I use the library computer for historical research or other projects that have to be done at the library. But never financial stuff, or email, or anything that I wouldn't want to be public.
The library computer, though. Ewwww. Any computer that a stranger has physical access to...no. There is much a bad guy can do if they can touch the computer. I use the library computer for historical research or other projects that have to be done at the library. But never financial stuff, or email, or anything that I wouldn't want to be public.
Re: Public Library computers
It has been my understanding that connecting to ones own mobile hot spot is considered a relatively secure connection. Is this not the case?
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Public Library computers
Yes. Just make sure your router uses encryption, especially the current standard, which is called WPA2. Every router sold in last five years at least includes this standard.
Re: Public Library computers
I would never use a library computer for financial stuff. Heck I would not even access my email or social media from it. All I would do are google searches or browze the net.
-
- Posts: 3181
- Joined: Mon Feb 26, 2007 4:33 pm
Re: Public Library computers
I do not even use my own Wifi, neighbors or someone from the street could use it, but turn Wifi communication off at my PC and only use Ethernet hardwired for financial communications.
Re: Public Library computers
This is my MO when I am traveling and need to access a financial account, which I only do rarely. (Please, no one tell me that I am deluding myself.)
Re: Public Library computers
When I am on public wifi and need to access one of my accounts, I turn the wifi OFF and ensure my PAID VPN is ON.
Nord is one of the better rated VPNs at a reasonable price. $100 for 3 years I believe. I try to keep it on at all times.
Nord is one of the better rated VPNs at a reasonable price. $100 for 3 years I believe. I try to keep it on at all times.
Light weight baby!
- teen persuasion
- Posts: 2327
- Joined: Sun Oct 25, 2015 1:43 pm
Re: Public Library computers
We have installed Deep Freeze on the public computers in my library. We scanned them all for viruses and malware before freezing them. Every time they are rebooted, they return to that state (anything downloaded in the interim is wiped). So at least once per day they are rebooted. If a patron wanted to be assured that a past user had not installed something, they could simply reboot before using the computer. They can also reboot after they are done, to remove traces of their history.
This software means that I need to thaw each computer and manually update them while in the thawed state, or all updates would be wiped the next time they are rebooted. So I am regularly checking each computer to see what updates are available: thaw and reboot, search again for updates (because they were wiped on reboot), install updates, reboot, freeze, reboot. It gets tedious, but it's necessary.
This software means that I need to thaw each computer and manually update them while in the thawed state, or all updates would be wiped the next time they are rebooted. So I am regularly checking each computer to see what updates are available: thaw and reboot, search again for updates (because they were wiped on reboot), install updates, reboot, freeze, reboot. It gets tedious, but it's necessary.
- Earl Lemongrab
- Posts: 7270
- Joined: Tue Jun 10, 2014 1:14 am
Re: Public Library computers
How would someone else use your home WiFi? You aren't running it open are you?likegarden wrote: ↑Thu Jan 31, 2019 6:44 pm I do not even use my own Wifi, neighbors or someone from the street could use it, but turn Wifi communication off at my PC and only use Ethernet hardwired for financial communications.
-
- Posts: 3181
- Joined: Mon Feb 26, 2007 4:33 pm
Re: Public Library computers
I read that crooks have figured out how to read Wifi passwords. We noticed that our Wifi is strong enough 2 houses away to be used by others. So I want to keep my financials very safe by using Ethernet only.
Re: Public Library computers
I believe that is not exactly correct. There was a scientific paper describing how the password could be intercepted during the handshake when a computer associates with a router. I have never read an article stating that this method has been used in real life. In addition, many router manufacturers have updated their firmware to eliminate this problem, as have computer and handset manufacturers.likegarden wrote: ↑Sun Feb 10, 2019 6:10 pm I read that crooks have figured out how to read Wifi passwords. We noticed that our Wifi is strong enough 2 houses away to be used by others. So I want to keep my financials very safe by using Ethernet only.
In any case, the https encryption used by all financial institutions is still secure and would protect your username/password, etc.
-
- Posts: 936
- Joined: Tue Jan 17, 2017 7:46 pm
Re: Public Library computers
Good for you! In the old days, when home Internet was unusual, there were "Internet Cafes", particularly not in the U.S., and most I went to rebooted to a known (presumably safe) state after each use. However, I have gone to public libraries all over the U.S. and I've never seen a library computer set up to reboot to a safe state. I'm not sure I would trust a public library computer with my financial password regardless of Deep Freeze, though, since I don't have any way of knowing how versed the staff is in computer security.teen persuasion wrote: ↑Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library.
Re: Public Library computers
I really am not concerned about hackers or keystroke loggers if I were to access Vanguard at a public library.
I would be far more concerned about people looking over my shoulder to see my net worth and my individual investments. Since the library is a public space, anybody is free to shoulder surf at will. Wouldn't want that to happen.
I would be far more concerned about people looking over my shoulder to see my net worth and my individual investments. Since the library is a public space, anybody is free to shoulder surf at will. Wouldn't want that to happen.
-
- Posts: 13977
- Joined: Fri Mar 02, 2007 1:39 pm
Re: Public Library computers
If you have to access financial sites away from home either use cellular data from your mobile device or WiFi via a VPN. I would never use a third party device anywhere.
- quantAndHold
- Posts: 10141
- Joined: Thu Sep 17, 2015 10:39 pm
- Location: West Coast
Re: Public Library computers
It doesn’t take much for someone to plug a key logger into a USB port on the back of the machine, then come by later to pick it up. No amount of freezing and rebooting is going to help if a bad guy has physical access to the computer.michaelingp wrote: ↑Sun Feb 10, 2019 8:02 pmGood for you! In the old days, when home Internet was unusual, there were "Internet Cafes", particularly not in the U.S., and most I went to rebooted to a known (presumably safe) state after each use. However, I have gone to public libraries all over the U.S. and I've never seen a library computer set up to reboot to a safe state. I'm not sure I would trust a public library computer with my financial password regardless of Deep Freeze, though, since I don't have any way of knowing how versed the staff is in computer security.teen persuasion wrote: ↑Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library.
- librarianaire
- Posts: 35
- Joined: Mon Dec 04, 2017 4:15 pm
- Location: New Jersey
Re: Public Library computers
As a librarian, I recommend making an appointment to speak to the person who maintains the computers. Library workers take pride in their work and they’re generally happy to answer questions, especially if you make an appointment and direct your questions to someone who is trained to answer them.
If the person who maintains the computers provides good answers and inspire sufficient confidence, use the computers. If not, no one will mind if you prefer to access your information in other ways.
If the person who maintains the computers provides good answers and inspire sufficient confidence, use the computers. If not, no one will mind if you prefer to access your information in other ways.
“Our own experience provides the basic material for our imagination, whose range is therefore limited.” Thomas Nagel, What is it like to be a bat?
-
- Posts: 516
- Joined: Thu Jun 15, 2017 2:03 am
Re: Public Library computers
Biggest risk is the germs on that keyboard and mouse. Really.
-
- Posts: 6561
- Joined: Tue Jul 26, 2011 1:35 pm
Re: Public Library computers
Keyloggers are the biggest concern, so the library would be less secure.
I assume anything with a login is using SSL encryption ( https:// ) so presumably the traffic on the
wifi is encrypted both by your browser before being broadcast on the wifi.
That said, I only use my home wifi with its own WPA2 password for any financial transactions.
I use MultiFactor authentication for many sites, not yet all, but am leaning that way.
I assume anything with a login is using SSL encryption ( https:// ) so presumably the traffic on the
wifi is encrypted both by your browser before being broadcast on the wifi.
That said, I only use my home wifi with its own WPA2 password for any financial transactions.
I use MultiFactor authentication for many sites, not yet all, but am leaning that way.
Re: Public Library computers
I wouldn’t ever access my private accounts from a public computer (library) or a public network (Starbucks). Heck, I don’t even access them at work where computer security is taken very serious (feds).
If a computer network is using a hub instead of a switch, you can still capture network data just like WiFi. I have experimented with this in my free time at home.
If a computer network is using a hub instead of a switch, you can still capture network data just like WiFi. I have experimented with this in my free time at home.
- teen persuasion
- Posts: 2327
- Joined: Sun Oct 25, 2015 1:43 pm
Re: Public Library computers
True, users should always be cautious when using public computers, and seek the safest access they can find. Some have little choice or options. We are trying to keep things as safe as possible.michaelingp wrote: ↑Sun Feb 10, 2019 8:02 pmGood for you! In the old days, when home Internet was unusual, there were "Internet Cafes", particularly not in the U.S., and most I went to rebooted to a known (presumably safe) state after each use. However, I have gone to public libraries all over the U.S. and I've never seen a library computer set up to reboot to a safe state. I'm not sure I would trust a public library computer with my financial password regardless of Deep Freeze, though, since I don't have any way of knowing how versed the staff is in computer security.teen persuasion wrote: ↑Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library.
We opted to install Deep Freeze to limit the issues with viruses/malware being introduced to the public computers. Library computer users tend to be less sophisticated in their browsing safety, so I spend less time cleaning up after curious patrons find virus attack pop ups. Reboot, things are back to baseline, and we have a little chat about safer browsing and where they were attempting to go. Not judgemental, just trying to help them find the info they were after safely, and to see where they were getting into trouble. They learn (hopefully) how to avoid scammy sites and not to click on misdirection buttons. I learn what our patrons use the library computers for, and where they need assistance, and what pitfalls are out there for the less tech savvy.
And for another poster pointing out biological viruses as a threat - yeah, I wipe down the keyboard and mouse of every computer in the building weekly, including the OPAC, as part of my update schedule.
Re: Public Library computers
I would never use a computer I didn’t completely control for any transaction where I was logging in to an account that had access to my personal information. It’s not an issue with the network, it’s an issue with the unknown software running on the machine that I don’t have time to mess with.
The easy answer to all of this is to use a VPN any time you are on a network you don’t control on a computer that you completely control (own and manage).
There are always opportunities for data to be stolen, even on a VPN you only encrypt the traffic to the VPN server and then it goes off to the ether. At home you are trusting the data until it hits your service providers server, at which point it also goes off into the ether.
Get VPN service from a reputable provider and call it good.
If you are worried about getting your personal computer hacked while on an uncontrolled network, there are lightweight boot-to-browser distros like JustBrowsing. Load a memory stick, boot from the stick (requires you know how to get in bios and change booting preference, easy) and go about your web-based work in Firefox. This could be an option for library computers as well assuming the bios is not password protected and you can change the boot order. Then there is no concern about unknown software.
The easy answer to all of this is to use a VPN any time you are on a network you don’t control on a computer that you completely control (own and manage).
There are always opportunities for data to be stolen, even on a VPN you only encrypt the traffic to the VPN server and then it goes off to the ether. At home you are trusting the data until it hits your service providers server, at which point it also goes off into the ether.
Get VPN service from a reputable provider and call it good.
If you are worried about getting your personal computer hacked while on an uncontrolled network, there are lightweight boot-to-browser distros like JustBrowsing. Load a memory stick, boot from the stick (requires you know how to get in bios and change booting preference, easy) and go about your web-based work in Firefox. This could be an option for library computers as well assuming the bios is not password protected and you can change the boot order. Then there is no concern about unknown software.
- tennisplyr
- Posts: 3703
- Joined: Tue Jan 28, 2014 12:53 pm
- Location: Sarasota, FL
Re: Public Library computers
I never access personal financial accounts from outside of my home.
“Those who move forward with a happy spirit will find that things always work out.” -Retired 13 years 😀
-
- Posts: 936
- Joined: Tue Jan 17, 2017 7:46 pm
Re: Public Library computers
Not even on your phone? I think we learned a while back that iPhones can be very secure, given what the FBI had to pay to crack one.tennisplyr wrote: ↑Mon Feb 11, 2019 7:40 am I never access personal financial accounts from outside of my home.
Re: Public Library computers
Deep freeze does nothing for hardware keyloggers, which are one of the easiest attacks against a public machine. Find out what keyboard model they use, buy one, add a logger, swap with one of the ones in the library. Swap back a few days or weeks later.teen persuasion wrote: ↑Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library. We scanned them all for viruses and malware before freezing them. Every time they are rebooted, they return to that state (anything downloaded in the interim is wiped). So at least once per day they are rebooted. If a patron wanted to be assured that a past user had not installed something, they could simply reboot before using the computer. They can also reboot after they are done, to remove traces of their history.
This software means that I need to thaw each computer and manually update them while in the thawed state, or all updates would be wiped the next time they are rebooted. So I am regularly checking each computer to see what updates are available: thaw and reboot, search again for updates (because they were wiped on reboot), install updates, reboot, freeze, reboot. It gets tedious, but it's necessary.
Public machines are best never used, or if used, for totally non-authenticated uses only (e.g. browsing news, library card catalog searches)
Re: Public Library computers
If it's a switch, you can still capture data if you have configuration access to the switch and can enable a tap port. Or for that matter a simple MAC flooding attack will, from a security POV, turn a switch into a hub.6Pack wrote: ↑Mon Feb 11, 2019 7:13 am I wouldn’t ever access my private accounts from a public computer (library) or a public network (Starbucks). Heck, I don’t even access them at work where computer security is taken very serious (feds).
If a computer network is using a hub instead of a switch, you can still capture network data just like WiFi. I have experimented with this in my free time at home.
But unless you're getting MitM'd, a reasonably secured wired or wireless network with a reasonably secure host is "probably fine".
(Note: If your home network is running equipment that does not receive regular - e.g. at least quarterly - firmware updates, your home network should be assumed insecure, wireless OR wired)
Re: Public Library computers
Just to put this all into perspective, who on this board has (or knows someone who has) had their financial information stolen via either:
If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
- A physical keylogger installed into a keyboard; or
- A hacker successfully bypassing a secure (SSL/TSL), cert. authenticated line to steal data over-the-air?
If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
Re: Public Library computers
This. The likelihood of getting hacked because you're connected to some random wifi is not zero but it's pretty darn close to it. The likelihood of someone nowhere near you cracking your password via data breach or spoofing your cell number is much much higher.bryanm wrote: ↑Mon Feb 11, 2019 10:51 am Just to put this all into perspective, who on this board has (or knows someone who has) had their financial information stolen via either:I'm willing to bet the numbers low or zero. Who on this board has (or knows someone who has) had their financial information stolen via a data breach at a financial institution? After Equifax, I'm willing to bet it's everyone.
- A physical keylogger installed into a keyboard; or
- A hacker successfully bypassing a secure (SSL/TSL), cert. authenticated line to steal data over-the-air?
If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
-
- Posts: 2528
- Joined: Mon Aug 14, 2017 12:31 pm
Re: Public Library computers
I’m reluctant to use it. One time I was in UK, free WiFi with no specific room ID, I booked another hotel using my credit card, that credit was stolen and used elsewhere, but my credit card company blocked the charge and I closed the credit card. Since then, I always closed the credit card that I used overseas. No more fraud after that.
Re: Public Library computers
I've had passwords compromised by a physical keylogger (not financial passwords though), and have demonstrated MitM attacks where you find *most* people will just click through for debatable intermediate certificates. I've also seen post-mortems that involved certs from compromised CAs (your browser trusts a LOT of CAs) used for a MitM attack.vitaflo wrote: ↑Mon Feb 11, 2019 10:59 amThis. The likelihood of getting hacked because you're connected to some random wifi is not zero but it's pretty darn close to it. The likelihood of someone nowhere near you cracking your password via data breach or spoofing your cell number is much much higher.bryanm wrote: ↑Mon Feb 11, 2019 10:51 am Just to put this all into perspective, who on this board has (or knows someone who has) had their financial information stolen via either:I'm willing to bet the numbers low or zero. Who on this board has (or knows someone who has) had their financial information stolen via a data breach at a financial institution? After Equifax, I'm willing to bet it's everyone.
- A physical keylogger installed into a keyboard; or
- A hacker successfully bypassing a secure (SSL/TSL), cert. authenticated line to steal data over-the-air?
If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
A proper 2-factor setup helps a great deal here. If you get my password you still don't get my token / yuibkey. (SMS 2-fac is sort of 1.5-fac)
Re: Public Library computers
Loggers found in certain conference rooms in Las Vegas in late summer do not count...badger42 wrote: ↑Mon Feb 11, 2019 11:20 am I've had passwords compromised by a physical keylogger (not financial passwords though), and have demonstrated MitM attacks where you find *most* people will just click through for debatable intermediate certificates. I've also seen post-mortems that involved certs from compromised CAs (your browser trusts a LOT of CAs) used for a MitM attack.
A proper 2-factor setup helps a great deal here. If you get my password you still don't get my token / yuibkey. (SMS 2-fac is sort of 1.5-fac)
Your points on 2FA and click through bad certs is exactly the kind of security hygiene people should in fact be thinking about. (And using a password manager so as to never reuse a password across sites.) With those three things, I would guess that 98% concerns go away. It goes over 99 if you avoid using a phone # for 2FA.