I may have to take a trip to my parent’s house soon and I may have to be gone long enough that I would have to do some on-line bill pay through my bank.
There’s no internet connection in the house, nor do I know anyone in the area well enough to borrow a connection. I’m looking for the safest way to connect to my bank using (I expect) a public wi-fi spot such as a McDonald’s or Panera Bread. (I will have my own laptop with me.)
Naturally, I’m not too keen on this. I know a little about Man In The Middle attacks (enough to know they exist, anyway) but not enough to know how to avoid them.
I know I have to look for an https: in the URL, I know I should be wary of public spots, but what would those of you with more security knowledge recommend about the best way for me to get on the web and do financial transactions without the security of my own, hard-wired, router?
Does your bank use a “site key” (an image that you verify as yours)?
BofA does, and this will help to reduce the threat from MITM attacks. I’m not sure it eliminates it - that’s for the security nerds to determine.
The security certificates are there to prevent man in the middle attacks. The security certificate verifies that you are connecting with BofA. For BofA they have a certificate issued by verisign. A man in the middle attack would not be able to present a signed certificate for https://www.bankofamerica.com/ unless they have somehow stolen the certificate from Bank of America.
In IE if you click on the little lock icon by the url you can get information about the certificate. Other browsers will also give you information about the certificates.
No. Time to suggest to the wife that an upgrade is in order.
I shall have to do some research into this. But the next offer seems to negate that need…
I read about this and understand the concept, I think. So if I go to the coffee shop and use my updated FireFox to connect to the known-good URL I have in my bookmarks AND I then get the security certificate, I shouldn’t worry?
I wouldn’t worry about it. Every single on-line transaction I’ve done was over a public wifi system*, and I’ve never had problems. As long as the site has a security certificate you should be fine.
*I’m a cheapskate and get my internet access from commercial hotspots near my apartment
This isn’t entirely correct. Most sites hand out new certificates from time to time, you don’t even notice it happening.
If a certificate gets hacked (i.e. it’s private key becomes known, making it possible to make signatures using that certificate) it gets revoked by the Certification Authority (in this case Verisign). Additionally, certificates are usually given a rather limited lifespan. So to summarize, you get new certificates all the time.
On the other hand, when trying to establish a TLS tunnel to your bank, using a fake certificate (i.e one that the Man In the Middle just gave you), your browser will issue a warning that the certificate is unverified. You can ignore this warning and go on surfing, but it’s at your own peril. If you ask me, no bank errand is worth the risk.
Such security measures don’t protect against Man In The Middle attacks, but they do protect against phishing scam. The picture is something that only you and your bank know about, in presence a pass phrase that you’ve agreed upon, that a random phishing site won’t know about. The security in this is terribly weak, but it does afford some protection for computer illiterate people who don’t think of looking at the browser bar when following links to their bank site.
I’m presuming that the picture is sent after the encrypted tunnel has been established (thus proving that it’s not a defense against MItM attacks)…if not, then BofA seriously need to think things over.
Sure, you and I know the details. But for the sake of general, failsafe advice, that reduces to: on an untrusted network like a cafe wifi, if your browser asks you to accept a new certificate, don’t do it.
Exactly. The chances of someone running a MitM attack at any given public wifi spot are pretty low, but the chances that your bank just happened to pick that day to change their site certificates is pretty low as well. Go to a new location, or call the bank’s customer service line and ask–if they did change their certificate, their reps should have been prepped on it.
My issue is that new certificates are loaded all the time, you simply don’t notice it. The only time you get a notice is when a certificate can’t be verified. In my opinion this is a very important distinction.
Remember also that for a large portion of the world, random attackers sitting on public wifi aren’t the main threat; a government controlling the ISP and using falsified or hacked certificates in order to spy on its own populace is. The main attacks which have been seen on CA infrastructure in recent years (against Comodo and Diginotar) were almost certainly perpetrated by states targeting their own citizens.
For CAs, the ability to revoke certificates and rapidly deploy new ones is essential.
