Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


31 posts

Geek


Topic # 30912 25-Feb-2009 14:07
Send private message

WE travel a few times a year on business overseas, mainly to Asia.

In the hotel rooms they have wired network cable which we can plug our laptop into. I guess these are not very secure networks.

We have Windows Vista, and that supposedly has good security features. Is it safe to use our laptop to access our bank accounts under these circustances? I understand that keyloggers can only operate with someone plugging some device into the CPU?

What about using unsecured wireless networks, here and overseas? Will someone be able to see your login and password?

Create new topic
8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 198004 25-Feb-2009 14:56
Send private message

I believe what you are worried about is called a "man in the middle attack" where on the network between your pc and whatever site/service you are using someone could sniffing the traffic for logins or passwords.

However any decent bank site will use https:// so traffic between your browser and the site is encrypted including the login and password so this will not be a problem.

Example:  https://www.asb.co.nz/ in Internet Explorer 7 you will see a padlock icon after the url, in Firefox 3 you will see the first part of the url highlighted green to indicate it's secure.

Many other sites allow you to login using https:// instead of http:// eg:  https://www.facebook.com/ or https://www.google.com/accounts/ServiceLogin?service=mail

I would advise you to always check the url on login pages to make sure it's using https:// rather than http://

The other major concern is using an email client that by default is configured to send your email account login and password in clear text.  This can easily be changed to use a secure method of authentication.  Check with your ISP for configuration details.

3308 posts

Uber Geek
+1 received by user: 888


  Reply # 198011 25-Feb-2009 15:09
Send private message

slowcoach: WE travel a few times a year on business overseas, mainly to Asia.

In the hotel rooms they have wired network cable which we can plug our laptop into. I guess these are not very secure networks.

We have Windows Vista, and that supposedly has good security features. Is it safe to use our laptop to access our bank accounts under these circustances? I understand that keyloggers can only operate with someone plugging some device into the CPU?

What about using unsecured wireless networks, here and overseas? Will someone be able to see your login and password?

AS mentioned by Ragnor, if the bank you are using has a secure login (Https) this will improve security of data passed between your laptop and the banks server

However,  Keyloggers can be both a physical device, (usually installed on the keyboard connection), or they can simply be a piece of software that records keystrokes,

Wireless networks are generally more of a risk than wired ones, but any envoroment where you are not sure of what is between you and the server you are logging into would be classed as a risk

A good thing to do irrespective of how you login,  is when you get back to NZ, change *any* and *all*  passwords that you used while overseas,

6324 posts

Uber Geek
+1 received by user: 391

Moderator
Trusted
Lifetime subscriber

  Reply # 198036 25-Feb-2009 17:54
Send private message

slowcoach: We have Windows Vista, and that supposedly has good security features. Is it safe to use our laptop to access our bank accounts under these circustances? I understand that keyloggers can only operate with someone plugging some device into the CPU?


Agreed, I'm yet to hear of a keylogger that isn't physically plugged into the laptop you are using, or not installed on it.

I also agree with ragnor and wellygary, as long as the bank uses SSL you should be fine (regardless of using ethernet or wireless).

8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 198116 26-Feb-2009 00:15
Send private message

Just reiterating make sure if you use an email client like Outlook or Windows mail that it's configured to use a secure connection to you ISP's pop, imap and smtp servers.


3224 posts

Uber Geek
+1 received by user: 624

Trusted

  Reply # 198119 26-Feb-2009 01:25
Send private message

Also the biggest thing is protecting the data on your computer. When you connect to a network in vista, it will ask if it is a home, work or public network - choose public.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here




Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 198127 26-Feb-2009 02:06
Send private message

Ragnor:

However any decent bank site will use https:// so traffic between your browser and the site is encrypted including the login and password so this will not be a problem.


here you are assuming that there is a single uninterrupted https connection between the laptop and the bank.

its quite feasible for a proxy server to be inserted inbetween the laptop and the bank, one which creates an ssl connection to the laptop and a seperate ssl connection to the bank and then proxies traffic between the two connections thus creating the man in the middle attack (MITM).  your username and password could then be quite easily stolen then.

in this case the browser would most likely show an https certificate error and issue a warning as the ssl connection between proxy and laptop would use a certificate that was not issued by a valid CA or would show a mismatched domain.

a way around this would be for the proxy server to redirect your browser to a legit domain/ssl combination - e.g. https://mydodgyproxy.com but still show the actual web content from the bank in your browser.  I.e. keep an eye on the URL and make sure you dont disable notifications that warn you about being automatically redirected

if you do ever encounter an SSL certificate error - don't ever continue entering your account/password details in.  For an example of what you will see when you get a mismatched ssl certificate try browsing to https://asbbank.co.nz/  (the certificate in this case was issued to www.asbbank.co.nz not asbbank.co.nz)

if people can get away with things like atm skimming, phishing, identity theft then why wouldnt they try find a way to do this at hotels (which may not be staffed by particularly IT savvy employees, and who probably outsource the running of their guest internet access plaforms)

if you're really worried about this sort of thing then your best option might be to remote desktop back to a safe computer, terminal server or citrix server and then do your browsing from within one of those sessions.  If you use client certificates for authentication then you can have a lot more confidence that the remote desktop connection is MITM free and you can then be certain that the SSL connection isnt hijacked (unless you dont trust your own ISP either ;)

[/paranoia]




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


75 posts

Master Geek


  Reply # 198170 26-Feb-2009 10:21
Send private message

The major risk is not to your banking details, as most of these as mentioned above use SSL security.

One thing you DO need to do, is make sure you remove that Hotel network from your list of networks to connect to in Windows, and never configure it to connect automatically.  Your laptop walks around all day yelling out to see if any of those networks are present to be connected to.  If a person knows the settings of that public network, they can use an EvilTwin attack to pretend to be the network, and your laptop will connect to it straight away.  Because it is an open public unencrypted network, you are unlikely to notice whether it is a legit AP or not.

And FYI on keyloggers - this can be done remotely vie electro magnetic radiation.  Every time you hit a key, it gives of a slightly different EMR signature which can be remotely monitored and measured.  However, if someone has the resources necessary to perform this attack - you may want to consider just giving them your laptop anyway... ;-)




31 posts

Geek


Reply # 198199 26-Feb-2009 11:53
Send private message

Hi guys

Thanks a lot for all the info!

Now know what to watch for.

Maybe simpler to leave laptop at home (just kidding)Laughing

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.