Question regarding wireless internet...

[sho'nuff]

Quote:
Originally Posted by diorshoe
i have used unsecured wireless that is at my apt complex ( i dont know who owns it) with my wireless on my laptop at home . and i did online banking ,ebay, paypal, online purchases, styleforum etc.

is this really unsafe? so far i have not encountered any fraud on my accounts and i check every day.

It's probably not high risk unless you have hackers in your area looking for signals to hack, but I wouldn't make a habit of it either.



Quote:
Originally Posted by Mute
It's probably not high risk unless you have hackers in your area looking for signals to hack, but I wouldn't make a habit of it either.

Even if that's the case, if your bank is using SSL and a decent challenge-response authentication system, I wouldn't worry about it too much.
__________________________
Whenever there is any doubt, there is no doubt.


--------------------------------------------------------------------------------

Quote:
Originally Posted by mbc
Even if that's the case, if your bank is using SSL and a decent challenge-response authentication system, I wouldn't worry about it too much.


The problem is letting a hacker know he's found a live system and parking a keylogger onto your system. SSL and challenge-response authentication can't save you from that kind of intrusion. There are ways to protect yourself against that also, but someone who'd log onto an open wireless system without thought about security precautions is unlikely to be taking steps to stop that either. But like I said, odds are low.






ok, gotcha.
i have been doing alot of banking off the wireless but the sites that take important info off of me all have the yellow lock icon on the bottom.

can a hacker know i am on their network? can they find my IP address and infiltrate? is that what you mean by keylogger ?
thanks

 

[briancl]

Originally Posted by phooi

If you are logging onto an unsecured wifi connection, I would suggest, at a minimum, the following items: (All computers should have these anyway)

1. Software firewall (Zone Alarm Free)
2. Anti-Virus (AVG Free)
3. Spyware (Adaware Free)

It will not stop the hardcore guys but will discourage most wannabes.

These are good, but it is also very important to keep your operating system and applications up to date on security patches.

 

[briancl]

Originally Posted by diorshoe

i have been doing alot of banking off the wireless but the sites that take important info off of me all have the yellow lock icon on the bottom.

can a hacker know i am on their network? can they find my IP address and infiltrate? is that what you mean by keylogger ?
thanks

A hacker can "phish" you by standing up an unsecured network and allow you to connect through it. First, he will give you the real internet, but after he sees which sites you visit, he can setup fake sites that mirror the real thing and steal your credentials. Simpler yet, he can just give you access to the real internet, and monitor your traffic as it passes through the network. He'll only get unproteced, non-SSL encrypted information, but a lot of that can contain sensitive information (emails, AOL IM conversations, forum posts, etc). This is true even if the network you connect through is known, trusted, and verified (such as a neighbor or starbucks), but lacks some kind of strong encryption.

Also, the keylogger being referred to earlier is a small piece of software that logs every key that you type, so for example, your username and password may be safe as they travel across the internet due to SSL (the little lock), but locally, the credentials are compromised if a hacker has planted a keylogger. This requires a hacker somehow gain access to your system. This can be done if you are out of date on your patches and security updates or if someone else gets physical access to your computer.

 

[sho'nuff]

thank you for the info briancl


actually one more question. what if i use vpn. do they still have access what sites i access and try to phish me?

 

[briancl]

Originally Posted by diorshoe

thank you for the info briancl


actually one more question. what if i use vpn. do they still have access what sites i access and try to phish me?

The information in the VPN tunnel might be protected, but again, with the keylogger, the user could steal your VPN credentials. If you use an RSA Token or some other kind of two-factor authentication then that risk is mitigated; however this only protects your data in transit (across the internet). Your data at rest (the information contained on your computer) can still be compromised since the malicious user can attack your system and gain access.

The moral of this story is, do not rely on another person's wireless network to be secure. Assume it is not secure and assume you WILL be hacked and take every possible precaution to prevent it. Ideally, you will cut this out of the equation entirely and use your own wireless network whose security you can control.

 

[Mute]

One thing to keep in mind. If hackers looking to commit fraud were really smart, they'd get a wireless router and purposely leave it unsecured so that their neighbors would mistakenly think they'd stumbled onto easy, free access to a broadband connection. They could then monitor anyone jumping on and take advantage of that. As briancl said, better to avoid using other people's unsecured wireless broadband.

 

[briancl]

Originally Posted by Mute

If hackers looking to commit fraud were really smart, they'd get a wireless router and purposely leave it unsecured so that their neighbors would mistakenly think they'd stumbled onto easy, free access to a broadband connection. They could then monitor anyone jumping on and take advantage of that.

Right. This is phishing and what I explained 2 posts up...

 

[sho'nuff]

but phishing requires them to send me something, i mean, i won't just accidentally stumble onto their false websites, right?

i log onto bank of america to do banking, but then i always type the url out on the top or click it on my favorites.

that won't ever take me to their phishing sites right?
they way they phish is by sending me an email stating something like:
"bank of america needs you to confirm something, please log on here...url.."

are there other ways a relatively smart person like me (not to boast, but just for the point of the discussion) can be fooled by their phishing other than "Please see this email and log onto our url"?

 

[briancl]

Originally Posted by diorshoe

but phishing requires them to send me something, i mean, i won't just accidentally stumble onto their false websites, right?

i log onto bank of america to do banking, but then i always type the url out on the top or click it on my favorites.

that won't ever take me to their phishing sites right?
they way they phish is by sending me an email stating something like:
"bank of america needs you to confirm something, please log on here...url.."

are there other ways a relatively smart person like me (not to boast, but just for the point of the discussion) can be fooled by their phishing other than "Please see this email and log onto our url"?

Phishing is not limited to emails. The term was borrowed from fake IM's 12 years ago on AOL when users were tricked into divulging their passwords to people pretending to be AOL staff. Setting up a fake website is also phishing. The hackers can control your network traffic if you connect to their wireless network, so they can route you to their fake bank of america website. No email is required. Basically, the term just refers to some kind of social engineering, although in this case, the social aspect is limited, but it still exists since they have to get you to trust their fake site, even if they don't have to persuade you to visit it. A savvy user would be able to spot the illegitimate SSL certificate when browsing the fake site, but the average use just clicks "OK" or "Accept" when challenged to review any certificates.

 

[Mute]

Actually, if you use some hacker's broadband signal he can monitor all of your data and do more than just phishing schemes. Besides the keylogging, he can actually take control of your system and use it to commit fraud against others without you even knowing it.