Online banking has grown enormously, and mobile banking is rising even faster. But accessing your sensitive financial data via computer can be dangerous. One well-known computer virus that steals banking logons and passwords is thought to have infected over 3 million computers in the US alone, siphoning at least $70 million from consumers. So how can you access your bank account safely?
We've enlisted the help of noted hacking researcher Darren Kitchen to find out:
• Is it safe to bank on a public computer, like at a library or in a school?
• Can you safely check your bank balance in a Wi-Fi café on your own laptop?
• How safe is it to check your bank account from your home computer?
• Is it OK to bank on your phone?
I've known Darren Kitchen for years. He hosts a podcast about hacking called Hak5 and has been interviewed by ABC News, the New York Times and Wired Magazine on various hacking topics. In short, he's the real deal, and he sat down with me to answer the following questions and demo what a hacker could do if you log on to the wrong Wi-Fi.
Is it safe to bank on a public computer?
Public computers in libraries, schools, and hotels are completely unsafe for any sensitive web browsing. You have no idea if they are secure or if a criminal has installed a key-logger that tracks every username and password you enter.
Can you safely bank online at a Wi-Fi café on your own computer?
Answer: Probably not
Darren and I set up an experiment. With my own laptop, I logged onto the free Wi-Fi in a café while Darren sat across from me. I went to my bank site and entered my username and password. In real time, Darren intercepted the logon info. If that had been my real info, he could have immediately logged onto my bank account. (NOTE: I gave Darren express permission to hack my browsing — I need to say this for legal reasons. ALSO - I am a blond, but what you see in the video is not my real banking info.)
How did he hack my connection?
Darren brought his own router into the coffee shop. He can set it up to provide an open connection that is labeled "Internet" or "free Wi-Fi" or even includes the name of the café, something like "Cuppa Joe Wi-Fi." Simply put, he pretends to be the Internet access provided by the café. The scenario: you turn on your computer and log on to what you think is the Wi-Fi provided by the business. Even more deviously, Darren can create a Wi-Fi signal called Linksys, TMobile, ATT Wireless or GogoInflight. If your computer has ever connected to those legitimate networks in the past, it will be fooled into thinking it already has permission to connect — and does so through Darren's router.
"Once you're on my router, I am the Internet. I'm the man in the middle, so I can see everything," said Darren. "I'm essentially your Internet service provider, and inherently, I can eavesdrop and even change data on the fly. And when I see you're going to a bank, I can serve up my own [site] that looks and feels in every way like the bank's site."
And that's how he got my info. I thought I was going to a legitimate bank, but really it was Darren serving up an easily faked version of the site. It looked exactly the same as the real bank's site.
Bottom line: if you must do sensitive web browsing over a Wi-Fi network in a public place, you should be very sure that the Wi-Fi is actually provided by the business and is being passed through their router. It should be encrypted, so you need a password to log on. And finally, do you trust the business and its employees? There are enough risks that when I ask Darren if he would log on to his bank this way, he says, "Absolutely not."
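For readers who want to check their own laptop against the look-alike network trick described above, here is an added example (not part of the original article or Darren's demo). It flags saved open networks that auto-join by name and nearby networks whose security does not match what was saved; the profile and scan records, their field names, and the addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article): profiles saved on a laptop
# and access points seen in a scan. Field names are assumptions.
SAVED_PROFILES = [
    {"ssid": "Linksys", "security": "open", "auto_connect": True},
    {"ssid": "HomeNet", "security": "wpa2", "auto_connect": True},
    {"ssid": "Cuppa Joe Wi-Fi", "security": "wpa2", "auto_connect": True},
    {"ssid": "HotelGuest", "security": "open", "auto_connect": False},
]
SCAN = [
    {"ssid": "Cuppa Joe Wi-Fi", "bssid": "02:00:00:00:00:01", "security": "wpa2"},
    {"ssid": "Cuppa Joe Wi-Fi", "bssid": "02:00:00:00:00:02", "security": "open"},
    {"ssid": "Linksys", "bssid": "02:00:00:00:00:03", "security": "open"},
]

def risky_saved_profiles(profiles):
    """Saved open networks set to auto-join: any router broadcasting the same
    name will be joined without a prompt, so these should be forgotten."""
    return sorted(p["ssid"] for p in profiles
                  if p["security"] == "open" and p["auto_connect"])

def suspicious_ssids(profiles, scan):
    """Return {ssid: [reasons]} for networks in range that warrant distrust."""
    saved = {p["ssid"]: p["security"] for p in profiles}
    seen = defaultdict(set)          # ssid -> security modes on offer
    for ap in scan:
        seen[ap["ssid"]].add(ap["security"])
    findings = defaultdict(list)
    for ssid, modes in seen.items():
        if len(modes) > 1:
            findings[ssid].append("same name offered both open and encrypted")
        if saved.get(ssid, "open") != "open" and "open" in modes:
            findings[ssid].append("saved as encrypted but now offered open")
        if saved.get(ssid) == "open":
            findings[ssid].append("open network: name alone proves nothing")
    return dict(findings)

if __name__ == "__main__":
    print("Forget these saved networks:", risky_saved_profiles(SAVED_PROFILES))
    for ssid, reasons in suspicious_ssids(SAVED_PROFILES, SCAN).items():
        print(f"{ssid}: {'; '.join(reasons)}")
```

A clean result does not prove a network is genuine, since a look-alike router can also copy the encryption setting; it only catches the cheapest form of the trick.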
How safe is it to check your bank account from home?
Answer: Safe, but be sure your computer is virus free
If you are connecting to the Internet at home over a Wi-Fi router that's encrypted with WPA2 security, you should be safe to log on to your bank.
BUT… big caveat! Are you sure your computer is virus free? Computer viruses are getting more devious about specifically targeting online banking information. The Zeus botnet has resulted in hundreds of millions of dollars funneled out of consumer bank accounts. If you have any doubt about the security of your home computer, it may be time to get serious about disinfecting it and protecting it with an antivirus program if you want to bank online without anxiety.
Is it okay to bank on your phone?
Answer: Yes, but…
Phones using Wi-Fi to connect to the Internet are susceptible to hacks just like the Wi-Fi café hack Darren exhibited. But phones using cellular data networks for their connection are MUCH harder to fool. It's not impossible. As Darren points out, he replicated the café's Wi-Fi with off-the-shelf router equipment. It's much harder to replicate a cell phone tower.
The biggest caveat for checking your bank account on your phone is to consider what would happen if the phone fell into the wrong hands. The financial and identity information on your phone has now become more valuable than the hardware itself, so thieves are getting much more sophisticated about mining bank and personal data from mobile devices. So keep a password screen lock on the phone and have a remote wipe program so you can delete all data if your phone is lost or stolen.
(Special thanks to the folks at the Arbor Café in Oakland and the Sunnyvale Public Library, where we are happy to connect for all non-sensitive computer needs. Cell tower image © Justin Smith / Wikimedia Commons, CC-By-SA-3.0)