Can we dispel this WiFi myth?

[denverd0n]

No, we can't dispel it, because it is not a myth.

Just because the odds of having something stolen are relatively low, that doesn't make it a myth. Just because it has never happened to you, that doesn't make it a myth.

Securing your wifi connection is not the be-all and end-all of internet security. No one has ever said that it is. But it is, in fact, one more layer of security that makes it that much more difficult for someone who wants to steal your information.

Frankly, calling this a "myth" is a bit like saying that locking the front door to your house--as a means of deterring burglars--is a "myth." Locking your front door does not guarantee that you'll NEVER be burglarized. Everyone understands that. Leaving your door unlocked does not guarantee that you WILL be burglarized. Everyone understands that, too. But locking your door is still a reasonable layer of security to add to your home.

And just like not locking your front door is a bit foolish, so is not securing your wifi connection when you are able to.

[svseachange]

Quote:

Originally Posted by goboatingnow

First what you call secure wifi are wifi that implement encryption, wep , wpa etc result In encrypted wireless traffic. Hence such traffic is actually more secure then cabled networks.

Huh? I am not sure where you go that from my post. I was simply using the word "secure" to differentiate between open WiFi networks and private WiFi networks protected by WPA etc. That's the word used by many cruisers.
If people want encryption they should use https (SSL). It really has nothing to do with WiFi.

Quote:

Originally Posted by goboatingnow

It's not an access control system per say as there is no way to control individual users.

I did not say the private WiFi network users were controlling individual users. The owner of a private WiFi network is limiting the number of users, hence making more service (usually bandwidth) available to the authorized users.

Quote:

Originally Posted by goboatingnow

The assignment of public IPs has nothing to do with wifi encryption. In almost all cases due to the scarcity of public ipV4 address space., you will be behind a NAT ( network address translation) and hence be handled out a private non routable IP address ( like 192.168.x.x )

Again, I was not talking about encryption. My point is public IP addresses are simply less secure than private non routable IP addresses. Even open ("non-secure") WiFi networks usually use NAT.

[svseachange]

Quote:

Originally Posted by denverd0n

No, we can't dispel it, because it is not a myth.

The problem is the risk is blown out of proportion. The risks of using most open WiFi networks are for all intensive purposes, insignificant. The alarmist posts about WiFi cause people to engage in much riskier behavior like using Internet cafe computers.

The easy solution is to always use https (SSL) and ensure your computer had a firewall and antivirus software. That is what we should be talking about.

[Teknav]

When purchasing on-line or going out to dinner, I use a credit card with a low credit line limit; intentionally requested a low limit of $500 USD. Before replenishing it, I check the transactions posted to it; 2-3 times/month. Never had any issues with someone stealing my numbers and trying to charge thousands of dollars. All my on-line transactions must go through a HTTPS website.

Mauritz

[Sea Frog]

Quote:

Originally Posted by captain58sailin

Does using a VPN keep you anymore secure on a unsecured public Wi Fi network?

Absolutely yes. No matter how unsecure is a network, VPN is your very own, private, fully-encrypted channel of data transfer. They can intercept the data but that would not give them anything because they are all encrypted. If you are worrying about security, VPN is a way to go, and then you can connect using ANY network no matter how "unsecure" it is.

Oh and if you think that using SSL (i.e. connecting using https protocol) means you are safe, you should learn about "ssl hijacking"

[captain58sailin]

Okay, thanks for the info. I used to use a VPN, then they went out of business. So I guess I can start searching for another.

[rebel heart]

From my understanding:

- bs in computer science
- ~15 years in the field
- primarily a software guy, not a network guy

Who cares about wifi encryption from a data transfer security prospective? If you're on a network you're on a network. You can secure the wifi connection as much as you like but if I run the router (or an upstream router) I can plug a sniffer in anywhere and start scooping packets to do whatever I like.

Now if the data itself is encrypted, via SSL, VPN, SFTP, or whatever other properly secured encryption transport method than it really doesn't matter what packets you get. At least for now; I've heard people say that stuff from PRISM will eventually get cracked just because it's only a matter of time until computing power catches up with SSL encryption.

Wifi security, and again I'm not a network guy, is to keep:

- Only authorized people using your network.
- Reduce the amount of unauthorized people using your network who might do nefarious things like port scan everyone and look for exploits. But that's primarily the responsibility of all the client machines.

I've never used anti-virus or malware tools on any of my personal computers despite international travel and back in the day my desktops having public IP's. I keep things up to date, don't download stupid things, don't leave ports open, and all has been well for over a decade.

Regarding SSL man-in-the-middle attacks, your browser will spot the difference. If you're dumb enough to keep entering your banking account info when the green SSL bar flashes red, that's your own business. Most browsers will give you a warning and try to get you to exit the page as well, alerting you that your connection is no longer secure.

[ShaktiGurl]

Quote:

Originally Posted by captain58sailin

Okay, thanks for the info. I used to use a VPN, then they went out of business. So I guess I can start searching for another.

I use Cisco VPN to login to my company network. No idea of cost since I don't pay it.

[rebel heart]

Quote:

Originally Posted by captain58sailin

Okay, thanks for the info. I used to use a VPN, then they went out of business. So I guess I can start searching for another.

OpenVPN - Open Source VPN

I've used them with good results. A more common problem I've found internationally, especially in South America or Asia, is that a lot of web servers (particularly banks) block traffic from known geographic areas. With openvpn you can change your traffic origination to San Jose, CA from wherever you happen to be in the world.

[denverd0n]

Quote:

Originally Posted by shanedennis

The problem is the risk is blown out of proportion.

Yes, sometimes the risk is blown out of proportion. So you think that pretending there is no risk at all is the correct response? Great.

[fstbttms]

Quote:

Originally Posted by Fuss

Does anyone have a first hand example of their bank details being stolen over an unsecured wifi connection and then funds being withdrawn from their account????

Yes. I used a debit card at my local brewpub last year. Apparently somebody was nearby, monitoring/stealing the wifi transactions the pub used to run the card. My card was debited for a duplicate sale, as were many others over a day or two. Fortunately, they discovered the problem quickly and shut down their wifi. My bank reimbursed me for the theft.

[rebel heart]

Quote:

Originally Posted by fstbttms

Yes. I used a debit card at my local brewpub last year. Apparently somebody was nearby, monitoring/stealing the wifi transactions the pub used to run the card. My card was debited for a duplicate sale, as were many others over a day or two. Fortunately, they discovered the problem quickly and shut down their wifi. My bank reimbursed me for the theft.

You had an SSL connection to your bank, someone intercepted the packets, broke a 128 bit encryption algorithm, and then with the million dollars of hardware they used they double charged you at the same pub?

or

You were man-in-the-middle attacked where your browser would have clearly shown that you were shifted from SSL to regular http unencrypted traffic.

Sounds a lot more likely that someone ran the point of sale gear incorrectly and then blamed it on mysterious hackers. "Hackers" are the equivalent of the CIA in that whenever something can't be explained, it must be the work of hackers.

[tom1263]

I never go with my laptop directly to the internet, only via router. He's my personal AP, he uses UMTS or any free Wi-Fi connection. See WISP-AP.

Advantage: All devices are always behind a smal firewall and not directly connected with the Internet.

[fstbttms]

Quote:

Originally Posted by rebel heart

You had an SSL connection to your bank, someone intercepted the packets, broke a 128 bit encryption algorithm, and then with the million dollars of hardware they used they double charged you at the same pub?

or

You were man-in-the-middle attacked where your browser would have clearly shown that you were shifted from SSL to regular http unencrypted traffic.

Sounds a lot more likely that someone ran the point of sale gear incorrectly and then blamed it on mysterious hackers. "Hackers" are the equivalent of the CIA in that whenever something can't be explained, it must be the work of hackers.

Well, while I have no idea what you just said, the story I related is what was told to me by the restaurant and what was reported in the media. As I said, it was an ongoing issue for several days, affected many patrons and was enough of a story that the local TV news came out and reported it.

[Lake-Effect]

Quote:

Originally Posted by Teknav

When purchasing on-line or going out to dinner, I use a credit card with a low credit line limit; intentionally requested a low limit of $500 USD. Before replenishing it, I check the transactions posted to it; 2-3 times/month. Never had any issues with someone stealing my numbers and trying to charge thousands of dollars. All my on-line transactions must go through a HTTPS website.

This.

Follow the above precautions and you will absolutely minimise your exposure to online (or offline) card fraud.

I believe that one potential threat from being able to intercept packets over wifi is that the interloper could theoretically spoof the user's ids (MAC address etc) and take over a session, but it's so complex to do in practice that no-one but the NSA would do it.