• Is it safe to enter credit card info on public WiFi?

    How big is the risk?

    Time and time again you’ve been told that public WiFi hotspots or compromised routers will get your credit card numbers and banking info stolen. However, such risks have been overly hyped.

    We agree that public, open WiFi networks totally cannot be trusted. And that compromised routers can be used to wiretap all your communications. But we’d also say that in most cases your credit card numbers and banking info are pretty safe, even with someone watching all of your communications over the wire.

    Why? The keyword is HTTPS.

    The HTTPS protocol encrypts messages sent between your device and the server and ensures end-to-end transport security. What that means is that people can look at the messages exchanged between your device and the server, but all they see is random bytes. They cannot extract useful information out of the stream of bytes flowing through.

    How do you know that HTTPS is being used? Simply check the green lock on the left of the URL address bar.

    Who’s using HTTPS? Google, Facebook, Instagram, your bank, your credit card company, your company’s payroll, your insurance company, your ISP’s web site, even YouTube and Vimeo! Basically, almost every web site that matters.

    So what’s all the fuss about your personal information being stolen? Well, there’s a small possibility that you might have mistyped your bank’s URL, and the mistyped URL happens to be a website created by some bad guy, and it serves a valid SSL certificate that matches the mistyped domain name. There’s also a possibility that a bad guy redirected you to a plain HTTP URL (a technique called sslstrip).

    You should be pretty safe if you:

    1. Check for the HTTPS green lock icon.
    2. Do not click through when you see a certificate warning.
    3. Make sure you typed in the URL correctly (if you’ve visited the site before, the browser will prepopulate the address bar with the previous address).

    What about your shared folders?

    You might have seen the suggestion that you should remember to turn off Windows Network Discovery and file sharing when you connect a Windows PC to a public WiFi hotspot. But Windows has already figured it out for you. When you connect to a new WiFi network, Windows will ask you if the connection is Public, Home, or Work.

    When you connect to a public WiFi, you should choose Public. And when Public is chosen, Windows automatically turns off file sharing.

    What about apps on your smart phone?

    For apps on your smartphone, there’s no green lock to look at, so there’s no sure way to tell if an app is using HTTPS/SSL encrypted communication behind the scenes. If you are really cautious, you should not connect your smartphone to public WiFi hotspots.

    Even so, we speak with high confidence that security sensitive apps (such as your bank’s) will not use insecure communication protocols when talking back to servers. Therefore, you should be safe using your bank’s app, even on a public WiFi connection. Ask the app developer if you want to be sure.

    If you use the pcWRT router, there’s a simple way to check whether there are insecure apps on your smartphone. Here’s how:

    1. Connect the phone to the pcWRT router WiFi. Find it on the Status page and give it a name.
    2. Put the phone in a profile with Access Control turned on.
    3. Use the app you want to check out.
    4. Open the Access Control logs, click on the device name.
    5. Switch to Raw mode.
    6. Click on the links under the Port column to reveal the first 15 bytes sent over the connection.
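
    To read the 15 bytes revealed in step 6, the sketch below (an added example, not pcWRT code) labels them as a TLS ClientHello, plaintext, or unknown. It assumes the bytes are shown as hex; the function name and all sample values are constructed for illustration.

```python
# Added example (not pcWRT code): classify the first bytes a client sent on a connection.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"PATCH ", b"OPTIONS ")
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2 or 1.3"}


def classify_first_bytes(data):
    """Return (verdict, detail); verdict is 'tls', 'plaintext' or 'unknown'.

    data: bytes, or a hex string like "16 03 01 ..." (assumed display format).
    """
    if isinstance(data, str):
        data = bytes.fromhex(data.replace(":", " "))
    if not data:
        return ("unknown", "no payload captured")
    # TLS record header: content type 0x16 (handshake), version 0x03xx, 2-byte length.
    # Byte 5 is the handshake message type; 0x01 means ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        detail = "TLS ClientHello"
        if len(data) >= 11:
            # Bytes 9-10 hold legacy_version. TLS 1.3 clients also send 0x0303,
            # so this field cannot distinguish TLS 1.2 from TLS 1.3.
            ver = int.from_bytes(data[9:11], "big")
            detail += ", offers up to " + TLS_VERSIONS.get(ver, hex(ver))
        return ("tls", detail)
    if data.startswith(HTTP_METHODS):
        return ("plaintext", "unencrypted HTTP request: " + data.decode("ascii", "replace"))
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return ("plaintext", "printable ASCII, likely an unencrypted text protocol")
    return ("unknown", "binary data that is not a TLS handshake")


if __name__ == "__main__":
    # Constructed samples, 15 bytes each, standing in for what the log view reveals.
    samples = {
        "banking app": "16 03 01 02 00 01 00 01 fc 03 03 8a 1f 4c 9e",
        "old SDK": "16 03 01 00 6d 01 00 00 69 03 01 5b 2c 11 07",
        "ad library": b"GET /track?id=1".hex(),
        "custom protocol": "00 00 00 2a 9f c3 01 7e 88 10 ff 03 a5 00 41",
    }
    for name, first in samples.items():
        print(f"{name:16} {classify_first_bytes(first)}")
```

    A "tls" verdict shows only that the app opened a TLS session; it does not show that the app validates the server certificate.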

    Does a VPN help?

    Certainly. Connecting to a VPN is the easiest way to make sure you have a secure connection at all times. Remember though, with a VPN connection you are simply shifting your trust to the VPN service provider. Make sure you pick a trustworthy VPN service.

    With the pcWRT router, you can easily set up a VPN server at home and connect to it when you are away from home. In our opinion this is the best solution. Not only do you solve the trust problem with a VPN server under your control, it’s also free!

    WireGuard® is the easiest to set up. But you can also use IKEv2 and OpenVPN if you prefer.

    * WireGuard® is a registered trademark of Jason A. Donenfeld.
