Q. What’s the safest way to do my online banking: over a wired connection, powerline networking or Wi-Fi?
A. The answer doesn’t matter as much as you might think, but asking the question does mean you’re approaching your online security in the right state of mind.
Overall, a wired ethernet link is more secure than either Wi-Fi or powerline networking, in which the electrical wires in your home carry Internet data. To compromise an ethernet network, an attacker needs to get into your house and plug in a laptop, while Wi-Fi signals go beyond your home and powerline networks can leak information to adjacent dwellings.
Both Wi-Fi and powerline setups come with encryption options to scramble data flowing over the network; once you switch them on, an attacker would need to know the password to break in. But Wi-Fi’s obsolete WEP encryption can easily be defeated — and is still presented as a valid option in routers’ setup routines.
Furthermore, if you leave a router on its default administrative password, somebody who connects to your network can also monkey with the router’s settings to redirect your traffic to rogue sites. For much the same reason, you shouldn’t automatically trust third-party wireless hot spots.
Financial sites use encryption of their own to scramble data flowing to and from your computer — as reported by your browser with a lock icon in its toolbar that, when clicked, should display an info sheet including the bank’s name — and that should almost always outweigh the security of your local network.
(A determined attacker could defeat a bank’s login security by persuading a user to connect to a router running malware that subverts this encryption, but this seems to have been a theoretical exercise to date.)
Your local network, however, makes up only one part of the “attack surface” of online banking, and it may not be nearly as profitable as two others: your computer and your mind.
If an attacker can get a keylogger on your computer to record your keystrokes, the strength of your bank’s encryption and the complexity and novelty of your password won’t matter at all — each tap of the keyboard will have already been recorded and transmitted.
That’s why it’s important to keep up with security updates for both your operating system and your browser (if you haven’t disabled Oracle’s vulnerability-prone Java Web plug-in, now would be a fine time to do so).
And if an attacker can fool you into typing your username and password into a phony site by sending you a phishing e-mail, your security-fix fastidiousness won’t matter either.
You can thwart phishing attacks with the extreme measure of using a separate computer for online banking and nothing else (recommended at a panel on identity theft that I moderated earlier this month) or the lesser step of throwing a Linux LiveCD into your regular PC and booting off that for online banking sessions isolated from your usual software. But it’s just a little easier to remember this basic rule: Never log into a bank account by clicking on a link sent in an e-mail.
If you’re not sufficiently depressed about the state of financial security online, Target’s massive credit-card breach — apparently executed by exploiting the retailer’s in-store systems — offers a reminder that many account compromises happen in places we can’t control.
And the best way to watch for them is to monitor your account for unusual transactions — which means you should do more online banking, not less.
TIP: ENABLE YOUR BANK’S TWO-STEP VERIFICATION.
Many major sites, from Facebook to Google to Microsoft to Yahoo, now allow “two-step verification” to protect users’ logins from the loss of a password. That option requires users to vouch for all logins, or only those from strange computers or locations, by typing in a one-time password sent to their phone via text message or to a specialized app like Google Authenticator.
Most financial institutions, however, have yet to tune in to this trend. There’s Bank of America’s SafePass, CitiBank’s identification codes, Ally Bank’s Security Code, and not much else. But if your bank offers this option — which may require looking around its site — you should enable it right away. And if it doesn’t, you might want to ask why.
Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at [email protected]. Follow him on Twitter at @robpegoraro.