
Timezone Spoofing when Using a VPN


suzannegoh


I’ve long been using a VPN to connect to my financial institutions in the US to try to prevent them from deducing that I am outside of the US.  I’ve made sure not to have DNS leaks, WebRTC leaks etc and thus far it seems as though it’s working.  However one hole that seems to be unplugged is that web sites could read the time of my PC’s clock and figure out that I am in a different timezone than that of my IP address.  For instance, this website is able to read the system time from your PC even while you are connected to a VPN:  
https://whoer.net
 

I’ve searched around a bit and have not found a solution for this that works on Windows short of setting my PC’s clock to be in an American timezone, and I’d prefer not to do that.  There is a Firefox addon called “Random Agent Spoofer” that used to be able to spoof the timezone but that function is no longer in the current version.  So I’m wondering, has anyone here investigated this issue and found a solution that works on Windows?

Edited by suzannegoh
Link to comment
Share on other sites

Probably I haven't got your point?

 

But I just set my timezone on Windows to California (UTC-8).

Then (and now) connect to a Los Angeles VPN server and this whoer.net shows my timezone to be in Los Angeles (currently UTC-7 due to daylight saving).

Link to comment
Share on other sites

And even when setting Windows timezone back to IDC (UTC+7) the whoer still shows me to be in LA timezone.
So: is your question hypothetical?
 
(I use PureVPN)


So you're saying that with PureVPN that web page shows your system clock to be in the LA timezone even when your system clock is in fact set to Thai time? That's not what I'm getting using PIA as a VPN, that only shows my system clock to be set to the LA timezone if I change my PC's clock to be in US West timezone. I'll take a screenshot later to show you what I mean.
Link to comment
Share on other sites

3 hours ago, KhunBENQ said:

Probably I haven't got your point?

 

But I just set my timezone on Windows to California (UTC-8).

Then (and now) connect to a Los Angeles VPN server and this whoer.net shows my timezone to be in Los Angeles (currently UTC-7 due to daylight saving).

 

3 hours ago, KhunBENQ said:

And even when setting Windows timezone back to IDC (UTC+7) the whoer still shows me to be in LA timezone.

So: is your question hypothetical?

 

(I use PureVPN)

If I leave my system clock set to the Thai Timezone, connect to the PIA VPN server in Los Angeles, and go to https://whoer.net/, it reports the Local Time and my System Time as shown in the jpeg below.  I get the same behavior with StrongVPN. 

My concern is that the discrepancy between the "local time" and the "system time" could allow someone to deduce that I am not where I say that I am.  Of course I could change my system clock to be in the Los Angeles timezone but I'd rather leave it set to Thai time if I can.
 

One thing that I notice is that if I change the timezone on my PC while Firefox is running, Firefox does not see the changed timezone until Firefox is closed and restarted.  That behavior might be possible to exploit in order to implement a solution.

 

Untitled-1.jpg

Edited by suzannegoh
Link to comment
Share on other sites

  I bought a new laptop last Feb. while back in the states. The first time I connected to the internet and set it up, the internal clock was set to CMT and I never changed it.  I very much doubt that the internal clock is used to track location, when it can so easily be concealed or changed.  I have financial accounts at B of A, T. Rowe Price, Ameriprise, Chase, CitiBank and my local US bank. I have never been denied access to my accounts when out of the US, by providing my user id, password and answering the security questions to prove my identity, all without using a VPN. 

Link to comment
Share on other sites

17 minutes ago, tweedledee2 said:

  I bought a new laptop last Feb. while back in the states. The first time I connected to the internet and set it up, the internal clock was set to CMT and I never changed it.  I very much doubt that the internal clock is used to track location, when it can so easily be concealed or changed.  I have financial accounts at B of A, T. Rowe Price, Ameriprise, Chase, CitiBank and my local US bank. I have never been denied access to my accounts when out of the US, by providing my user id, password and answering the security questions to prove my identity, all without using a VPN. 

I've never been denied access on account of a timezone discrepancy but it has been apparent when placing stock buy/sell orders with Fidelity.  With Fidelity, if you place a "Good Til Cancelled" order between midnight and 11AM Thai time it will fail because Fidelity's web page will try to make the order good until 90 days from the date/time on your system clock, which actually would be about 91 days ahead of the date that it is on Fidelity's server.  Fidelity won't allow an order to be open for more than 90 days, so it fails unless you manually set it so that the order expires a day earlier.  I think that's a bug in the coding of Fidelity's web page and that they aren't using it to try to guess anyone's location, but it seems to me that they could if they wanted to. 

Edited by suzannegoh
Link to comment
Share on other sites

I'm aware that the system clock being different than it should be isn't proof of anything - the clock could just be set incorrectly.  However it doesn't need to be proof of anything to cause a problem - if it causes Fidelity (for example) to become suspicious it might cause them to look closer at your account and to ask for proof that you live at the address that you have on record with them.

Link to comment
Share on other sites

12 minutes ago, suzannegoh said:

Of course I could change my system clock to be in the Los Angeles timezone but I'd rather leave it set to Thai time if I can.

After checking again: you are correct that this site can detect a "local" and a "system" time.

 

"change my system clock": just to make sure that we talk about the same.

Of course this is only a simple setting of the timezone (no fiddling with the clock).

It is a matter of a few seconds to change back and forth.

Just make sure that after changing the timezone you restart the browser.

At least Firefox seems to read these only after opening.

 

But who knows whether it is needed anyway.

 

Link to comment
Share on other sites

All the VPNs are dynamic IPs and used by thousands, and banks know this. Try opening a bank account while connected to a VPN. May not work at all. I would recommend getting a personal static/dedicated IP, in addition to setting your clock to US time. I don’t believe PIA has dedicated IP, but Nord does. I believe Pure does too. Costs about $70 per year and is one single IP that is entirely yours in one single, static location. Kind of like home cable.

 

 

Sent from my iPhone using Thaivisa Connect

 

Link to comment
Share on other sites

1 hour ago, mduras01 said:

All the VPNs are dynamic IPs and used by thousands, and banks know this. Try opening a bank account while connected to a VPN. May not work at all. I would recommend getting a personal static/dedicated IP, in addition to setting your clock to US time. I don’t believe PIA has dedicated IP, but Nord does. I believe Pure does too. Costs about $70 per year and is one single IP that is entirely yours in one single, static location. Kind of like home cable.

 

 

Sent from my iPhone using Thaivisa Connect

 

Those are good suggestions; I'll investigate the static IP thing.

Link to comment
Share on other sites

2 hours ago, KhunBENQ said:

After checking again: you are correct that this site can detect a "local" and a "system" time.

 

"change my system clock": just to make sure that we talk about the same.

Of course this is only a simple setting of the timezone (no fiddling with the clock).

It is a matter of a few seconds to change back and forth.

Just make sure that after changing the timezone you restart the browser.

At least Firefox seems to read these only after opening.

 

But who knows whether it is needed anyway.

 

 

I guess that one way to handle it would be to only start Firefox from a batch file like this:

tzutil /s "Eastern Standard Time"
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
tzutil /s "SE Asia Standard Time"

 

 

Link to comment
Share on other sites

 

I guess that one way to handle it would be to only start Firefox from a batch file like this:

 

tzutil /s "Eastern Standard Time"

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

tzutil /s "SE Asia Standard Time"

 

 

 

Yet another way to deal with the issue would be to turn off javascript support in your browser, as it's javascript that is making your system clock visible to websites like https://whoer.net and https://www.doileak.com.  However doing that will break a lot of webpages, including Fidelity's.

 

 

Link to comment
Share on other sites
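What a page script can read from the browser clock, and the consistency check a site could run against the timezone of the connecting IP, as an added example that is not part of the original thread. The function names are hypothetical, and the `ipZone` argument is assumed to come from the site's own IP-geolocation lookup, which is not shown; the sample instant and zones are constructed.

```javascript
// Added example (not from the thread): timezone-consistency check.

// What any page script can read without a permission prompt.
function readClientClock(now = new Date()) {
  return {
    // IANA zone name taken from the OS/browser settings
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    // getTimezoneOffset() is minutes WEST of UTC; negate for minutes east
    offsetMinutes: -now.getTimezoneOffset(),
  };
}

// UTC offset (minutes east of UTC) of an IANA zone at a given instant.
// DST-aware: the zone's wall-clock fields are re-read as if they were UTC.
function zoneOffsetMinutes(timeZone, instant) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone,
    hourCycle: "h23",
    year: "numeric", month: "numeric", day: "numeric",
    hour: "numeric", minute: "numeric", second: "numeric",
  }).formatToParts(instant);
  const f = {};
  for (const p of parts) {
    if (p.type !== "literal") f[p.type] = Number(p.value);
  }
  const asUtc = Date.UTC(f.year, f.month - 1, f.day, f.hour, f.minute, f.second);
  return Math.round((asUtc - instant.getTime()) / 60000);
}

// Compare the offset reported by the browser with the offset expected
// for the zone the connecting IP geolocates to (ipZone is an assumption:
// it would come from the site's IP-geolocation data).
function checkTimezoneConsistency(clientOffsetMinutes, ipZone, instant) {
  const expected = zoneOffsetMinutes(ipZone, instant);
  const delta = clientOffsetMinutes - expected;
  return {
    expectedOffsetMinutes: expected,
    clientOffsetMinutes,
    deltaMinutes: delta,
    mismatch: delta !== 0,
  };
}

// Constructed sample: a browser on Thai time (UTC+7) arriving from an IP
// that geolocates to Los Angeles, late October 2017 (US DST still active).
const sampleInstant = new Date("2017-10-29T20:00:00Z");
const sampleResult = checkTimezoneConsistency(420, "America/Los_Angeles", sampleInstant);
console.log(readClientClock(), sampleResult);
```

A mismatch is a signal rather than proof: a mis-set clock or a traveller's laptop produces the same result, so a site would normally weigh it alongside other signals.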

Seems like the optimal solution would be to set your system clock to the target timezone, eg. US Eastern time, and then run a different clock application, not the system clock, to display the time in the timezone of your preference, let's say Bangkok, for example.  The point is that you don't really care what your actual system time is, although you may find it convenient to look at the pc to check the time.

Link to comment
Share on other sites

Yet another way to deal with the issue would be to turn off javascript support in your browser, as it's javascript that is making your system clock visible to websites like https://whoer.net and https://www.doileak.com.  However doing that will break a lot of webpages, including Fidelity's. 

 

 

 

 

Seems like the optimal solution would be to set your system clock to the target timezone, eg. US Eastern time, and then run a different clock application, not the system clock, to display the time in the timezone of your preference, let's say Bangkok, for example.  The point is that you don't really care what your actual system time is, although you may find it convenient to look at the pc to check the time.

 

That's a good idea. Do you know of a good clock app that will let you do that?

 

Link to comment
Share on other sites

 
That's a good idea. Do you know of a good clock app that will let you do that?
 




In Linux it's easy.  Don't know an app in Windows.  You'll have to do your own search.


OK, thought that you might know. On Linux it is also easy to specify a different time zone for each process as it's just a matter of overriding an environment variable.
Link to comment
Share on other sites

22 hours ago, suzannegoh said:

I'm aware that the system clock being different than it should be isn't proof of anything - the clock could just be set incorrectly.  However it doesn't need to be proof of anything to cause a problem - if it causes Fidelity (for example) to become suspicious it might cause them to look closer at your account and to ask for proof that you live at the address that you have on record with them.

If trading online as a US resident while physically being overseas is simply violating one of Fidelity's rules then no big deal. I am pretty sure that changing the time zone and clock time so as to appear to be in 'real time' in the selected US time zone before connecting by VPN, then that should be all that's needed. If the rule that the OP is seeking to defeat is based on federal law, then maybe some caution is advisable here.

Link to comment
Share on other sites



OK, thought that you might know. On Linux it is also easy to specify a different time zone for each process as it's just a matter of overriding an environment variable.




If trading online as a US resident while physically being overseas is simply violating one of Fidelity's rules then no big deal. I am pretty sure that changing the time zone and clock time so as to appear to be in 'real time' in the selected US time zone before connecting by VPN, then that should be all that's needed. If the rule that the OP is seeking to defeat is based on federal law, then maybe some caution is advisable here.


As far as I know it's just an issue of the financial institution's policies.
Link to comment
Share on other sites

If trading online as a US resident while physically being overseas is simply violating one of Fidelity's rules then no big deal. I am pretty sure that changing the time zone and clock time so as to appear to be in 'real time' in the selected US time zone before connecting by VPN, then that should be all that's needed. If the rule that the OP is seeking to defeat is based on federal law, then maybe some caution is advisable here.

 

The feds aren't being cheated by this - everything still gets reported to the IRS by Fidelity and the IRS knows where I live.

 

 

 

Link to comment
Share on other sites

I trade (sell) both on Fidelity and Schwab from Thailand and have never had a problem, no VPN used, but then again my accounts were opened in the US,  have an actual physical US address and only for debit card purposes do they care where I am physically (notification of overseas travel) 

 

Only financial institution that seems to care is Discover, who notify me every time I log into my account from Thailand that my account has been accessed from overseas, but since I don't use the Discover Card here in Thailand I just ignore the "warning" and pay the bill for recurring US charges via my US Bank Internet bill pay 

Link to comment
Share on other sites

I trade (sell) both on Fidelity and Schwab from Thailand and have never had a problem, no VPN used, but then again my accounts were opened in the US,  have an actual physical US address and only for debit card purposes do they care where I am physically (notification of overseas travel)   

Only financial institution that seems to care is Discover, who notify me every time I log into my account from Thailand that my account has been accessed from overseas, but since I don't use the Discover Card here in Thailand I just ignore the "warning" and pay the bill for recurring US charges via my US Bank Internet bill pay 

 

 

For a long time I was using Fidelity from Asia with no VPN, I started using one about 3 or 4 years back when a pop-up started appearing on their login screen saying something about "this website is for domestic users" and asking you to click OK to continue. The website still worked (and I presume still does for international users) but around the same time I started hearing anecdotes about Fidelity restricting non-residents from trading US-registered mutual funds so I started getting religious about using a VPN.

 

Probably if Fidelity did catch on it would only be a minor inconvenience but I'd rather not find out. I've had money with them for 25 years because my employer's 401k plan used them and probably they wouldn't unceremoniously close longstanding accounts. What happened with TD Ameritrade a few years ago is that they started sending letters to clients who were using mail-forwarding services as their "home address" and asked for a real one. So I gave them the address of a relative and I never heard anything more about it.

 

 

 

Link to comment
Share on other sites

22 minutes ago, Langsuan Man said:

I trade (sell) both on Fidelity and Schwab from Thailand and have never had a problem, no VPN used, but then again my accounts were opened in the US,  have an actual physical US address and only for debit card purposes do they care where I am physically (notification of overseas travel) 

 

Only financial institution that seems to care is Discover, who notify me every time I log into my account from Thailand that my account has been accessed from overseas, but since I don't use the Discover Card here in Thailand I just ignore the "warning" and pay the bill for recurring US charges via my US Bank Internet bill pay 

I can confirm from personal experience that if Fidelity finds out that your physical address is not a US residence they will close your account.

 

It can be hard to decide how many precautions that we might currently take will in the future prove to be sufficient.  The fact that they have not currently flagged us, for persistently logging in from Thailand, for example, is no assurance that at some point in the future they will not look back over their records of our ip addresses and decide on that basis from whom to demand a current utility bill with a US address, for instance.  That may sound excessively paranoid, but we are creating trails of historical information about ourselves and when requirements change there will be no grandfathering in.

 

 

Link to comment
Share on other sites

One's physical address and one's residence address are two separate things. So long as I maintain a US residence address as far as anyone is concerned I am on vacation, where is my business, not theirs.

Only thing is that it takes planning, you just can't wing it, and expect to get away with it. Banks and brokerage firms have to worry about US regulators, that is why they monitor your location, they want your business but not at the expense of crossing the feds

Sent from my Nexus 5X using Thailand Forum - Thaivisa mobile app

Link to comment
Share on other sites

5 minutes ago, Langsuan Man said:

One's physical address and one's residence address are two separate things. So long as I maintain a US residence address as far as anyone is concerned I am on vacation, where is my business, not theirs.

Only thing is that it takes planning, you just can't wing it, and expect to get away with it. Banks and brokerage firms have to worry about US regulators, that is why they monitor your location, they want your business but not at the expense of crossing the feds

Sent from my Nexus 5X using Thailand Forum - Thaivisa mobile app
 

It's definitely easier if you set everything up prior to leaving the US.  Generally if you have a US address (even a mail forwarding service), a Google Voice phone number in the same area code as your mailing address, and use a VPN no one has any reason to suspect that you are outside of the US.
 

Link to comment
Share on other sites

On 10/29/2017 at 3:54 PM, KhunBENQ said:

Probably I haven't got your point?

 

But I just set my timezone on Windows to California (UTC-8).

Then (and now) connect to a Los Angeles VPN server and this whoer.net shows my timezone to be in Los Angeles (currently UTC-7 due to daylight saving).

 

Hmm.... when I connect direct to the whoer.net site, of course it shows here for both location & time.

 

But when I connect to my U.S. VPN and then re-try the same site, it times out with a "secure connection failed" error.

 

That said, I've done a lot of banking interactions thru the years, and for those I've done, the VPN alone always seemed to be enough. I've never been questioned beyond that.

 

Link to comment
Share on other sites

10 hours ago, suzannegoh said:

Probably if Fidelity did catch on it would only be a minor inconvenience but I'd rather not find out. I've had money with them for 25 years because my employer's 401k plan used them and probably they wouldn't unceremoniously close longstanding accounts.

 

 

I wouldn't want to be the one betting on that... :sad:

Link to comment
Share on other sites

I can confirm from personal experience that if Fidelity finds out that your physical address is not a US residence they will close your account.
 
It can be hard to decide how many precautions that we might currently take will in the future prove to be sufficient.  The fact that they have not currently flagged us, for persistently logging in from Thailand, for example, is no assurance that at some point in the future they will not look back over their records of our ip addresses and decide on that basis from whom to demand a current utility bill with a US address, for instance.  That may sound excessively paranoid, but we are creating trails of historical information about ourselves and when requirements change there will be no grandfathering in.
 
 


What options did they give you when they shut your account? Could you have left your money there and just not be able to buy any more shares in mutual funds?
Link to comment
Share on other sites

On 10/29/2017 at 7:50 PM, mduras01 said:

All the VPNs are dynamic IPs and used by thousands, and banks know this. Try opening a bank account while connected to a VPN. May not work at all. I would recommend getting a personal static/dedicated IP, in addition to setting your clock to US time. I don’t believe PIA has dedicated IP, but Nord does. I believe Pure does too. Costs about $70 per year and is one single IP that is entirely yours in one single, static location. Kind of like home cable.

 

 

I've never had any problems using a dynamic IP account. And in fact, a lot (most?) U.S. ISP accounts are dynamic as well, in that their assigned IP addresses may change when the router or modem is restarted/reset, etc.

 

But what certainly does help is that the IP you're using remains relatively constant in terms of the area it's identified as being from. I don't think it's such a big deal when your IP changes from one San Francisco address to another SF IP address... But it's when the bank's systems recognize you as regularly logging in from San Francisco, and then suddenly you pop up with a Utah IP address, that's where problems can sometimes arise.

 

Link to comment
Share on other sites
