Online internet banking via hotel internet service. How safe is it?

[rockyysdt]

I avoid it completely wherever possible, but I can foresee the need to use internet banking whilst on the move.

How safe is internet banking via an ethernet cable (preferring this to wifi) when staying at hotels in Thailand?

I use a Netbook which is loaded with Microsoft Internet Essentials virus/spyware security.

Many thanks.

R

Edited May 25, 2015 by rockyysdt

[rockyysdt]

It's generally save as long as your Internet bank provider offers encryption. They all should do so.

But if you are in doubt, buy a prepaid mobile internet card with an modem, or use it with your phone. That way you can do your banking over the mobile network, instead of using the hotel's infrastructure.

Thanks for your tip.

I often think mobiles offer the least protection.

The problems coming from the sites you may "go to/have been to", rather than from the Internet service you may be using.

[ubonjoe]

I have done it on a hotel Wi Fi. There was no choice because they did not have anything else. I feel the internet banking I have has so much protection that it is safe.

To change anything requires a OTP to my phone and I get an email for every log in and an SMS for any transfers.

[rockyysdt]

I have done it on a hotel Wi Fi. There was no choice because they did not have anything else. I feel the internet banking I have has so much protection that it is safe.

To change anything requires a OTP to my phone and I get an email for every log in and an SMS for any transfers.

Mine is similar, but have switched to e-mail alerts at this stage as I don't have international roaming for my usual mobile number.

[lj cm]

If you have a smartphone (android); then turn 'Mobile data' and 'WiFi hotspot' on.

Then you can connect from your Netbook to your phone; same as you would do at home to your Router.

[KhunBENQ]

If you use your own netbook and take care that it is free from trojans/keyloggers etc. then there is no special concern to use a hotel WiFi or LAN cable. Its not safer or unsafer than from any other place.

There are banking site that are more safe (state of the art) and other quite lax (outdated/suspicous encryption).

The secured connection will not be cracked by some hotel staff or the like.

For that it would need the fuill attention of a well known three letter organization

(what is possible is still a well hidden secret, even Snowden can't tell you)

Keep that apart from the fact, that unsecured connections over public internet access points (be it WiFi or LAN cable) CAN be logged/read.

At the router of the hotel ANY unsecured (non encrypted) traffic can be logged/read.

To learn about the security rating of your online bank:

https://www.ssllabs.com/ssltest/

Enter the URL (domain name only) that you would use.

(example "hsbc.co.uk" -> poor, grade C)

Edited May 25, 2015 by KhunBENQ

[bendejo]

Security on your handheld device is not as strong as a desktop computer that has been well set up. But I do suggest that the security software (firewall, anti-virus, anti-malware) include products made by companies other than MS. Also, not using the IE browser is a good idea, IMO.

[technologybytes]

I agree that using a mobile hotspot via 3g data is much more secure, it's likely that if you use a smartphone then there is a app for your bank which should be even more secure.

Anybody can stay in the hotel and broadcast an insecure wifi access point with the same name as your hotel and capture data.. but I have never heard of that with 3g.

If your bank uses a security device (the dongle which gives you a secure code) then you are much safer. Be especially careful with Thai banks because they won't refund you if you are a victim of fraud.

Edited May 26, 2015 by technologybytes

[asdecas]

You'll find in any case that fewer and fewer hotels offer cable connexions any more, they almost all rely on wifi these days.

[recycler]

It is very dangerous to use WiFi in hotels, almost all are managed by people who don't know what they do and many are hacked with software that will hack your session and get access to your accounts. Never ever use any password protected service over hotel WiFi, not email, not facebook and certainly not internet banking!!!

If you can use a mobile provider via 3G or EDGE that is safer.

The safest way is to setup a VPN connection to a server you trust or use a TOR browser to get you safely out of the hotel WiFi.

[Minnehaha]

I agree that using a mobile hotspot via 3g data is much more secure, it's likely that if you use a smartphone then there is a app for your bank which should be even more secure.

Anybody can stay in the hotel and broadcast an insecure wifi access point with the same name as your hotel and capture data.. but I have never heard of that with 3g.

If your bank uses a security device (the dongle which gives you a secure code) then you are much safer. Be especially careful with Thai banks because they won't refund you if you are a victim of fraud.

Yes, that's an important point, thank you.

In many (most) western countries, if your credit card is stolen or used without authorization ( same thing) and you report it ASAP, Visa Mastercard and other big ones will hold you accountable for first $50, only.

If your Visa card (Debit or Credit) is issued by a Thai bank it is a completely different game. I know people who have one of those credit/debit cards that can do both. The guy was in the States and the card was hijacked (prob scanned) and used to the tune of $8,000. Bank said it was his problem. He fought it and eventually won, but it was only through personal connections.

I would not use a credit card that is linked to cash account. And I use all the safeguards available, as others have pointed out, including OTP, etc. However, when abroad, it is not convenient to do that and there is no authorization system for credit cards.

Bottom line: Credit card consumers have no recourse here. Debit cards also (obviously) have no recourse. It is up to you to prove the case with your bank and hope you have a good one and they are feeling generous.

[rockyysdt]

If you use your own netbook and take care that it is free from trojans/keyloggers etc. then there is no special concern to use a hotel WiFi or LAN cable. Its not safer or unsafer than from any other place.

There are banking site that are more safe (state of the art) and other quite lax (outdated/suspicous encryption).

The secured connection will not be cracked by some hotel staff or the like.

For that it would need the fuill attention of a well known three letter organization

(what is possible is still a well hidden secret, even Snowden can't tell you)

Keep that apart from the fact, that unsecured connections over public internet access points (be it WiFi or LAN cable) CAN be logged/read.

At the router of the hotel ANY unsecured (non encrypted) traffic can be logged/read.

To learn about the security rating of your online bank:

https://www.ssllabs.com/ssltest/

Enter the URL (domain name only) that you would use.

(example "hsbc.co.uk" -> poor, grade C)

The test revealed that my bank is graded A- due to "The server does not support Forward Secrecy with the reference browsers.".

A test done on Bangkok Bank (bangkok.com) revealed :

"We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:

• The web site does not use SSL, but shares an IP address with some other site that does.
• The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
• The web site uses a content delivery network (CDN) that does not support SSL.
• The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake."

[rockyysdt]

It is very dangerous to use WiFi in hotels, almost all are managed by people who don't know what they do and many are hacked with software that will hack your session and get access to your accounts. Never ever use any password protected service over hotel WiFi, not email, not facebook and certainly not internet banking!!!

If you can use a mobile provider via 3G or EDGE that is safer.

The safest way is to setup a VPN connection to a server you trust or use a TOR browser to get you safely out of the hotel WiFi.

It seems nothing is secure.

I understood TOR browser users would come under special attention by authorities as it would attract criminals and those with something to hide.

How would I set up a VPN?

Carry large sums of cash/gold, credit cards, atm cards, foreign bank accounts, take your pick, either way you can be screwed.

[rockyysdt]

If you use your own netbook and take care that it is free from trojans/keyloggers etc. then there is no special concern to use a hotel WiFi or LAN cable. Its not safer or unsafer than from any other place.

There are banking site that are more safe (state of the art) and other quite lax (outdated/suspicous encryption).

The secured connection will not be cracked by some hotel staff or the like.

For that it would need the fuill attention of a well known three letter organization

(what is possible is still a well hidden secret, even Snowden can't tell you)

Keep that apart from the fact, that unsecured connections over public internet access points (be it WiFi or LAN cable) CAN be logged/read.

At the router of the hotel ANY unsecured (non encrypted) traffic can be logged/read.

To learn about the security rating of your online bank:

https://www.ssllabs.com/ssltest/

Enter the URL (domain name only) that you would use.

(example "hsbc.co.uk" -> poor, grade C)

Hello Khun B.

Thank you for your informative reply.

As it is contradictory, how would you respond to "recyclers" post?

Quote: " It is very dangerous to use WiFi in hotels, almost all are managed by people who don't know what they do and many are hacked with software that will hack your session and get access to your accounts. Never ever use any password protected service over hotel WiFi, not email, not facebook and certainly not internet banking!!!"

[KhunBENQ]

Clearly contradictionary.

You would have to go in technical detail to find out whether a hotel hotspot could hack into your banking connection.

Would be a "man in the middle" attack.

A good secured connection should not be exposed to such threat.

And this one:

are hacked with software that will hack your session and get access to your accounts

Is purely a bad dream. Proof or example how this should work on your PC/device.

Again a different story: using public devices/PCs at internet cafes or the like.

That IS dangerous. Risk of trojans/keyloggers.

Bangkok Bank

Indeed. Just did a recheck and I am surprised how bad it is.
"C" rating.

Could bet it had been better in the past?

(maybe due to new threats found and not fixed)

Siam Commercial (SCB): also "C" rating!

Kasikorn also "C".

Edited May 26, 2015 by KhunBENQ

[KhunBENQ]

I also checked two banks in Germany that obviously been downgraded.

There must have been significant new threats being detected over the last year.

But just remind: this is not something specific for public WiFi / internet.

[hawker9000]

Two suggestions:

KNOW your bank's policies regarding your liability for fraudulent activity on your account AND phone numbers for reporting incidents.

Many banks offer a menu of alerts which can be implemented for informing you of unusual activity and tripping of limit triggers via email and SMS text. Avail yourself of these things; turn them on and set appropriate limits (don't just blindly accept the defaults).

Additionally, many banks will let you set a "special" password or codeword, which is never used to logon or make an ATM or cc transaction, but must be used anytime you want to make any changes to your account by phone. This helps prevent "account hijacking", unauthorized add'l cards, etc.

[nithisa78]

You Can't Cheat an Honest Man

WC Fields

[hawker9000]

You Can't Cheat an Honest Man

WC Fields

Some quaint truth to that ...

... about a hundred years ago.

[Thakkar]

One problem with hotel WiFi's is that hackers often set up their own WiFi networks near hotels that have similar names to the hotel's network. Make sure you don't connect to the wrong network or they will log your keystrokes.

T

[phazey]

As long as;

The site is encrypted with SSL/HTTPS and the certificate is valid (not self signed)

Your laptop/netbook is clean

No one is watching you enter your credentials

Your account is protected with 2FA like a pin dongle

You'll be fine.

[KhunBENQ]

One problem with hotel WiFi's is that hackers often set up their own WiFi networks near hotels that have similar names to the hotel's network. Make sure you don't connect to the wrong network or they will log your keystrokes.

T

No.

Repetition does not make it better!

Again: if the connection is encrypted, no Somchai hobby spy can read anything.

Keystroke logging takes place on the device (PC, laptop or whatever).

If its your device, its "up to you" to keep it clean.

But on public terminals/internet cafes/other peoples devices etc.: be careful, dangerous!

Never enter sensitive data on a device that a "friendly person" borrows you.

[astral]

How security conscious is your bank?

Do they ask for all the password? If so they are not security aware

I have a 4 digit PIN and a 13 character password with my UK bank

I am only ever asked for 3 of the PIN digits, in a random order

and 4 characters from the password

The next time the combination is different, so a keylogger would have to watch

for a long time to get the necessary data to hack my account

[siam2007]

I use STEGANOS VPN on both my laptop and my mobile devices. 500 MB data traffic per month is free and is more than enough to do some transaction that require enhanced security. even in the basic version, you can choose an IP from many countries they have in their list. google for it

[rockyysdt]

I use STEGANOS VPN on both my laptop and my mobile devices. 500 MB data traffic per month is free and is more than enough to do some transaction that require enhanced security. even in the basic version, you can choose an IP from many countries they have in their list. google for it

How does one protect themselves from steganos themselves?

[hawker9000]

One problem with hotel WiFi's is that hackers often set up their own WiFi networks near hotels that have similar names to the hotel's network. Make sure you don't connect to the wrong network or they will log your keystrokes.

T

No.

Repetition does not make it better!

Again: if the connection is encrypted, no Somchai hobby spy can read anything.

Keystroke logging takes place on the device (PC, laptop or whatever).

If its your device, its "up to you" to keep it clean.

But on public terminals/internet cafes/other peoples devices etc.: be careful, dangerous!

Never enter sensitive data on a device that a "friendly person" borrows you.

I agree that internet cafes, hotel-provided PCs, and other shared PCs should be avoided for personal banking and where the entry of sensitive info & credentials are involved. However, some may find this unavoidable on occasion. If so, then you should be checking up on your accounts afterward on a regular basis, preferably from a secure device, to make sure they haven't been compromised. If you have no such secure device, then perhaps by phone for account balances & recent transactions. If THAT's not possible, then be sure and check on things FIRST THING after you get back home!

Frequent travelers really should have a well-maintained, adequately secured, personal wifi-capable device with VPN services configured on it.

That you have a secure connection to your hotel's access point doesn't mean you're still not vulnerable to a man-in-the-middle attack on the hotel's network (tho' I'd consider that risk relatively low in most cases). A VPN secures your connections all the way from your own device (assuming it's clean) to the VPN server you're using. The problem in a thai hotel is that the available internet bandwidth (not to be confused with wifi signal strength or "bars") may not be sufficient for a workable VPN connection.. This is where being able to "tether" from your cellphone or use of "mifi" device with thai simcard & dataplan come in.

Edited May 31, 2015 by hawker9000

[gk10002000]

I have done it forever here in the USA over the years and in Thailand I routinely use the local internet shops to access my accounts when necessary. I don't bring my own laptop. I assume my bank has the appropriate security. I never had a problem and over the years have connected with my USA banks, credit card companies, some state websites, etc. However, my workplace says to ALWAYS use a VPN when using any wifi anywhere outside of work for anything and prohibit us from using wifi as is. They give us such a thing for out laptops but I have never set it up or used it. You might want to look at getting a VPN.

[hawker9000]

One problem with hotel WiFi's is that hackers often set up their own WiFi networks near hotels that have similar names to the hotel's network. Make sure you don't connect to the wrong network or they will log your keystrokes.

T

No.

Repetition does not make it better!

Again: if the connection is encrypted, no Somchai hobby spy can read anything.

Keystroke logging takes place on the device (PC, laptop or whatever).

If its your device, its "up to you" to keep it clean.

But on public terminals/internet cafes/other peoples devices etc.: be careful, dangerous!

Never enter sensitive data on a device that a "friendly person" borrows you.

I agree that internet cafes, hotel-provided PCs, and other shared PCs should be avoided for personal banking and where the entry of sensitive info & credentials are involved. However, some may find this unavoidable on occasion. If so, then you should be checking up on your accounts afterward on a regular basis, preferably from a secure device, to make sure they haven't been compromised. If you have no such secure device, then perhaps by phone for account balances & recent transactions. If THAT's not possible, then be sure and check on things FIRST THING after you get back home!

Frequent travelers really should have a well-maintained, adequately secured, personal wifi-capable device with VPN services configured on it.

That you have a secure connection to your hotel's access point doesn't mean you're still not vulnerable to a man-in-the-middle attack on the hotel's network (tho' I'd consider that risk relatively low in most cases). A VPN secures your connections all the way from your own device (assuming it's clean) to the VPN server you're using. The problem in a thai hotel is that the available internet bandwidth (not to be confused with wifi signal strength or "bars") may not be sufficient for a workable VPN connection.. This is where being able to "tether" from your cellphone or use of "mifi" device with thai simcard & dataplan come in.

Oh, and one other suggestion for after you get home if you've been using shared PCs overseas: Change your passwords!