Is stock trading via Wi-Fi hot spots secure ?

Discussion in 'Computer Security' started by abc, Oct 17, 2003.

  1. abc

    abc Guest

    As soon as you established secure connection
    it **seems** it is secure.

    But may be it just seems ?

    Can the owner of hot spot somehow trick your security ?
    Can in principle someone who may intercept
    wireless signal do the harm?

    Thanks
     
    abc, Oct 17, 2003
    #1
    1. Advertisements

  2. abc

    Kevin Guest

    Given the time, resources and ability, anyone can intercept your
    transactions. I don't do any wireless online trading myself, but I have a
    couple of friends who are professionals and they have some very aggressive
    security software that they run. Your transaction is just as vulnerable
    after it arrives at your brokerage. Think about how you use your credit
    card for example. When you give your card to a clerk to process a purchase
    and they take the card out of your immediate presence, your card number can
    be copied in seconds. An enterprising thief at the brokerage can get access
    to the trades and do whatever they want with the information. Be careful.
    Use security software. Make double sure that you are on the secured site
    for trading.
     
    Kevin, Oct 17, 2003
    #2
    1. Advertisements

  3. abc

    Peter L Guest

    Why would someone try to harm you? Are you trading millions? Are you bin
    Laden's financial manager? Think about it.
     
    Peter L, Oct 18, 2003
    #3
  4. abc

    Mark Mathu Guest


    In principle, yes.


    If a person intercepts the signal they can do harm.
    That is a no-brainer.
     
    Mark Mathu, Oct 18, 2003
    #4

  5. "what if"

    what if someone setup a "wireless hotspot" to get people to use it...
    fine.. you're now using their hotspot.... say they block all outbound
    connections, other than http... and folks go ahead and resort to using
    http links rather than VPN or https links to say "trade stocks"... or
    visiting webmail sites, etc. "what if" they "man in the middle" and
    allow https? are you confident you know how to detect such activity? are
    you sure they're not sniffing everything passing through their
    network(s)? I mean, it's theirs, they're allowed to sniff whatever they
    want to sniff.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Oct 18, 2003
    #5
  6. abc

    704set Guest

    I remember in the old days when you would buy gasoline. The kid would run
    your credit card through that thingamajig were he would pull the handle over
    the slip to get an impression. He would come out, hand you the card and the
    2 part copy to sign. What you didn't know is he ran off about 6 slips
    inside the station to use later for himself.
     
    704set, Oct 18, 2003
    #6
  7. abc

    Beoweolf Guest

    If you want a free ride, then you have to accept some risks. I find it
    totally unfathomable that someone so concerned about personal security would
    even think using a "hot-spot" is an option! Most secure sites run HTTPS or
    SSL, you could see if they will accept a VPN connection. Still an
    unregulated wireless node is nothing but a consumer honey pot, no more or
    less that registering for free information or prizes...how do you think they
    can afford the "free" service? Think about it.

    The real issue is in how the user thinks about security and the worth of
    privacy. It is "possible" to contravene almost any public encryption
    technology, matter of fact it's the law (de facto, covert or actual
    law...it's still possible for "authorities to record and eventually decode
    everything passing through the internet).
     
    Beoweolf, Oct 19, 2003
    #7
  8. abc

    Lem Lo Guest

    If you are connecting to an online trading web site, you are probably
    using HTTPS and any data sent/recieved is safe. I do not trust wired
    connections any more than wireless ones.. WEP or no WEP.
     
    Lem Lo, Oct 19, 2003
    #8
  9. You have at least two problems:

    When you connect to a WiFi hotspot you are on the same local network as the
    other users.

    Embedded deeply in the design of the network interfaces and protocols are
    *the assumption* that a local network segment is physically secure, as
    opposed to f.ex. the Internet, and therefore information can both be shared
    freely and trusted.

    This is sort of true with wired nets because they are inside a building
    f.ex., however with WiFi anyone who has the WEP for the network key can
    connect - in a WiFi hotspot there will be no WEP key allowing everybody and
    his dog access - and to top it up *there are tools* to break the feeble WEP
    encryption....once that is broken *there are also effective tools to break
    into the computers on the network*.

    Secondly, the WiFi interface in your PC will be listening for hotspots to
    connect to - A.N. Cracker may have configured *his* PC+WiFi card to be such
    a hotspot....there are of course software for that too!

    Suppose I advertise myself as a Gateway/Router to the internet instead of
    the WiFi hotspot. That means that your data will go through my computer.

    My computer & I know how to look for DNS requests. I also know that people
    often use Ameritrade, so whenever someone asks for "www.ameritrade.com" I
    hijack the DNS lookup and reply with my own special IP address at some
    server which will present you with the proper Ameritrade look & feel -
    'cause I ripped their site - except that when you try to logon I will steal
    your password and fail the logon with an apropriate error.

    So that you will not become suspicious, I will then keep a list of victims,
    so when your Ameritrade login fails and you try again, I will forward the
    proper IP address for Ameritrade this time and you can log on and be happy.

    For a while ;-)

    If I am the owner of WiFi access point this would be trivially easy to
    implement...but the only downside to the cracker in not owning the WiFi
    hotspot is degraded reliablity; he may not get all datagrams.

    The only thing preventing this is that I also need copies of the encryption
    key files stored on your computer - however there are tools for acessing
    disk drives too! Even *if* you have a firewall installed on your PC, which
    most people don't , I think I could probably get them with a little work.


    Of course you may face the same security risks on a telco-provided network
    if you share a wired network segment with other users; f.ex. the networks
    provided in appartment buildings are often configured as local segments. If
    you have an ADSL connection, you usually will have a router at your end with
    the insecure local segment being the wire from the router box to your PC.
    This is probably Ok ;-)

    Hope this helps.
     
    Frithiof Andreas Jensen, Oct 20, 2003
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.