Banking/investing online: to use or not to use a VPN?

Hello Mustachians ~
Q: Does a commercial VPN increase, decrease or is neutral to the security of my online banking and brokerage?
I’m a little confused by what I have read online.

Since I’m (a) doing all my banking / investing operations online and (b) placing most of my net worth with internet services, I’m worried that I’m putting my savings at risk.
Granted, there is no such thing as ZERO risk… hence my question above :slight_smile:

Banking: PostFinance, UBS
Brokerage: IB, Degiro

Any Mustachian well versed in online finance security?

If you’re into expanding your knowledge on internet security then you can check out The Hated One on YouTube. Although I have to warn you, he is very restrictive, like, he’s against FaceID, TouchID and other biometrics. He’s against any proprietary software, Apple, Microsoft etc.

Regarding your particular question, the entirety of your connection consists of

  1. your pc/laptop/smartphone
  2. your wifi router or 4g access point
  3. all other servers on the way, including your internet provider
  4. the destination server

What a VPN does is introduce another server on the way. So for your router and all the servers on the way (2 & 3), it appears that you’re connecting to the VPN. The destination server thinks that you’re connecting from the VPN address. So what it does is obscure the servers you’re connecting to from anyone on the way, and obscure your location from the destination server.

The additional advantage is encryption of the connection, but all banking websites and even facebook/gmail etc. have used HTTPS for a long time, which also has encryption.

Many YouTubers are sponsored by VPN providers, so they will tell you how important it is to use a VPN. But if you use a known device, a trusted internet connection and HTTPS, then I don’t see the need for a VPN. Unless you really don’t want anybody on the way to know who you’re connecting to.

I think a far greater risk comes from exploits that reside on your own machine, like a hacked OS, hacked browser, some keyloggers etc. That’s why it’s essential to run an up-to-date version of your operating system and not install any crap from unknown sources.

6 Likes

Excellent, thank you. It is indeed difficult to make your way in the maze of information online, and my concern was more one of security of my finances than purely privacy of my data vis-a-vis other websites.

Simply put, no.
The VPN you are thinking about is likely a third-party service, so you’re opening yourself up to having all your data pass through some random server administered by random people. Sure, the data is likely encrypted, but so is your direct connection to your bank/broker etc.

6 Likes

I’d rather trust the average internet service provider, Starbucks or even hotel Wi-Fi network than the average fly-by-night VPN for online banking security.

That said, a VPN can be used to obfuscate your device’s location and provide a layer of encryption against state actors. Most state actors aren’t really interested in your online banking though.

3 Likes

Yes, I guess a VPN may be practical if you’re about to do something illegal (not necessarily immoral) or something you would be ashamed of:

  • access Google / Facebook / YouTube while in China
  • access Netflix / Spotify / BBC to bypass Geoblocking
  • browsing… adult content?

But if you’re doing something perfectly legal and you have nothing to hide, then I would say a VPN introduces another theoretical security hole, instead of mending it.

2 Likes

A VPN may not provide extra security, but it can be used to improve your privacy. I personally use a VPN all the time. I do not want my internet provider to know which sites I am visiting, and I do not want those sites to know where I am physically located. When accessing online banking, this becomes important if you are spending some time traveling abroad and do not want the local authorities to know which foreign banks you have accounts with, and conversely, the banks to become curious about why you are connecting from another country.
You do not necessarily need to trust the VPN provider - they will know which websites you are visiting, but still cannot decrypt your online banking connection. And if you want to remain anonymous to the VPN provider, you can do partitioning of trust, running VPN over Tor (or over another VPN), and paying them with crypto.
So far I haven’t had any problems connecting to Swiss financial institutions (and IBKR) using a VPN - the provider I use is not Swiss, but the exit IP is Swiss. I did have a problem with Galaxus blacklisting VPN servers, and had to try several until I found one that worked…

1 Like

simple answer: NO

2 Likes

Privacy is important, but you will need to jump over FAR more hoops to truly remain unidentified. There are the cookies, websites you’re logged into, the browser itself. It’s really hard to tell how good companies like Google are at identifying you. If your ISP sees the servers you’re connecting to, provided that they are nothing to be ashamed of, then why do you really care if they know it?

I like the response of George Hotz, a developer of a self-driving Android app, to the question on the concerns about hacking:

He says: hackers are practically made up, there’s no one coming to get you.

Ah yes, Tom Scott, one of my favourites. So there you go: are you a gay pirate assassin? Use VPN! :smiley:

1 Like

Since we’re talking about online banking: I was once working on the firewall of a banking system that’s used by a few swiss banks. If you have TOR as your last step, they will automatically deny you access. I can imagine that most financial institutions have the same policy.

Technical note: It’s super easy to block all TOR users: you can just get all the exit addresses from here

1 Like

To add to this: Raiffeisen has systematically blocked my account when I connected via a VPN. I think that it is particularly disgraceful of them to do so, but that’s another story.

Concerning VPNs, you should really stay away from “free” VPNs. They need to make money. And all they have is your data.

If you pay for a VPN you should seriously look into the company you are trusting. Do you trust them more than the hotel you are staying at?

I personally vote for ProtonVPN (same company as ProtonMail) but I don’t vouch for them.

1 Like

What kind of threat are you trying to protect against?

A VPN (excl. usage in a corporate environment) primarily helps with a) anonymity, b) censorship and geo-blocks, c) your ISP’s sniffing and logging

a) You’re obviously not getting anonymity - your bank knows perfectly well who you are from your login/password/OTP. And likely in a strict legal sense too, i.e. the excuse that hackers stole your password and are logging in over a VPN to steal your money won’t work, because somewhere in your bank paperwork it probably says your password+OTP is as good as your handwritten signature and you should please guard it with your life

b) Not an issue for you obviously

c) I would rather trust an ISP in Switzerland to not log more than they should (i.e. metadata; and data only with court order) than a VPN in a third-world country with shady laws & law enforcement to do what they say they do.

But even if someone did log more than they should, why is it a problem in your scenario? Banks use SSL, your connection is encrypted all the time; at most they’ll just know when you connected to your bank and see a stream of encrypted data that’s nearly impossible for outsiders to decrypt.

Man-in-the-middle attacks where you think you connected to your bank but in reality connected to hackers require compromise of your device (or the bank or the SSL root authorities fuck up, but that’s less likely). If you install a random VPN’s own software you’re taking on the extra risk that they bundled some malware that hijacks SSL certs, hostnames, logs your keyboard, etc. Winner: no VPN in this case, or at least don’t install your VPN vendor’s custom software.

3 Likes

Plus with a VPN you’ll likely hit risk assessment protection from your bank all the time. If they tend to block/make it harder to use Tor and VPNs, it’s because that’s what most of the bad actors are using: if someone were to hack your account, what do you think they would use to connect to your bank? Surely not something that makes it easy to trace it back.

If anything, for security purposes you should make it easier for your bank to pattern match you (always use the same IPs etc.); that way, if they are good at their job, they’re more likely to catch the fraudulent access.

3 Likes
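The two server-side controls described in this thread, the firewall that denies Tor exits (the bulk exit list mentioned a few posts up) and the risk engine that gets suspicious when an account shows up from an IP it has never used, as an added example that is not code from any bank or from the forum posts. The exit-list snapshot, the login log lines, the account names and all IP addresses are constructed for illustration; the real list is published one address per line by the Tor Project, and the `#` comment handling here is an assumption for robustness.

```python
"""Source-IP controls for a login endpoint (added illustration, not a bank's code).

  1. deny any login whose source IP appears in a Tor exit-list snapshot;
  2. require step-up (e.g. a second OTP) when an account logs in from an
     IP it has never used before, which is exactly what a VPN that hops
     exit servers keeps triggering.
"""
import ipaddress
from collections import defaultdict

# Constructed snapshot in the shape of the Tor bulk exit list (one IPv4
# address per line). The addresses below are made up for this example.
TOR_EXIT_LIST = """\
# constructed sample, not a real snapshot
185.220.101.4
198.96.155.3
"""

# Constructed login log: "<timestamp> <account> <source ip> <result>"
LOGIN_LOG = """\
2023-03-01T08:02:11Z acc-1001 85.1.2.3 ok
2023-03-02T08:05:40Z acc-1001 85.1.2.3 ok
2023-03-03T19:22:05Z acc-1001 198.96.155.3 ok
2023-03-04T09:10:00Z acc-1001 146.70.10.5 ok
2023-03-04T09:15:00Z acc-2002 77.56.1.9 ok
"""


def parse_exit_list(text):
    """Return the set of ip_address objects found in an exit-list dump."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # ignore garbage lines instead of breaking the whole load
    return exits


def assess_logins(log_text, tor_exits):
    """Return [(account, ip, decision), ...] in log order.

    decision is 'deny' (Tor exit), 'step-up' (first time this account is
    seen from this IP) or 'allow' (IP already in the account's history).
    """
    seen = defaultdict(set)  # account -> IPs it has successfully used before
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, account, ip_str, result = line.split()
        ip = ipaddress.ip_address(ip_str)
        if ip in tor_exits:
            decision = "deny"        # the firewall policy described in the thread
        elif ip not in seen[account]:
            decision = "step-up"     # new source for this account: ask for more proof
        else:
            decision = "allow"
        # only successful, non-Tor logins build the per-account history
        if decision != "deny" and result == "ok":
            seen[account].add(ip)
        decisions.append((account, ip_str, decision))
    return decisions


if __name__ == "__main__":
    for row in assess_logins(LOGIN_LOG, parse_exit_list(TOR_EXIT_LIST)):
        print(*row)
```

On the constructed log the Tor login is denied outright, the first login from every new address (including the VPN exit at 146.70.10.5) is pushed to step-up, and only the repeat from the home IP is allowed silently, which is the "make it easy for the bank to pattern match you" point made above.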

Thanks a lot Mustachians – a lot of good answers here, I’m learning tons. First of all let me apologize. It may seem that I could easily have googled my questions and found reliable sources elsewhere, as quoted by @laoo_g (love Tom Scott too!!) and @Bojack… but I did find an equally large and convincing amount of Internet opinions advising that a VPN would indeed help with safety of financial data. Thanks for setting the record straight, I find the responses here a lot more credible than in many other places.

@kilyn: the kind of threat I was trying to protect against is the theft of financial credentials and financial assets (think online banking, brokerage). Example: a hacker steals my credentials, and transfers all of my (hard earned!) money into a bank account in the Cayman Islands. Your answer, along the others, made clear that a VPN would not help in this regard – and could actually be counterproductive.

VPN will do exactly nothing to increase the security here. This part is taken care of already by HTTPS / SSL protocol and works without VPN.

The biggest risk here is that your device might get compromised by malware which would allow hackers to intercept SSL traffic via man-in-the-middle attacks and/or install a keylogger. Don’t install random software of dubious origin on your machine. Ideally, get a separate laptop with nothing extra just for banking.

Another risk is that you might mistype your bank’s web address and land on hackers’ phishing website instead. This would work even without your machine being compromised. To counter this, make it a habit to visit your bank through a browser bookmark. A variation of this risk: you might see and click, perhaps in an email, on a link whose domain looks very similar to your bank’s domain, but is technically not the same, and again land on a phishing site. You might not even be able to notice the difference; the stuff you can do with unicode is сɼaẓγ

2 Likes
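The look-alike-domain trick from the post above, as an added example that is not part of the original post: the bank host name `bank.example` and the phishing host are hypothetical. The block shows two checks a practitioner can run on a link before trusting it: the IDNA (punycode) form a resolver actually looks up, which turns any label with non-ASCII letters into an `xn--` label, and a coarse mixed-script test that flags Latin letters mixed with Cyrillic or Greek look-alikes inside one label.

```python
"""Spotting an IDN homograph domain (added illustration, hypothetical hosts).

Uses only the standard library. The script classification is deliberately
coarse (Latin / Cyrillic / Greek / other), which is enough to catch the
classic substitution of a Cyrillic 'а' (U+0430) for a Latin 'a'.
"""
import unicodedata


def script_of(ch):
    """Coarse script name derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def to_dns_name(host):
    """The name the resolver really queries: punycode for non-ASCII labels."""
    return host.encode("idna").decode("ascii")


def homograph_risk(displayed_host, expected_host):
    """Return a list of reasons not to trust displayed_host; empty means it
    is exactly the expected (bookmarked) host."""
    reasons = []
    dns_name = to_dns_name(displayed_host)
    if dns_name != displayed_host:
        reasons.append(f"non-ASCII host; resolves as {dns_name}")
    for label in displayed_host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        scripts.discard("OTHER")
        if len(scripts) > 1:
            reasons.append(f"mixed scripts {sorted(scripts)} in label '{label}'")
    if dns_name.lower() != expected_host.lower():
        reasons.append(f"does not match bookmark {expected_host}")
    return reasons


if __name__ == "__main__":
    BOOKMARK = "bank.example"                     # hypothetical bank host
    for link in ("bank.example", "b\u0430nk.example", "bank-login.example"):
        print(link, "->", to_dns_name(link), homograph_risk(link, BOOKMARK) or "ok")
```

The second link renders as `bank.example` in most fonts but resolves to an `xn--` name, which is why the bookmark habit recommended above works: the browser compares the real host, not the glyphs you see.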

Wouldn’t this all be made impossible with two-factor authentication, which all my brokers and banks have?
Or is there a possibility that I get shown a mirror site in real time (i.e. without me noticing), while in the background they have logged in to my account at the same time and are transferring all my money out?

Unless you’re using something like U2F (Google calls it a security key), two-factor doesn’t protect against phishing.

(For the reason you say, they’d just replay what you input)

If you are paranoid you can buy an empty USB stick, find a PC that you are 100% sure is not compromised, install Ubuntu on that USB stick and then use it as the OS when you have to do some home banking. This will protect you from attacks on your OS (the most generic ones).

I’m not sure you should care about attacks on your modem at this point.

On a brighter side, Postfinance will insure up to 100k chf for internet scams.

1 Like

Depends how your bank uses OTP. Some of the better ones require an OTP to confirm transfers to any new bank account: you scan a QR code in the app, it shows the account and amount, and you confirm - these are the best. If the bank uses OTP just for login, then it’s susceptible to phishing and SSL hijacking. And yes, hackers may mirror or proxy your real bank’s site so you won’t notice the difference.

1 Like
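The three authentication styles discussed in the last few posts (a login-only OTP that a real-time proxy can simply relay, a U2F/WebAuthn-style assertion that the browser binds to the origin it is on, and a confirmation code bound to the account and amount shown in the app), as an added example that is not code from the forum posts or from any bank. HMAC stands in for the authenticator's public-key signature, the hosts `bank.example` and `bank-login.example` are hypothetical, and the IBANs are a published example IBAN plus a made-up attacker account. The TOTP routine follows RFC 4226/6238 and is checked against the RFC test vector.

```python
"""Phishing-proxy simulation: what a relay attacker can and cannot replay.
Added illustration; simplified model, not a bank's or a library's code.
"""
import hashlib
import hmac
import secrets
import struct

BANK_ORIGIN = "https://bank.example"          # hypothetical
PHISH_ORIGIN = "https://bank-login.example"   # hypothetical look-alike


# --- 1. login-only OTP (TOTP, RFC 6238 with SHA-1 and 6 digits) --------------
def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def bank_accepts_otp(secret, submitted, unix_time):
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def relay_otp_attack(secret, unix_time):
    """Victim types the code into the phishing page; attacker forwards it."""
    victim_code = totp(secret, unix_time)                # what the app displays
    return bank_accepts_otp(secret, victim_code, unix_time)   # True: phish works


# --- 2. origin-bound assertion (the U2F / WebAuthn idea) ---------------------
def authenticator_sign(key, origin_seen_by_browser, challenge):
    """The browser, not the user, puts the current origin into the signed data."""
    return hmac.new(key, origin_seen_by_browser.encode() + challenge,
                    hashlib.sha256).digest()


def bank_verifies_assertion(key, challenge, signature):
    expected = hmac.new(key, BANK_ORIGIN.encode() + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def relay_u2f_attack(key):
    challenge = secrets.token_bytes(32)       # issued by the bank, forwarded by attacker
    sig = authenticator_sign(key, PHISH_ORIGIN, challenge)   # victim is on phish origin
    return bank_verifies_assertion(key, challenge, sig)      # False: origin mismatch


# --- 3. transaction-bound confirmation (QR shows account + amount) -----------
def confirm_code(key, iban, amount_chf):
    return hmac.new(key, f"{iban}|{amount_chf}".encode(),
                    hashlib.sha256).hexdigest()[:8]


def bank_executes_transfer(key, iban, amount_chf, code):
    return hmac.compare_digest(code, confirm_code(key, iban, amount_chf))


VICTIM_IBAN = "CH93 0076 2011 6238 5295 7"    # published example IBAN
ATTACKER_IBAN = "KY00 0000 0000 0000 0001"   # made up for this example


def relay_transfer_attack(key):
    """Attacker replays a code the victim generated for a legitimate CHF 50
    payment against a CHF 50,000 transfer to the attacker's account."""
    legit_code = confirm_code(key, VICTIM_IBAN, "50.00")
    return bank_executes_transfer(key, ATTACKER_IBAN, "50000.00", legit_code)  # False


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print("relayed login OTP accepted:", relay_otp_attack(k, 1_700_000_000))
    print("relayed origin-bound assertion accepted:", relay_u2f_attack(k))
    print("replayed transfer code accepted:", relay_transfer_attack(k))
```

The login OTP is accepted because nothing in it says where the user typed it; the assertion fails because the phishing origin ends up inside the signed data; the transfer code fails because the account and amount the victim actually saw are part of the MAC, which is why the "scan the QR, check account and amount, confirm" flow praised above resists a real-time proxy.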