VPN and the Bank

Discussion in 'Techforge' started by MikeH92467, Jul 21, 2023.

  1. MikeH92467 (RadioNinja)

    Two weeks ago I got a message that my online account with WaFd Bank (née Washington Federal) was locked. I called their "help" :lol: desk and was told it was locked because of 20 attempts to get into it from Salt Lake. I do use a VPN which shows as Salt Lake City. Anyway, the agent said that might be the problem, but they weren't sure and said only my branch office could unlock it. I went there and they said it would take up to 72 hours to unlock it. Nope. Anyway, it's still locked and after a second trip to the branch it's still not unlocked, although the geeks in the backroom (whom no one can talk to) blame me for using a VPN and say any time I try to use it, the account will be locked. Today, they called and told me it was unlocked. I paused the VPN and tried to log on, but...still locked... so the manager at the branch was astounded and promised to get back on it. I'm sure she will, but I wonder just how incompetent their computer/security people are if they can't give me a straight answer about what's happened. The reason that I haven't told them to f*** off is that there is a possibility that I avoided a nasty hacking incident.
    Okay...what would you do and what would you tell them? I do have an account at a credit union, but I don't want to change my Social Security deposit, but I'm just about ready to do that. :brood:
  2. Tuckerfan (BMF)

    Dump the bank. Seriously. Because of how ISPs work, even if you're not logged in with a VPN, you can appear to be coming from outside of your "home" area. It has to do with how your ISP routes your connections and that can change from time to time, usually on the order of months or longer. So, if they basically only expect to see you connecting to their bank from your house, and your ISP changes something, the bank might think you're somewhere else and lock your account again.
  3. MikeH92467 (RadioNinja)

    Is this a matter of total incompetence? It's hard to believe that I'm the only customer that's using a VPN. If I could log off the VPN that might be an okay work-around, but it sounds like you're saying that even if I'm not using a VPN at all, it still might happen. I'm just wondering if every bank and/or credit union has this problem. :bang:
  4. Tuckerfan (BMF)

    Well, maybe yes, maybe no. It depends upon a number of factors involved and I don't know exactly how the bank is doing it (because there's a number of possible ways and I only understand like one or two of them) so there is some logic to it. From a strict security standpoint, if they are associating your account with something that your ISP gives them that lets them know with 100% certainty that you are connecting from your home computer, the odds of your account logging in from that address after having been hacked are a lot lower.

    The problem is, of course, that people travel, and ISPs change things. I'm sure you and I both know people who live in one part of the country for a few months, and then move to a different part of the country for a few months. It'd suck to have that bank if you did that, because what if you're on the other side of the country and locked out of your account? And you can't fly home, because you can't get your money to fly home so you can stop in the branch where you opened it.

    I have a not-wonderful bank, but even I, when I'm out of state, can check it online without it getting flagged as unusual activity. What should have happened when you logged in with the VPN is that it should have triggered some kind of second-factor authentication, like a text sent to your cellphone with a code. You type that code in, and Bob's your uncle!
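The behaviour Tuckerfan describes as the one that should have happened (a second-factor challenge on an unfamiliar location, rather than a lockout) can be sketched as a risk-based login decision. This is an added example, not code from the thread or from any bank; the thresholds, device ids, cities, addresses and timestamps are constructed for illustration.

```python
# Added example (not from the thread or any bank): a risk-based login decision
# that asks for a second factor on an unfamiliar location instead of locking.
# Thresholds, device ids, cities, addresses and timestamps are constructed.
from dataclasses import dataclass, field

LOCK_AFTER_FAILURES = 10      # wrong passwords inside the window before lockout
FAILURE_WINDOW_SECS = 15 * 60


@dataclass
class LoginAttempt:
    user: str
    ts: int            # epoch seconds (constructed)
    ip: str            # source address as seen by the bank (VPN exit if one is used)
    city: str          # geolocation of that address
    device_id: str     # device cookie / fingerprint presented by the browser
    password_ok: bool


@dataclass
class AccountState:
    known_devices: set = field(default_factory=set)
    known_cities: set = field(default_factory=set)
    failures: list = field(default_factory=list)   # timestamps of recent bad passwords
    locked: bool = False


def decide(state: AccountState, a: LoginAttempt) -> str:
    """Return 'locked', 'deny', 'step_up_mfa' or 'allow' and update state."""
    if state.locked:
        return "locked"
    # Only failures inside the sliding window count toward lockout.
    state.failures = [t for t in state.failures if a.ts - t <= FAILURE_WINDOW_SECS]
    if not a.password_ok:
        state.failures.append(a.ts)
        if len(state.failures) >= LOCK_AFTER_FAILURES:
            state.locked = True          # owner now needs an out-of-band unlock
            return "locked"
        return "deny"
    # Correct password: decide whether the context looks like the owner.
    new_device = a.device_id not in state.known_devices
    new_city = a.city not in state.known_cities
    if new_device or new_city:
        # Unfamiliar signal with the right password: challenge, don't lock.
        # A known device behind a VPN exit in another city lands here.
        return "step_up_mfa"
    return "allow"


def complete_mfa(state: AccountState, a: LoginAttempt) -> None:
    """After the second factor succeeds, remember the device and city."""
    state.known_devices.add(a.device_id)
    state.known_cities.add(a.city)
    state.failures.clear()


def run_scenario() -> list:
    """Constructed sequence: home login, VPN login, then a guessing burst."""
    state = AccountState(known_devices={"dev-home"}, known_cities={"Boise"})
    home = LoginAttempt("mike", 1000, "203.0.113.10", "Boise", "dev-home", True)
    via_vpn = LoginAttempt("mike", 2000, "198.51.100.7", "Salt Lake City", "dev-home", True)
    out = [decide(state, home), decide(state, via_vpn)]   # allow, step_up_mfa
    complete_mfa(state, via_vpn)
    out.append(decide(state, via_vpn))                    # allow: city now known
    last = "deny"
    for i in range(LOCK_AFTER_FAILURES):                  # wrong passwords, unknown device
        guess = LoginAttempt("mike", 3000 + i, "192.0.2.99", "Salt Lake City", "dev-unknown", False)
        last = decide(state, guess)
    out.append(last)                                      # locked on the 10th failure
    out.append(decide(state, home))                       # owner is locked out too
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The last two results show the cost of a pure lockout: once a guessing burst trips it, the owner's own home login is refused until someone unlocks the account by hand, which is the situation the thread starts from.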
  5. MikeH92467 (RadioNinja)

    That's my thought. Why not just tell everyone using a VPN that they have to use two factor authentication or risk getting locked out of their account? :clyde:
  6. tafkats (Moderator)

    Since it seems like banking is near the top of the list of things you should be using a VPN for, you'd think banks would design their security systems around that.
  7. MikeH92467 (RadioNinja)

    Which is why I’d like to talk to someone in that department.
  8. steve2^4 (Aged Meat)

    VPN to SLC gives you what? Access to Mormon Porn?

    Scrap the VPN. It's not end to end encryption, and your bank already has encryption in place.

    Even if you live in the college dorm of hacker's U, the only reason to use a VPN is to spoof your location.

    If you live in China or Iran this is desirable.
  9. Nyx (Guest)

    As someone who works in IT, I often recommend people use a VPN for many reasons, especially if you tend to use public WiFi. VPNs do use end to end encryption, and protect your IP and browsing history from being seen by your ISP. The better VPNs even let you hop multiple servers, which give you even more security.

    So you may be thinking of proxies, which don't use encryption. No one here is talking about proxies. We're talking about encrypted virtual private networks.

    By the way, folks, when you choose a VPN, choose one that has a no logging policy, and has been audited. It's also best if you choose a VPN outside of the Five Eyes countries (US, UK, Canada, Australia, New Zealand).
  10. Order2Chaos (Administrator)

    Bearing in mind that most "no-log" VPNs actually do log, and that the few big ones that don't, e.g. NordVPN, have embedded IC agents and equipment so they don't need to log; the agency can do it themselves.
  11. tafkats (Moderator)

    I can't claim to be an expert in this, but when we set up a new fileserver at work with remote access capability, having a VPN subscription was required in order to do the remote access part.
  12. Nyx (Guest)

    Yeah, I only know a very few that have been found not to log anything at all because they have been raided, and the police went away empty handed. ProtonVPN lost trust when they handed over a private email account to the authorities upon request. ExpressVPN is now owned by Kape, an ad company, who also owns Private Internet Access, too. So they go into the "untrustworthy" pile.

    I prefer Mullvad myself. They have been audited, they've been raided, and no information has been available either time because of how they set up their whole system. They're not one of the Five Eyes, though they are one of the 14 Eyes countries, but each time the Swedish authorities have approached them, they have had nothing to show for it.
  13. Fisherman's Worf

    I don't understand why more banks don't have two factor authentication. I bank at Wells Fargo (purely because they have the same initials as Wordforge) and a local credit union, and I have never had to provide more than my username and password for each.

    That being said, maybe don't use a Mormon VPN next time.
  14. MikeH92467 (RadioNinja)

    Nord is Mormon? :chris:
  15. steve2^4 (Aged Meat)

    It ain't end to end if the VPN termination is in SLC and the bank is in Idaho.

    Also the weakest point is Mike's computer. Malware there will happily use the VPN to phone home.

    If you're using non-encrypted public wifi, your browser encryption is still working.

    Shrug. I'm IT in the payments industry and encryption along with all other forms of security are my bread and butter.

    Luckily I'm not in charge of the servers that got infected by ransom-ware this spring. We're still cleaning up!
  16. Nyx (Guest)

    If your VPN isn't end to end encryption, you're doing it very wrong.
  17. steve2^4 (Aged Meat)

    It can't be end to end, unless the destination server, in this case the bank, is on the VPN.

    We already know they aren't.

    There is end to end encryption provided by the bank's app or your browser to the bank's decryption process. This is not a VPN, but it's pretty good.

    If you believe third party VPNs are end to end, you're paying for something you're not getting.
  18. Order2Chaos (Administrator)

    That’s not how this works, no. VPNs encrypt your connection to the VPN endpoint, no further. This is useful against local network threats and snooping by your ISP. Your VPN provider’s ISP can still see (but not decrypt, if it’s already encrypted) all your traffic, but can’t trace it back to you. This is good enough for most threats, but it’s in no way end-to-end encrypted in any way that ordinary TLS (SSL) isn’t.

    If you trust your home network and ISP, VPNs are useless at home.
  19. Nyx (Guest)

    The purpose of a VPN is to protect your data from ISPs and third parties, yes, but if your bank doesn't have encryption at the endpoint, then it's being done poorly. In general, most banks use end to end encryption. Most of the VPNs I use and recommend are end to end encryption systems. All of the networks I work with are all encrypted. Data is not something we play around with.

    So when your E2EE system links up with my E2EE system, the TLS handshake is encrypted (or should be). All of it encrypted. No one, at any point, sees the data who isn't meant to see it.

    If I, a third party, can see your data at any point between that transfer, then that system has failed.

    For example, Wordforge does not have encryption when you connect to the website, so I recommend people use a VPN while browsing Wordforge, and only sign into WF with a VPN if you're on a public network.
  20. Order2Chaos (Administrator)

    It's not, but that's okay unless your attacker is the NSA.
    This is not true. Anyone between your VPN exit point and your bank can see (but, if it's TLS-encrypted, not decrypt) your traffic, unless your VPN is into your bank's network, but even then the VPN handshake is public. Which is fine, as long as your attacker isn't the NSA; both TLS and whatever protocol your VPN is using for an encryption handshake are designed such that even a third party able to watch the wires in both directions during the handshake can't decrypt the data. But a VPN doesn't change that. All it does is change the apparent origin point of your requests (edit: and apparent destination of the responses).

    Yeah but as long as you have TLS, no one can read your data. What they can see is where that data is going (edit: and where it came from).

    Okay sure but a) going through a VPN only protects your traffic to the VPN; someone between the VPN and Wordforge can still read it, unencrypted, and b) we're talking about a bank, which definitely, definitely, has TLS set up.
    Last edited: Jul 25, 2023
  21. Nyx (Guest)

    Which is why I think we're talking past each other, or one of us (probably me) is thinking you're talking about something else. So let me take a crack at this again:

    Two encrypted systems connect, they pass data back and forth through an encrypted tunnel that has been verified via a handshake system where tokens are exchanged and keys verified, and if it all looks good, data passes back and forth between these two encrypted systems via an encrypted connection. Yeah, if someone manages to grab some data it's all gibberish and can't be decrypted if everything is done correctly, but otherwise your data is secure. With a VPN no one knows where it came from or who it came from, and so it's just useless.

    Also, I am very security conscious and do not trust either our government or my ISP. The government for obvious reasons, but even my ISP gathers my data and tailors ads for me, or sells it to third parties, so I make it as pointless for them to do so as possible. I believe everyone has the right to privacy, and the right to think or do as they wish behind closed doors (as long as it's not hurting anyone, obvs), and no authority has any right to spy on them.
  22. MikeH92467 (RadioNinja)

    See why some people hate this kind of shit? On the one hand we're told to use VPN's and that they're absolutely necessary...a bare minimum for protecting our information...on the other hand, it's don't bother, it's a waste of time...you don't need one. It's like trying to sort out conflicting nutrition advice :brood:
    Anyway, my account is still locked and I still haven't got an explanation from anyone who's in a position to understand it and/or resolve it. There is something that bears repeating: it's quite possible from the second-hand information I'm getting that an attempt to hack my account has been thwarted. That's why I'm being very patient trying to work through this mess. Luckily as a reporter, I learned that there are times when you've got to patiently work your way through a given system and keep pulling on threads until something starts to unravel. Also I'm now dealing with someone at the district level who may be able to break through the Chinese wall that the security types have set up. I fully understand that they don't want to be talking to angry, frustrated customers who barely know how to turn on a computer, but what they've done is set up a system where all the hapless "customer service" agents and branch-level bankers can't talk to them either. They have to email and hope for a response. The agents on the "help(less)" desk are uniformly pleasant, capable people who really want to help, but can't. Not a good situation. Talking to a district-level manager means that I'm talking to someone higher up the food chain who gets the big bucks to deal with this kind of crap.
    For the moment, my accounts are intact, I can't get the information I need...not as conveniently as I would like, but it's there. For now, I just want some answers.
  23. steve2^4 (Aged Meat)

    A VPN isn't necessary unless you want to make a content provider think you're at a location you're not. This is useful to access region restricted media on Netflix and other services. It also keeps local governments from seeing what you access.

    Encryption is standard on most services. It uses TLS or "pretty good privacy". You don't need a 3rd party VPN to double-encrypt your activity to the VPN's server unless you don't trust your roommates to eavesdrop on your WF activity. WF doesn't use any encryption. Your bank obviously does.

    Skip the VPN unless you're in Iran looking at porn.

    Don't confuse third party VPNs with one your employer might make you use to access their networks. VPNs between two parties ARE end to end.

    I work for N*C*R and work with encrypted networks daily.
    Last edited: Jul 25, 2023
  24. Nyx (Guest)

    It comes down to what we call your threat model.

    Are you talking about revolutionary ideas with someone in a hostile state or country? Yeah, use a VPN.
    Are you browsing or watching sensitive adult type material on your home network and would rather your kids not see? Yeah, use a VPN.
    Are you distrustful of your ISP because they scrape your activity logs and use them to sell to third parties? Yeah, use a VPN.
    Are you in a public cafe and using their WiFi? Yeah, use a VPN.
    Are you connecting to unencrypted websites to browse? Yeah, use a VPN. Most modern VPNs are set up to protect your data should you encounter a website with any kind of data leak. For example, the VPN I use actively intercepts trackers and malware, among other things.

    Some would argue you don't need a VPN when connecting to a bank website over your home network. I disagree, but it honestly comes down to preference. I am a proactive, security minded person, and I don't trust that the corporations who control access to my internet service have my best interests at heart. It's true that you don't need to use a VPN when browsing the regular internet if you don't care what data gets seen by your ISP. If you trust your ISP, then yeah, a VPN won't likely be necessary much of the time if you're working from home.

    Otherwise, a VPN is a wise choice and, as I said, find one that is trustworthy. I recommend Mullvad, personally. Plus, many VPNs have the added benefit of being able to do an end run around most streaming services trying to engage in geofencing. This is why many people use a VPN. Note: Mullvad doesn't have that ability as far as I can tell. I don't use streaming services, though.

    In the end, it's all up to you, but I prefer to be safer. Some people might see that as paranoid, but considering the obscene amount of data that gets scraped by ISPs and sold to third parties, to which you cannot withhold consent unless you give up that ISP, I believe it's a wise decision, and I don't believe the $3 to $5 a month for a decent VPN is an onerous decision to make.
  25. steve2^4 (Aged Meat)

    If it breaks his already secured bank connection, that's what I call onerous.
  26. Nyx (Guest)

    It's not his fault the bank is incompetent in implementing website security measures. It often feels onerous when one has to take on protecting themselves because the corporations tasked with protecting their data do the bare minimum at best.
  27. steve2^4 (Aged Meat)

    Noooo. Their website is already secured.

    His efforts are triggering their security by using a 3rd party VPN with an unexpected geographic location.

    The most risky transaction is when you hand your credit card to the waiter. After that it's the malware that you invited on your computer. A distant 3rd is malware infecting the bank's servers. Someone intercepting your message packets to your bank isn't a risk as they are already encrypted.

    As alluded to above, you're talking NSA level hacking to get your packets and decipher them.

    The only reason to pay for a VPN is for the proxy servers they provide so you can spoof your location.
  28. Nyx (Guest)

    I don't hand my credit card to anyone.
    I run Linux.
    The bank server? That one's out of my control.

    What I'm talking about is the website's configuration to account for VPNs, which they should. Many banks do, many corporate sites do. The ones that don't are making life harder on the rest of us, not the other way around.
  29. Order2Chaos (Administrator)

    This is extremely imprecise to the point of being if not useless, then wrong.

    Case 1: No VPN, no TLS. Your computer connects to another computer. They handshake in plaintext, and communicate data in plaintext. Your data is readable by any device upstream of you including your ISP, or if you're on WiFi (or a sufficiently old Ethernet network) anyone on your network, and anyone upstream of your destination. The source and destination of the traffic is readable by the same parties.

    Case 2: No VPN, TLS. Your computer connects to another computer. They handshake in plaintext to establish an encryption key. Then they switch to encrypting all further traffic with that key for the duration of the connection, which is short (in some cases, just the duration of the page load, maybe minutes more for servers trying to keep a connection alive a long time). The handshake is readable by everyone from Case 1, and the source and destination of both the handshake and encrypted traffic are readable by the same.

    Case 3: VPN, no TLS. Your computer connects to another computer. They handshake in plaintext to establish an encryption key. Then they switch to encrypting all further traffic with that key for the duration of the connection, which is long, until your computer disconnects from it. Afterwards, your computer connects to a third computer via the second computer. They handshake in plaintext and communicate data in plaintext, although from the third computer's perspective, the request handshake is with second computer, not yours. A) That handshake and your data is readable by any device between the VPN and the third computer, including either party's ISPs. B) The original handshake is readable by any device upstream of you including your ISP, or if you're on WiFi anyone on your network. C) The second computer can read everything in both directions, and knows where the traffic is coming from and going to in each direction. Anyone in B) knows that you're connected to the second computer. Anyone in A) knows that the second computer is communicating with the third computer. C) is your VPN provider.

    Case 4: VPN, TLS. Your computer connects to another computer. They handshake in plaintext to establish an encryption key. Then they switch to encrypting all further traffic with that key for the duration of the connection, which is long, until your computer disconnects from it. Afterwards, your computer requests that the other computer make requests on its behalf. The other computer connects to a third computer via its own ISP. They handshake in plaintext to establish an encryption key. Then they switch to encrypting all further traffic with that key for the duration of the connection, which is short. This handshake is readable by everyone from 3A), but they can then only see the second and third computer communicating, and not read the actual data. 3B) applies unchanged. 3C) is unchanged, except that it can't read the data after the second handshake; call this 4C.

    Case 5: VPN to other computer's network, TLS. Your computer connects to another computer. They handshake in plaintext to establish an encryption key. Then they switch to encrypting all further traffic with that key for the duration of the connection, which is long, until your computer disconnects from it. Afterwards, your computer connects to the same computer or another computer in the same network via the second computer. They handshake in plaintext to establish an encryption key. Then they switch to encrypting all further traffic with that key for the duration of the connection, which is short. 3A) is gone, because there is no upstream ISP. 3B) still exists. 4C) still exists as well.

    In none of these cases would I call any computer an "E2EE system" or "encrypted system", and I wouldn't even call any of the connections "an encrypted connection", except insofar as your ISP is concerned, with the VPN. The closest thing to an encrypted connection of all of them is Case 5.

    No one except the VPN provider. And if an attacker has taps on both sides of the VPN, they have you via timing as well, and potentially the information you're sending, if you don't have TLS in the first place (eg, your username on a forum post).

    They know you're the type of person who uses VPNs, and they can arrange a data sharing agreement with your VPN provider, or tell the government which VPN server you connect to.
    Last edited: Jul 25, 2023
  30. Nyx (Guest)

    I wasn't imprecise, per se, I just didn't word it the way you liked it. So that's a matter of opinion on your end. Nothing I said was wrong.
    I'm also talking in a group with people who don't generally discuss the technical details of security, and so using broad language is beneficial to everyone.

    Regardless, none of this helps @MikeH92467 at the moment.