Earlier today I was drawn to a conversation happening over on social media about the safety of using your mobile banking apps on public Wi-Fi. With the introduction of online banking, customers of a bank or other financial institution can now conduct a range of financial transactions through the institution’s website or apps. This means using the internet to transact. While doing so on mobile data or your private Wi-Fi is alright, are you safe while using public Wi-Fi?
The issue with public Wi-Fi is the risk of getting compromised. There are countless ways people with malicious intent may get your details on public Wi-Fi; however, the most relevant in this case is sidejacking, also known as session hijacking.
Session Hijacking
A session is just a series of interactions between two servers during the span of a single connection. Let’s say you log in to your bank account. Your session has started and will end once you log out.
Sessions are used by apps to store parameters relevant to the user and accommodate users’ requests. The session lives until a predefined period of inactivity has passed.
A session ID is an alphanumeric string that helps the server identify a user’s active session. Session IDs are commonly stored in cookies. Thus, Session Hijacking is also known as Cookie Side-jacking or Cookie Hijacking, because it relies on the hacker’s knowledge of your session cookie.
The attacker can successfully perform session hijacking once they have stolen your session cookie. Once authenticated, the attacker can take over the session, fooling the server into thinking it is the legitimate user.
After a successful session hijacking attempt, the attacker can perform all the actions the victim is authorized to do. If you’re logged into your online banking service, the attacker can use the session to transfer money and make purchases on web stores.
Sidejacking relies on obtaining information via packet sniffing (hackers monitor network traffic in real-time and steal data).
While most banking apps send a one-time password for every session you log in to, this method taps into your live login session. Using this method, cybercriminals can’t read your password or PIN. However, this is just one way you’re vulnerable; there are other ways, such as downloading malware to obtain such data over the unsecured Wi-Fi.
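Because sidejacking depends on the session cookie crossing the network where a sniffer can read it, a site operator can check whether a response leaves that cookie exposed. The following is an added example, not code from the original post: the header values are constructed samples, and the function names and the 30-minute lifetime policy are assumptions.

```python
# Added example: audit a response's headers for session-cookie exposure.
# Header values in SAMPLE_* are constructed for illustration, not captured traffic.
MAX_SESSION_AGE = 1800  # assumed policy: 30 minutes, adjust to your own

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes) with lowercase keys."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(scheme, headers):
    """Return findings for a response given as (scheme, [(header, value), ...])."""
    findings = []
    names = [h.lower() for h, _ in headers]
    if scheme != "https":
        findings.append("response sent over cleartext HTTP")
    elif "strict-transport-security" not in names:
        findings.append("no HSTS header: a later request may fall back to HTTP")
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, cookie can travel unencrypted")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, page scripts can read it")
        age = attrs.get("max-age", "")
        if age.isdigit() and int(age) > MAX_SESSION_AGE:
            findings.append(f"{name}: Max-Age {age}s exceeds {MAX_SESSION_AGE}s policy")
    return findings

SAMPLE_WEAK = ("http", [("Set-Cookie", "SESSIONID=abc123; Path=/; Max-Age=86400")])
SAMPLE_HARDENED = ("https", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900"),
])

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_response(*sample))
```

The weak sample produces four findings, while the hardened sample, served over HTTPS with HSTS and a Secure, HttpOnly, short-lived cookie, produces none.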
Is it Safe to Access Mobile Banking Apps on Public Wi-Fi?
No, it is not. While the chances are low that you will get compromised, if someone wants to, they can. “If you connect to unsecured WiFi, every step you take online can be monitored by malicious third parties, also known as hackers. As a consequence, anyone who manages to intercept an unprotected hotel WiFi connection can snoop on you typing your passwords, login credentials, banking info, and other private information.” Nord VPN states.