Is it safe to log in to financial apps like QuickBooks Online, Xero or online banking using the Wi-Fi from Starbucks, the airport, the library or other public networks?
At a recent bookkeepers and accountants networking meeting we had a discussion about the security of using public Wi-Fi while working on a laptop, tablet or cell phone. One colleague at the meeting posited that having a secure network is important when you are accessing unsecured sites, but if you are using public Wi-Fi to access a secure SSL website, one which begins with "https:" and has a lock icon in the URL bar, then the network security is superfluous as the site itself is secure.
This viewpoint sounded like the exact opposite of what I have heard from security experts speaking at conferences, such as Randy Johnston of Network Management Group, so I reached out to Randy to solicit his input. He told me he does not believe it is safe to use public Wi-Fi, even when accessing an https website.
He also told me about something called Pineapple MiFi (available for $199), a portable plug-in device which bad actors use as an intermediary access point. If you're connected to free Wi-Fi, all traffic will then relay through the Pineapple and the nefarious owner can now capture and filter data, UIDs, and passwords.
I found this description of the product online: “The leading rogue access point and WiFi pentest toolkit for close access operations. Passive and active attacks analyze vulnerable and misconfigured devices.” Randy noted that there is also software which can be used to intercept and commandeer a laptop.
To make his point, my colleague directed me to this link on the U.S. FTC (Federal Trade Commission) website: Tips for Using Public Wi-Fi networks. The FTC site has an excellent video using easy-to-understand language about encryption, public networks and secure websites. This is where my colleague learned that you are safe if you are on an https: website because those websites encrypt your information before it is sent. However, the article also warns, “If you use an unsecured network to login to an unencrypted website, strangers using that network can hijack your account.”
So what’s the right answer? Free Wi-Fi hotspots often aren’t secure. The FTC suggests the following:
Encryption is the key to keeping your information secure online. How can you be sure your info is encrypted?
- Don’t assume that a public network uses encryption (in fact, most don’t). If the network asks you to provide a WPA or WPA2 password, you know it uses encryption.
- The second way to protect your information is to send it through a secure website. A secure site will encrypt your information, even if the network doesn’t. If the web address starts with https:// then your information is encrypted before it is sent. The S stands for Secure. Look for https:// on every page you visit, not just the login page. If you use an unsecured network to login to an unencrypted website, strangers using that network can hijack your account.
So consider this: perhaps you are working in Starbucks, using the free Wi-Fi, but only accessing https: sites to do your work, like QBO or online banking. Assuming no one in Starbucks has a Pineapple MiFi, you could indeed be safe. But if at the end of your session, you log out of everything and then decide to check your Facebook account, which is not an https: site, you have used an unsecured network to log in to an unsecured website, thus opening the door to hijackers.
Here are the FTC’s recommended steps to take to protect yourself when using a public Wi-Fi hotspot:
• Only log in or enter personal information on secure sites that use encryption.
• Don’t use the same UID/PW on multiple sites.
• Never email financial information, including credit card and Social Security numbers, even if the network and website are secure.
• Don’t stay permanently signed into an account; always log out when you are done.
Randy Johnston recommends:
- When out in public, use an external device, such as a Verizon Jetpack, to connect to the internet. This device requires purchase of the device itself, and a monthly plan.
- Even better, use the cellular SIM card slot in your laptop, instead of an external device. Here’s an article I found online discussing which laptops offer SIM card slots.
- Use the feature in your cell phone to create and use your own cell phone hotspot. Normally this involves using a key/password. Randy warns if you’re using the key in a one-off situation, you will likely have a secure session. However, if you regularly go to the same Starbucks using the same key every time, you would be wise to periodically change the key so no one hacks it.
I think both my colleague and I were correct. Users need to take precautions when using Wi-Fi in public spaces, both by protecting how they connect to the internet and by paying attention to what kinds of websites they access (secured vs. unsecured).
Randy says there is good news: the new WPA standard will make it harder for bad actors. Standards approved in August, to be finalized in December 2019, for Wi-Fi 6 and WPA3 should make public access safe and secure. Unfortunately, it will take another few years (2022?) for the wireless access points to be upgraded since it will require a hardware replacement and software upgrade. Read more about it here.
Jody Linick is an AIPB Certified Bookkeeper, a QuickBooks® Certified Pro Advisor, and a member of the Intuit Trainer/Writer network. Her company, FitBooks Pro (formerly called Linick Consulting), specializes in remote bookkeeping services for professional services firms using QuickBooks Online. You can find her series of Blog posts here.