Is VPN Safe For Online Banking?

Protecting privacy outside of home, a VPN can be used for banking especially when connecting from public Wi-Fi hotspots, as the connections to the VPN are encrypted. Making it difficult for malicious users on the same Wi-Fi to see what’s being done.

Is VPN safe for online banking? Online banking is safe with a VPN only if the VPN is from a reputable VPN provider. It is recommended to use a VPN when connecting over public Wi-Fi. Watch out for some VPNs especially free VPNs and VPN plugins, as these could include malware and spyware designed to steal passwords and personal information from the login pages used for online banking.

Finding out which types of VPNs can be dangerous for online banking and which types of VPNs can provide safe banking is the first step. Using a safe VPN for online banking will save you from having your passwords and other sensitive information stolen.

I use a VPN when doing online banking when I’m away from my home especially when I’m using public Wi-Fi in coffee shops, where I like to work. I take a number of precautions to make sure I am safe online and use the following tips to make sure my online banking experience doesn’t end up being compromised.

1. Use a reputable VPN

It’s imperative to use a reputable VPN (check my latest list of reputable VPNs here), as said in the previous point, giving hackers the opportunity to steal your data isn’t a good idea, so only trustworthy VPNs should be considered.

Reputable VPN service providers will follow the rules and not do anything untoward like installing malicious software, as they have their reputations to protect and anything that could damage their reputation will result in a serious loss of income.

These VPNs will also include other protections to keep your private information in check, especially your real IP address from being leaked to any of the websites you visit, protecting your privacy.

2. Don’t use a VPN plugin

The first question I always ask about VPN plugins and extensions for web browsers, is are they safe? My concerns are down to some of these plugins and extensions being able to read information from web pages in the same web browser as the plugin or extension is installed.

Any information entered into the web page forms could easily be picked up by these plugins and this is particularly troubling for those bank websites where only the user name and password need to be entered for access without any form of time generated value from a token device.

If the plugin can capture the user name and password for these types of banking websites they can easily log on, as the two factor protection of time codes generated by token devices won’t be needed and these would be incredibly difficult if not impossible to guess anyway.

These VPN plugins could also steal other personally identifiable pieces of information such as medical information, social security details, details from online shopping to bill payments, allowing the owners of the VPN plugin to build up data profiles of people using their plugins which they will then sell on the dark web.

3. Don’t use FREE VPNs

Installing FREE VPN software on to a computer rings a few alarm bells as the free VPN software will need privileged access rights generally to be installed and make network configuration changes to allow traffic to be routed across the VPN channels.

This presents an opportunity to the free VPN software developers to add additional software like, Key loggers (hidden software to log all the key strokes made on the keyboard by the person on their computer) and Screen capture tools (hidden software to periodically take screenshots of the persons computer’s desktop), sending both the key strokes and screen captures to a hackers computer.

Allowing the hacker to see not only what the user is doing from the screen captures but what they are typing at the same time. Making it possible for the hacker to credentials like passwords but also visual information like their banking details as well as their other online habits.

The credentials like passwords will be used to get access to websites that don’t use two factor protection and the details in the screens captured could be sold on the dark web as useful financial information.

4. Be careful using public Wi-Fi Hotspots with a VPN

Hackers can set up public Wi-Fi Hotspots with the single intention of stealing user credentials of anyone using their fake Wi-Fi hotspot. They know they can’t get access to any secure website connections made from a person’s web browser to their bank’s website as these connections will be encrypted and double encrypted if the bank customer is connecting using a VPN but these hackers can however use the Wi-Fi hotspot to spread malware.

So, when the person connects to the Wi-Fi hotspot and a connection page is displayed, they could be redirected to malware spreading website upon clicking the link to connect to the Wi-Fi hotspot or even to fake websites that look like the person’s banks website but when login credentials are entered into the login pages they are stolen by the hacker.

It’s important to make sure any Wi-Fi hotspot being connected to isn’t malicious, ideally use the ones you know to be legitimate (you can search for these in your area).

In my area, Wi-Fi hotspots from BT, The Cloud to O2 Wi-Fi are fine to use but if I saw a Wi-Fi hotspot with a strange name or a name that’s similar to a known Wi-Fi Hotspot, such as ‘_Starbucks_Coffee_1’ then I would be concerned.

Personally, I don’t do any internet banking from anywhere else other than my home’s Wi-Fi, as I know this is going to be safe and I don’t really need to use a VPN anyway as I know my Wi-Fi is safe and the web connection to my bank is secured with strong encryption.

5. Don’t use VPN Proxies

Many of the free VPN proxies inject adverts into the web pages returned from the websites visited, as they act as a man in the middle, so connecting to a banking site will allow them to add their web code into the web code being sent from the bank.

Whilst this could be something innocuous like web advertising, it could also be something malicious, more so if it was possible to add skimming scripts which would take the information entered into the website forms by skimming (copying these values from the website) login details and then sending the copied values to the hackers computer.

Worse still they could change the login page to send login information to another website instead of the banks website, so any user names, passwords and token codes could be automatically captured and sent in real-time to another location.

Then injected into the banks real website, but at this location the hacker has control over the computer which has just been logged on with the users credentials and they can quickly try to take advantage.

6. Make sure all connections are HTTPS

Even whilst connected with a VPN, it’s very important to make sure the bank’s login page is taking any credentials entered securely (HTTPS instead of HTTP) as otherwise these credentials will travel in the clear from the bank customers web browsers to the bank’s website, potentially providing opportunity for these credentials to be sniffed by hackers.

Many banks and other important websites use secure encrypted communication channels from their customer’s web browser all the way to the bank’s website.

Sometimes human error can create a security issue where for example the banks secure connection fails, and an insecure connection is presented instead as the website does not support redirection of insecure connections to secure connections (HTTP to HTTPS redirection or HSTS support).

Watch out for Bank Fraud alerts using VPN

Banks use sophisticated systems to try to detect fraudulent activities and this includes trying to ascertain whether the IP address of the person trying to connect to the bank is from an unusual jurisdiction.

If the bank customer normally logs into their online banking from their home in let’s say New Jersey in the US but they are now trying to log in using an IP address in China then the banks fraud systems could flag this up as unusual behaviour and try to block the connection.

Now with some VPNs, their default settings are to set to try and find the fastest VPN connection and this might not necessarily mean the VPN connection that’s closest to you, instead this could be a connection in a different country.

As the VPN connection nearest to you is congested so the VPN algorithm will try to find the next nearest that isn’t congested and may end up having to look much further away. I remember on a few occasions my automatic VPN connection was connecting me through the middle east, as all the other VPNs close to me where congested.

It’s important to note the connection to your VPN service provider will travel across their encrypted VPN tunnel but the connection out of the other end, will not travel along a VPN encrypted tunnel and will carry on with whatever protections are in place on the connection if a VPN wasn’t used.

This would generally mean a secure connection using HTTPS/SSL to encrypt the web traffic, which would mean even when your connection leaves the VPN service wherever it may be, it’s still encrypted to a high standard so there’s no need to worry about using VPN components provided by your VPN service provider in other countries.

Conclusion

Using a good reputable VPN for banking when outside of home (unless sharing Wi-Fi connections) shouldn’t be any cause for concern, as good bank internet connections should be encrypted anyway and two factor authentication systems will make it difficult for anyone who steals usernames and passwords to get access.