Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Denis54

macrumors regular
Original poster
Mar 24, 2011
100
0
I am a new iPad user.

My PC has an antivirus and a firewall. Is my IPAD as safe as my PC since it does not seem to be protected by any software.
 

applefan289

macrumors 68000
Aug 20, 2010
1,705
8
USA
I am a new iPad user.

My PC has an antivirus and a firewall. Is my IPAD as safe as my PC since it does not seem to be protected by any software.

I would say the iPad is as safe as a Mac because they are both built off of the same core. Think of the iPad as "Mac OS X embedded" software. I don't have antivirus on the Mac, and I'm fine with it.

I know this sounds ironic, but I am more comfortable (security-wise) on a Mac with no antivirus than on a Windows computer with antivirus.

With Windows, I just have a hunch that there's a million little gnomes in there trying to mess with me. I just read a report that since the computers are made in China, there's some corrupt stuff going on where the people there stick phishing stuff in Windows before it gets overseas.

I feel more secure with a Mac.

But anyway, back to your question, I would say an iPad is fine for internet banking.
 

Aspasia

macrumors 65816
I am a new iPad user.

My PC has an antivirus and a firewall. Is my IPAD as safe as my PC since it does not seem to be protected by any software.

On a secure network you should be okay. But forget about it at your local fast food or coffee joint, or any other public WiFi site.

Might be wise to clear your cache, cookies, and history after each banking session. I do, just to keep my paranoia in check. :cool:
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,071
15,494
California
On a secure network you should be okay. But forget about it at your local fast food or coffee joint, or any other public WiFi site.

As long as the banking site is using a secure session (https://....), I don't see why using a public wifi would be an issue. The data including login and password is all encrypted before it is sent to the bank.
 
  • Like
Reactions: Donfor39

Disgrace

macrumors member
Dec 1, 2010
32
0
Different hardware makes no difference.

This depends on the security of your internet connection and bank website.
 

doboy

macrumors 68040
Jul 6, 2007
3,764
2,929
I am a new iPad user.

My PC has an antivirus and a firewall. Is my IPAD as safe as my PC since it does not seem to be protected by any software.

I would use an app for your bank (if available) as an added security. However, there was an issue with security of the Citi app while back so app is no means bulletproof, but you would assume that the banks making their own app would do some due diligence on security.
 

darngooddesign

macrumors P6
Jul 4, 2007
17,915
9,416
Atlanta, GA
As long as the banking site is using a secure session (https://....), I don't see why using a public wifi would be an issue. The data including login and password is all encrypted before it is sent to the bank.

Firesheep, IRC, intercepted your credentials as they were being sent to the router, before https had anything to do with it.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,071
15,494
California
Firesheep, IRC, intercepted your credentials as they were being sent to the router, before https had anything to do with it.

As I understand it, Firesheep works only by intercepting a ID cookie from the web site (bank in this case) and would only work if the bank encrypted the login only and not the subsequent traffic. Every bank I have used online encrypts the entire session and Firesheep would not work.
 

mpaquette

macrumors regular
Jul 15, 2010
131
55
Columbia, SC
I believe using iPad to do online banking is as safe as using a PC/Mac. As others have said, I wouldn't do any kind of financial stuff over free public WiFi. I'm sure it's fine 99% of the time, but there's always the greater potential that someone is able to see your network activity.
 
Last edited by a moderator:

GreatDrok

macrumors 6502a
May 1, 2006
561
22
New Zealand
I use my iPad for banking just fine. I don't do that on my Windows 7 PC after discovering a keylogger had got onto the machine and I tracked the source download that had the trojan and it had merrily sailed past MS Security Essentials and run on my machine for a week before an update to the sginatures flagged it.

Anti-virus is never secure because it is reactive. My PC gets used for games and light web browsing. Anything else is done on my iPad.
 

Syk

macrumors 65816
Jun 20, 2010
1,081
553
Using an app would probably be safer than using a PC if you're that concerned about it.

That being said I personally don't use public wifi(hotels,etc) for anything other than surfing news site and the such. When I plan on doing anything that requires my password or I know I'll be doing both. I use MyWi and tether to my phone. I think it's a little more secure.
 

Digidesign

macrumors 6502
Jan 7, 2002
448
52
I'm a little weary of doing internet banking on a jailbroken device, whether it's an iPhone or iPad. Not that the jailbreak itself compromises the security, but I don't completely trust the apps added through external sources in Cydia (the sketchy sources, you guys know what I mean).
 

Syk

macrumors 65816
Jun 20, 2010
1,081
553
Nothing wrong with that. Too be honest after iOS 5 comes out I may not jailbreak my device.
 

Benbikeman

macrumors 6502a
May 17, 2011
616
1
London, England
I just read a report that since the computers are made in China, there's some corrupt stuff going on where the people there stick phishing stuff in Windows before it gets overseas.
And I just read a report that aliens from the planet Zaarg are reading our thoughts ...

You do realise that iPads are made in China, right?
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
On a secure network you should be okay. But forget about it at your local fast food or coffee joint, or any other public WiFi site.

Might be wise to clear your cache, cookies, and history after each banking session. I do, just to keep my paranoia in check. :cool:

This is good advice.

To properly clear your cache, cookies, and history from mobile safari, you must also fully reset Safari.

Two methods to do so are as follows:

Force Quitting To force an application to quit, Apple recommends that you bring the app you want to quit to the foreground. Then press and hold the sleep/wake button for several seconds, until the Slide to Power Off control appears. Release the sleep/wake button and hold down the Home button for another 7-10 seconds. Your screen will flash briefly and you will return to the main iOS 4 Springboard home page with its icons. This method works for all operating systems from iPhone OS 3 forward, and is the preferred method listed in the iOS 4 documentation.

Removing the Application from the Recents List There's actually a much simpler approach for quitting apps, and that's to use your recent app list. Double-click the home button to display the recently accessed applications. Press and hold any of the icons shown, then navigate to the application you want to quit and tap the red circled minus button. This sends a signal to the application in question that allows it to quit. The application will be re-added to the recents list the next time you launch it.

As long as the banking site is using a secure session (https://....), I don't see why using a public wifi would be an issue. The data including login and password is all encrypted before it is sent to the bank.

On an iPad there is no way to manually view and verify the digital certificate as far as I know. This leaves the connection liable to sophisticated man-in-the-middle attacks where the encryption is stripped and the connection is redirected to a spoofed website.

The following information from my "Mac Security Suggestions" link is important in relation to online banking.

- Check the digital certificate of websites, such as banks and paypal, by clicking the lock icon to see if the certificate belongs to the right organization. This prevents login credentials from being stolen via sophisticated MITM attacks. ARP poisoning/MITM attacks can be detected using a utility such as Mocha.
- Always manually navigate to the logins of encrypted security sensitive websites and never login to these websites from links in emails, email attachments, instant messages, & etc even if the certificate appears to be legitimate. This prevents login credentials from being stolen via advanced phishing techniques that use cross-site scripting.
- Enable Mac OS X to use the CRL and OCSP to provide protection from invalidated digital certificates. The settings to enable system-wide use of the CRL and OCSP are accessible via Keychain Access. On the "Certificates" pane in the Preferences of Keychain Access, set the following:

Online Certificate Status Protocol (OCSP): Best Attempt
Certificate Revocation List (CRL): Best Attempt
Priority: OCSP

Some users notice issues when CRL is set to "Best Attempt." This does not have to be set as it is only a backup for OCSP.

Much of these tips can't be done on a iPad. But, much of these risks are mitigated via only online banking on a secured wireless network with no unknown users.
 
Last edited:

Syk

macrumors 65816
Jun 20, 2010
1,081
553
This is good advice.



On an iPad there is not way to manually view and verify the digital certificate as far as I know. This leaves the connection liable to sophisticated man-in-the-middle attacks where the encryption is stripped and the connection is redirected to a spoofed website.

The following information from my "Mac Security Suggestions" link is important in relation to online banking.



Some users notice issues when CRL is set to "Best Attempt." This does not have to be set as it is only a backup for OCSP.

Much of these tips can't be done on a iPad. But, much of these risks are mitigated via only online banking on a secured wireless network with no unknown users.

This is pretty much why I create my own hotspot like I posted above. I've seen my cousin do a MIM at a hotel just playing around. He's no techie either but he does know how to download the tools and watch a few videos online that show how it's done
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
This is pretty much why I create my own hotspot like I posted above. I've seen my cousin do a MIM at a hotel just playing around. He's no techie either but he does know how to download the tools and watch a few videos online that show how it's done

If you are using a laptop to online bank on a public network, you are safe if you follow those tips I provided in my post.

Your method also does promote security as well.

Mitm attacks are possible on cellular networks but require special equipment to do so. I would recommend still following those tips I provided even if you are using a cellular network to access the internet.

As for iPhones and iPads that have 3G internet, I would not do any online banking over the cellular network just as a precaution. Though, I have not heard of mitm on cellular networks being done outside of research settings.

EDIT: To ease your worries about the security of your iPad, I thought you might appreciate this link.

http://www.infoworld.com/d/mobile-technology/apple-ios-why-its-the-most-secure-os-period-792-0
 
Last edited:

Wick12

macrumors member
Jul 13, 2011
33
6
iOS is very secure and is not being threatened by viruses like other os's it is more secure do to Apples locked down OS. I would never do online banking if I was jail broken though.
 

chris8535

macrumors member
May 10, 2010
51
0
I work for one of the largest banks in the US and with online banking for corps(aka very high security). The iPad, in practice, is by far the safest way to bank. You are not vulnerable to the most common attacks (worms, trojans, keyloggers) and the only concievable way to capture your credientials would be a very complex and highly targeted man-in-the-middle attack which might takes weeks to decrypt. (lets face it, you or your account are not important enough to justify that kind of attack)

As long as it uses https, feel free to bank anywhere, cellular or wifi. The encryption tunnel will be secure.

edit: this all goes out the window if you jailbreak.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
the only concievable way to capture your credientials would be a very complex and highly targeted man-in-the-middle attack which might takes weeks to decrypt.

As long as it uses https, feel free to bank anywhere, cellular or wifi. The encryption tunnel will be secure.

This is incorrect.

If the attacker has spoofed the bank's website and the user is unable to verify the digital certificate, the connection made will appear encrypted eventhough it is not. Then, the attacker mimics an error on the page after the user attempts to login and exposes their login credentials. No need to decrypt the data.

The work would be spoofing the websites. Once that is done, then just camp out a public wifi network to collect login credentials. On a large public network, login credentials could be collected in profitable volumes over not that long of a duration.
 

fhall1

macrumors 68040
Dec 18, 2007
3,816
1,237
(Central) NY State of mind
This is incorrect.

If the attacker has spoofed the bank's website and the user is unable to verify the digital certificate, the connection made will appear encrypted eventhough it is not. Then, the attacker mimics an error on the page after the user attempts to login and exposes their login credentials. No need to decrypt the data.

The work would be spoofing the websites. Once that is done, then just camp out a public wifi network to collect login credentials. On a large public network, login credentials could be collected in profitable volumes over not that long of a duration.

Yes, but once you spoof the bank's website, there's nothing saying the iPad is insecure or less secure than anything else....you can be on a bulletproof connection and a super locked down machine, but if the website is hacked nothing you do to increase your security posture (except not doing any online banking) will matter.
 

chris8535

macrumors member
May 10, 2010
51
0
Read my posts, I never said iOS was insecure. In fact, I provided a link stating the exact opposite. All I am saying is that iOS users have a more difficult task avoiding certain types of attacks.

Also, spoofing a website is different than hacking a website.

http://www.thoughtcrime.org/software/sslstrip/

You're being pedantic, I said except for a targeted and highly sophisticated man in the middle attack. And you said 'no but' and named a targeted and highly sophisticated man in the middle attack with added spoofing. Aside from that, if you use an official banking app, this would again be rendered impossible.

So once again, use your banks app and you are probably more secure than you'd even be using your computer at home.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
And you said 'no but' and named a targeted and highly sophisticated man in the middle attack with added spoofing.

My first post in this thread mentions the requirement of spoofing the login page. See the following quote.

This leaves the connection liable to sophisticated man-in-the-middle attacks where the encryption is stripped and the connection is redirected to a spoofed website.

Redirection to a spoofed website may not even be required.

https://www.owasp.org/images/7/7a/SSL_Spoofing.pdf

the only concievable way to capture your credientials would be a very complex and highly targeted man-in-the-middle attack which might takes weeks to decrypt.

As long as it uses https, feel free to bank anywhere, cellular or wifi. The encryption tunnel will be secure.

I was responding to these parts of your post. A post which make no reference to an app issued by the bank.

In circumstances where verification of the digital certificate is under the control of the user such as when the web browser is used for online banking, the encryption tunnel may not be secure.

In relation to an app, the attacker would need a stolen or forged copy of the banks digital certificate to be successful. If conveying the use of an app was your intention, then you are correct given that it is unlikely to occur.

This even depends on how the app validates the digital certificate. If any digital certificate is accepted as long as the url matches, then an attack my still be feasible.
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.