Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Is it safe to use an IPAD for internet banking?
- Thread starter Denis54
- Start date
- Sort by reaction score
I would say the iPad is as safe as a Mac because they are both built off of the same core. Think of the iPad as "Mac OS X embedded" software. I don't have antivirus on the Mac, and I'm fine with it.
I know this sounds ironic, but I am more comfortable (security-wise) on a Mac with no antivirus than on a Windows computer with antivirus.
With Windows, I just have a hunch that there's a million little gnomes in there trying to mess with me. I just read a report that since the computers are made in China, there's some corrupt stuff going on where the people there stick phishing stuff in Windows before it gets overseas.
I feel more secure with a Mac.
But anyway, back to your question, I would say an iPad is fine for internet banking.
On a secure network you should be okay. But forget about it at your local fast food or coffee joint, or any other public WiFi site.
Might be wise to clear your cache, cookies, and history after each banking session. I do, just to keep my paranoia in check.
As long as the banking site is using a secure session (https://....), I don't see why using a public wifi would be an issue. The data including login and password is all encrypted before it is sent to the bank.
I would use an app for your bank (if available) as an added security. However, there was an issue with security of the Citi app while back so app is no means bulletproof, but you would assume that the banks making their own app would do some due diligence on security.
Firesheep, IRC, intercepted your credentials as they were being sent to the router, before https had anything to do with it.
As I understand it, Firesheep works only by intercepting a ID cookie from the web site (bank in this case) and would only work if the bank encrypted the login only and not the subsequent traffic. Every bank I have used online encrypts the entire session and Firesheep would not work.
I believe using iPad to do online banking is as safe as using a PC/Mac. As others have said, I wouldn't do any kind of financial stuff over free public WiFi. I'm sure it's fine 99% of the time, but there's always the greater potential that someone is able to see your network activity.
Last edited by a moderator:
I use my iPad for banking just fine. I don't do that on my Windows 7 PC after discovering a keylogger had got onto the machine and I tracked the source download that had the trojan and it had merrily sailed past MS Security Essentials and run on my machine for a week before an update to the sginatures flagged it.
Anti-virus is never secure because it is reactive. My PC gets used for games and light web browsing. Anything else is done on my iPad.
Anti-virus is never secure because it is reactive. My PC gets used for games and light web browsing. Anything else is done on my iPad.
Using an app would probably be safer than using a PC if you're that concerned about it.
That being said I personally don't use public wifi(hotels,etc) for anything other than surfing news site and the such. When I plan on doing anything that requires my password or I know I'll be doing both. I use MyWi and tether to my phone. I think it's a little more secure.
That being said I personally don't use public wifi(hotels,etc) for anything other than surfing news site and the such. When I plan on doing anything that requires my password or I know I'll be doing both. I use MyWi and tether to my phone. I think it's a little more secure.
I'm a little weary of doing internet banking on a jailbroken device, whether it's an iPhone or iPad. Not that the jailbreak itself compromises the security, but I don't completely trust the apps added through external sources in Cydia (the sketchy sources, you guys know what I mean).
And I just read a report that aliens from the planet Zaarg are reading our thoughts ...
You do realise that iPads are made in China, right?
On a secure network you should be okay. But forget about it at your local fast food or coffee joint, or any other public WiFi site.
Might be wise to clear your cache, cookies, and history after each banking session. I do, just to keep my paranoia in check.
This is good advice.
To properly clear your cache, cookies, and history from mobile safari, you must also fully reset Safari.
Two methods to do so are as follows:
On an iPad there is no way to manually view and verify the digital certificate as far as I know. This leaves the connection liable to sophisticated man-in-the-middle attacks where the encryption is stripped and the connection is redirected to a spoofed website.
The following information from my "Mac Security Suggestions" link is important in relation to online banking.
Some users notice issues when CRL is set to "Best Attempt." This does not have to be set as it is only a backup for OCSP.
Much of these tips can't be done on a iPad. But, much of these risks are mitigated via only online banking on a secured wireless network with no unknown users.
Last edited:
This is pretty much why I create my own hotspot like I posted above. I've seen my cousin do a MIM at a hotel just playing around. He's no techie either but he does know how to download the tools and watch a few videos online that show how it's done
If you are using a laptop to online bank on a public network, you are safe if you follow those tips I provided in my post.
Your method also does promote security as well.
Mitm attacks are possible on cellular networks but require special equipment to do so. I would recommend still following those tips I provided even if you are using a cellular network to access the internet.
As for iPhones and iPads that have 3G internet, I would not do any online banking over the cellular network just as a precaution. Though, I have not heard of mitm on cellular networks being done outside of research settings.
EDIT: To ease your worries about the security of your iPad, I thought you might appreciate this link.
http://www.infoworld.com/d/mobile-technology/apple-ios-why-its-the-most-secure-os-period-792-0
Last edited:
I work for one of the largest banks in the US and with online banking for corps(aka very high security). The iPad, in practice, is by far the safest way to bank. You are not vulnerable to the most common attacks (worms, trojans, keyloggers) and the only concievable way to capture your credientials would be a very complex and highly targeted man-in-the-middle attack which might takes weeks to decrypt. (lets face it, you or your account are not important enough to justify that kind of attack)
As long as it uses https, feel free to bank anywhere, cellular or wifi. The encryption tunnel will be secure.
edit: this all goes out the window if you jailbreak.
As long as it uses https, feel free to bank anywhere, cellular or wifi. The encryption tunnel will be secure.
edit: this all goes out the window if you jailbreak.
This is incorrect.
If the attacker has spoofed the bank's website and the user is unable to verify the digital certificate, the connection made will appear encrypted eventhough it is not. Then, the attacker mimics an error on the page after the user attempts to login and exposes their login credentials. No need to decrypt the data.
The work would be spoofing the websites. Once that is done, then just camp out a public wifi network to collect login credentials. On a large public network, login credentials could be collected in profitable volumes over not that long of a duration.
Yes, but once you spoof the bank's website, there's nothing saying the iPad is insecure or less secure than anything else....you can be on a bulletproof connection and a super locked down machine, but if the website is hacked nothing you do to increase your security posture (except not doing any online banking) will matter.
Read my posts, I never said iOS was insecure. In fact, I provided a link stating the exact opposite. All I am saying is that iOS users have a more difficult task avoiding certain types of attacks.
Also, spoofing a website is different than hacking a website.
http://www.thoughtcrime.org/software/sslstrip/
You're being pedantic, I said except for a targeted and highly sophisticated man in the middle attack. And you said 'no but' and named a targeted and highly sophisticated man in the middle attack with added spoofing. Aside from that, if you use an official banking app, this would again be rendered impossible.
So once again, use your banks app and you are probably more secure than you'd even be using your computer at home.
My first post in this thread mentions the requirement of spoofing the login page. See the following quote.
Redirection to a spoofed website may not even be required.
https://www.owasp.org/images/7/7a/SSL_Spoofing.pdf
I was responding to these parts of your post. A post which make no reference to an app issued by the bank.
In circumstances where verification of the digital certificate is under the control of the user such as when the web browser is used for online banking, the encryption tunnel may not be secure.
In relation to an app, the attacker would need a stolen or forged copy of the banks digital certificate to be successful. If conveying the use of an app was your intention, then you are correct given that it is unlikely to occur.
This even depends on how the app validates the digital certificate. If any digital certificate is accepted as long as the url matches, then an attack my still be feasible.
Last edited: