This is an excerpt from Dollar Scholar, the Money newsletter where news editor Julia Glum teaches you the modern money lessons you NEED to know. Don't miss the next issue! Sign up at money.com/subscribe and join our community of 160,000+ Scholars.
When you live in New York City, you learn to do pretty much everything out in the open.
If you’re, say, heading to a costume party in Queens, dozens of strangers on the sidewalk will see you dressed as a hotdog. (True story.) Having a bad day? You’re inevitably going to start crying on a park bench... in full view of concerned-looking tourists. And God forbid you attempt to covertly read smut on the subway.
Since moving here, I’ve adopted a who-cares stance on decorum. But after writing recently about how important it is to keep my bank account number secret lest fraudsters steal my identity, I started wondering if I need to clamp down on other financial habits when I’m out and about.
Specifically, I’m worried I’m exposing myself by using whatever free wireless network I’m on (at the bar, at the cafe, on the train, etc.) to check my bank app on my iPhone.
Is it safe to log into my bank on public Wi-Fi?
Eileen Tan, chief information security officer at Varo Bank, gave me a straight answer: “Don’t use the public network unless you trust it,” she says.
Firing up my banking app under a random Wi-Fi network puts me at risk of what’s called a “man in the middle” attack. Scammers can set up Wi-Fi sniffers, which intercept data being transferred over a network, or fake hotspots.
There’s nothing stopping someone from sitting outside my local Starbucks, for example, and creating a network that’s called “Starbucks Wi-Fi.” If I connect to that instead of the legit Starbucks network, a stranger could see my user ID, my password, my bank account, my email address and more, Tan says.
In fact, Dave Hatter, cybersecurity consultant at Intrust IT, says he would “never, ever do any sort of banking transaction on a public network or on free Wi-Fi.”
He, too, says devices like sniffers are too easy for bad actors to get. All someone has to do is pay $100, watch a couple of YouTube videos on how to mimic a network and take advantage of unsuspecting customers like me. It’s a popular method for fraud because it’s both low-effort and high-reward.
My home (password-protected) Wi-Fi network is more secure because it’s more difficult for scammers to exploit. But probably the safest method is to turn off my iPhone’s Wi-Fi and use my phone’s data network for my online banking needs. It's not impossible to hack into a cellular network, but it's a lot harder than spoofing a public Wi-Fi- network, so the risk is much lower.
However, Hatter, a self-described "tinfoil-hat guy," says he doesn’t use any banking apps. Period.
Hatter points to a 2019 study where security experts looked at 14 Android and iPhone bank apps with over 500,000 downloads each. The researchers found that attackers could access user data on 13 of the apps; in 76% of cases, the hackers could get in without physically accessing a person’s phone. Other studies have shown banking apps using years-old code with known vulnerabilities.
“When using an app, you don't really have any idea what's going on behind the scenes,” Hatter adds. “You have to trust it’s configured correctly.”
If I’m determined to use public Wi-Fi and/or a banking app, both Hatter and Tan recommend I use a VPN, or virtual private network. VPNs encrypt the data I’m sending over a network, meaning my information is more secure.
The bottom line
I should not check my bank account while connected to a public wifi network because it’s not secure. Whoops.
Protection is all about having a layered approach. Hatter says if he needs to check his bank account online, he’ll use not only his cellular network but also a VPN. Ideally, he prefers to access his bank through the web browser on his laptop, where he can see in the URL bar that the connection is secure.
These sorts of barriers make hacking a bank account harder. And the harder it is, the more likely it is that a fraudster will give up on trying to steal my money.
“There’s not some magic bullet that's going to make you invulnerable, but you can make yourself a very, very difficult target,” Hatter says.