Explained: Do I need a VPN? Are VPNs Safe for Online Banking?

Dennis Faas's picture

Infopackets Reader Janie T. writes:

" Dear Dennis,

I wanted to know if I should use a VPN (virtual private network) to connect to my bank website. A service I came across called saferweb.com claims that they will encrypt my connection, but I don't know if they can be trusted or not. What do you think? PS: I love your daily infopackets letters - they are very informative. "

My response:

This is a good question. When visiting saferweb.com I noted the following statements on their site: "Safer Web gives you an extra layer of security against Internet hackers. By hiding your IP, we keep your online activity anonymous and private. Using a VPN keeps your browsing activity private and secure."

Those statements certainly make it sound like it would be triple secure connecting to your bank, but I suggest otherwise. I'll try to answer that question in depth below; in fact, I'll even answer the question "Should I use a VPN?" as well (even if not connecting to a bank), for those who are considering using a VPN service.

So, How does a VPN Work?

A VPN (virtual private network) is software that connects your computer to another computer (a VPN server) somewhere else in the world. The connection between your computer and the VPN server is encrypted. That is what a VPN is, but a pay-for VPN service offered by a third party is slightly different.

Let's look at an example:

Let's say you purchased a VPN service online. Let's also assume that the VPN service has VPN servers located all over world - and there's even one located in China, which you decide to connect to, for lack of better judgment. So, let's assume you decide to launch Internet Explorer and access website abc.com in the browser. When you access website abc.com using your VPN connection, the server in China is asked to carry out that request. From there, the China server then makes a connection* to website abc.com, which it then relays that information back to you using the VPN.

HTTPS + VPN = Fully Secure. HTTP + VPN = Not Fully Secure

So is your encryption secure if you simply plug in a VPN? The answer is no.

Let's look at this question a little more closely.

Regarding the asterisk in the previous section above (see: connection*): If website abc.com does not use secure http (https) to serve its web pages, then your connection to abc.com is in fact not secure; the only thing "secure" is your connection between you and the VPN server in China.

In other words, using a VPN to access a non-secure website (ex: http://example.com) will only anonymize the traffic between you and the VPN server - should you be worried about being spied upon; it does not provide a secure connection from the VPN server outward UNLESS the connection outward uses https to serve up its web pages (ex: https://example.com). The website will only serve up https webpages if it uses a security certificate (SSL) that has been signed by a certificate authority.

How a VPN works: a Notation Example

Using the example above, I'll use notation for brevity. The connection would look like this:

You -> China (secure via VPN) : China -> http://abc.com (not secure because abc.com uses http and not https) = you're only 1/2 way secure in your connection to China, but not from China and onward. If website xyz.com was secure using https, then the connection might look like this: You -> China (secure via VPN) : China -> https://xyz.com (secure because xyz.com uses https) = you are using a 100% secure connection.

So, Should You Use a VPN when Connecting to Your Bank?

Frankly speaking, I don't think it's a good idea. It certainly does not add any extra layer(s) of protection - especially with respect to SaferWeb's claims. In fact, using a VPN to connect to your bank may backfire on you.

Provided that your system is not infected with malware, your operating system is up to date with the latest security patches, and you're using the latest web browser version of Firefox, Chrome, or Internet Explorer, then connecting to your bank should be perfectly secure and nothing else needs to be done. Millions of people do it like that every day.

Using the notation example: if you are connecting to your bank without a VPN, then the connection would look something like this: You -> Bank (secure, because you're using https already). So is there any point of using a VPN to do this?: You -> China (Secure because of VPN) : China -> Bank (Secure because of https)? Probably not.

How can Using a VPN Service Backfire on You?

It's also worth pointing out that if a VPN server was ever compromised, any and all communication between you and the VPN server can be sniffed and potentially decoded. So if you ask the question "is using a VPN [server] secure"? I would say, "only if the server itself is secure," which is likely impossible to prove. Servers are managed by human beings, and human beings are prone to error, so it stands that there is a possibility that the server may not be secure. Also, servers, just like PCs are prone to exploits, and if not patched in a reasonable period of time, can be compromised.

Lastly (and perhaps most importantly), if you try and connect to your bank using a VPN server located in China, I am guessing that your bank is going to throw up some major red flags (no pun intended), and possibly prevent you from logging in. The way the banks sees it, someone (a computer, or server) from China is trying to access your local bank account. Is that a good thing? Probably not.

Now, if you repeatedly use random VPN servers to anonymize your traffic (which happens to be another feature offered by VPN services), AND you try and connect to your bank on a regular basis, then I'm guessing the bank is going to throw up some more red flags. The way the bank sees it: a computer, or server located somewhere in the world keeps trying to access your bank account - and it keeps happening from different places around the world. Is that a good thing? Definitely not - at least, not the way the bank sees it, because cybercriminals often use VPNs to anonymize their web traffic as well. It would be a safer bet if you just stick to using your local IP address when accessing your local bank.

What about SaferWeb's Comments that "VPNs are Safe"?

As for saferweb's statements regarding VPNs, let's take a look at those now that we have a little bit more knowledge about how VPNs work:

  • They say: Safer Web gives you an extra layer of security against Internet hackers. I say: using our examples above, that is only true if the entire connection is secure and the VPN server is also secure. Also, a hacker can 'hack you from the inside' if your system in infected with malware, so a VPN will not prevent you from being "hacked".
     
  • They say: By hiding your IP, we keep your online activity anonymous and private. I say: yes and no. If you are worried about being spied upon locally by governments, or are otherwise paranoid, then using a VPN is probably a good idea. That said, you should also ensure that your antivirus, antimalware, operating system, and web browser are all up to date and infection free in addition to using a VPN, otherwise you can still be spied on because your information will still propagate outward somewhere onto the Internet whether you use a VPN or not.
     
  • They say: Using a VPN keeps your browsing activity private and secure. I say: yes and no. This is really only true if the connection is 100% secure. Even so, if someone was to compromise a website you were previously connected to, they could still access information about you. A VPN won't protect against that type of an attack.

So, Should You Use a VPN Service?

Whether or not you decide to use a VPN service (such as those offered by SaferWeb, for example) really depends on your circumstances.

If you need a VPN service to simply anonymize your IP address - for example, to gain access to certain services (such as accessing content that would otherwise not be available to you due to geographical restrictions), then yes, a VPN service is going to help you. If you are asking whether or not a VPN service is going to make you more "safe" online, then I would say - read this article, and then compare it to your circumstances, and then make your decision.

As for VPN's themselves - they are the greatest thing since sliced bread, really. I use my own VPN using OpenVPN (a freeware program), which allows me to connect to my remote web server in New York. Since I already own a server, I don't need to pay for a VPN service to access my server; I simply made my server run the 'server service' and I use a 'client' to access the server. At any rate, the traffic to and from the server is completely encrypted and no one can access the server without going through the VPN, first. So in that respect, it is fantastic because it offers unparalleled protection from outsiders / hackers, etc. If anyone needs help setting up something similar in order to access a remote system through another system, you are welcome to contact me for help.

Additional 1-on-1 Support: From Dennis

If you are still not sure about whether or not a VPN is going to help in your circumstance, you are welcome to contact me for help. I can also assess your PC's health - in case you are unsure whether your PC is vulnerable online. Simply contact me for help and I will connect to your system and review and discuss your options with you 1-on-1.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question - or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.

Rate this article: 
Average: 4.9 (55 votes)

Comments

ecash's picture

Another point, is that Online banking HAS TO BE SAFE..the bank should monitor your Computer ISP location, EVERY TIME..Monitor ANY changes from ANY device that connects to it..

I dont do, online banking.
I wont enter the data on my machine of ANY source, that TAKES AND GIVES money.
Bills, TAKE money, they wont give OUT..so this isnt much of a problem. I even suggested this to my Credit card company..TAKE my money on 1 account, but have HEAVY protection of GIVING money from the net..(they made a few changes)

Consider that there is NO perfect protection. from Your computer or the Banks. KNOW what you can do IF' something happens. The MORE protection you have in getting TO your account..the MORE you must erase From your computer..you want NO traces of your passwords, Bank accounts on your computer..

SMART companies, tend to create a Virtual environment, and secure VPN, when you connect..and it SHOULD erase all input of transactions..
I would Love a Bank that would give me a PROTECTED program to use, to interact with them..fully encrypted and Private..

LouisianaJoe's picture

I am a software developer. I use a VPN to access the database on my customer's server. In this case the customer has the VPN Server that I use to connect to the database using the program that I wrote and database tools for maintaining the sql server.

There are no connections going from my PC outside the VPN server.

VPN Servers are also used to provide access to Terminal Services on a remote server.

Dennis Faas's picture

This is the same type of setup I have when I connect to my server in New York. This type of VPN setup does not relay the Internet (similar to the China server I used in the article), where the IP address becomes anonymous. Instead, it is meant as a secure tunnel to and from my New York server only.

andrew_4498's picture

I am an elderly computer-illiterate, who uses a commercial VPN service.

I like to access geographically restricted TV programmes. The operation of this service is patchy, occasionally I get switched off by the TV company, who in mid-programme recognizes that I am "abroad". On these occasions I also get a cookie that identifies me being abroad, therefore to reconnect I have to reboot completely (it takes a long-long time on Windows 10, log in again, and hope for the best). The use of the VPN slows down Internet, my usual 50+ Mb/sec can slow to 1.5 Mb/sec, that makes it impossible to watch a programme "live" and necessitates download for later viewing.

Windows 10 (W10) is a sad affair. It has a lot of useful and/or wonderful features that I do not need/want. Its instability spoils it, I rue the day when I fell for the publicity. I pay for my gullibility with continual failures of this, and failures of that, too long to list. Thank your lucky stars, if you have not changed over to this damned shower. Microsoft has a lot to account for.

Dennis Faas's picture

If you want to speed up the connection, consider trials with other VPN service providers. Some VPN service providers simply don't have the network infrastructure or servers in place in the right area in order to support high speed internet connections to relay the data - as in the case you describe, while others do. It also depends on where you are connecting to; they may not have high speed infrastructure so it won't matter which provider you use.

MRCS's picture

What about man-in-the-middle attacks? I guess that would depend on where the point of injection is.

Cynthia404_10045's picture

Nice post!

pctyson's picture

Am I understanding VPN connections wrong? Doesn't the data have to be unencrypted on their end (or at least unencrypted for their servers and then reencrypted), then sent on to the recipient in order for it to work? I do understand ( I think) that https is basically double encrypted in this sense and would be next to impossible to extrapolate anything useful from the data.
However to put it another way, is this like physically sitting at the VPN providers computers instead of your own in order to reach sites? If so, are you not relying on the VPN service provider to do the right thing and not view your data nor do anything nefarious with the data? I understand that when connecting to your own computer remotely it is different because your own computer IS the trusted server.

Dennis Faas's picture

Let's see if I can explain it a different way.

When you use a VPN Service, you are connected to a server somewhere in the world in order to relay data. In this case, let's say you're connected to a VPN server in China. This connection automatically uses HTTPS. Therefore, the connection to their server is secure. Example:

You -> VPN Server (China) = HTTPS = Secure, but this represents only part of the connection because it is not connected to any website or service at this point.

HOWEVER -

Once you start using the VPN to connect to a website or service, and if that website or service is NOT SECURE then the whole thing fails. Example:

You -> VPN Server (China, HTTPS) -> Some site that isn't Secure (HTTP) = You are NOT SECURE because the last link in the chain is weak.

Therefore, you are only 100% SECURE if 100% of the connection is secure. Example:

You -> VPN Server (China, HTTPS) -> Some site that is secure (HTTPS) = YOU ARE 100% SECURE because everything is encrypted 100% of the time.

The whole point of this is that VPN Services are not a bulletproof way to keep you "secure" online 100% of the time. So if you're paying for a VPN service subscription in hopes that it is magically keeping you "secure 100% of the time" and "safe from hackers", then you are literally throwing money out the window.