It seems that a VPN is nothing more than a novelty nowadays

For years I have used a VPN for my online banking, but this last week US Bank has pretty much disabled the ability to use one. They do not come out and say it. I just get a general error,


I can disable my VPN, and remove browser data, and it logs in just fine. Enable the VPN, and I get the error. So what good is a VPN now? Online banking was my reason for one, and now it is not allowed anymore. It’s one step forward, and three steps back. :face_with_symbols_on_mouth: :face_with_symbols_on_mouth:

1 Like

Looks like even the banks want to know everything about you, and try to (geo-)fence you in. It really sucks.

1 Like

This is the paradox that really irritates me. I’ve encountered a number of services that do this, and the reason they give for blocking VPNs is their security.

And yet the point of a (decent) VPN is my security. If I have options available to me, my thinking is that if the policies of businessX conflict with my security efforts, I’ll find another business.

3 Likes

I get this sort of thing all the time. Lazy security. I can usually find a server somewhere that will work, so give it a try. A lot of the time it is just that the server shows up as being in the wrong country.

That being said, I still can’t get Ticketmaster to work with a VPN ;(

1 Like

Security Reasons Banks Block VPNs

1. Preventing Fraud & Identity Theft

Banks may block VPNs to avoid:

  • Account takeovers using stolen credentials
  • Credit card fraud from masked or foreign IP addresses
  • Anonymous logins that bypass location-based risk checks

2. Geo-based Access Control

Many banks require access from specific countries or regions to:

  • Prevent location spoofing during sensitive transactions
  • Detect suspicious access patterns (e.g., logging in from two countries in minutes)

3. Enhancing Risk-Based Authentication

Blocking VPNs helps banks:

  • Build accurate risk profiles based on user behavior
  • Trigger additional verification when something seems off
  • Avoid letting attackers hide behind shared IPs or datacenter IPs

It is not lazy security. It prevents attackers from getting into your account.

3 Likes
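
The signals listed in the post above (datacenter or shared IPs, country mismatch, "two countries in minutes") combined into a risk decision, as an added example that is not part of the original thread and not any bank's actual logic. The `Login` fields, the 900 km/h threshold, the allow/step_up/block policy and the sample logins are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

@dataclass
class Login:
    ts: float            # seconds since epoch
    country: str         # country the source IP geolocates to
    lat: float
    lon: float
    datacenter_ip: bool  # IP is in a hosting/VPN range (assumed lookup result)

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev, cur):
    """True if covering the distance between two logins needs > MAX_KMH."""
    hours = max((cur.ts - prev.ts) / 3600.0, 1e-6)  # avoid divide-by-zero
    return km_between(prev, cur) / hours > MAX_KMH

def assess(prev, cur, home_country):
    """Return (action, reasons); action is allow, step_up or block."""
    reasons = []
    if cur.datacenter_ip:
        reasons.append("datacenter_ip")
    if cur.country != home_country:
        reasons.append("foreign_country")
    if prev is not None and impossible_travel(prev, cur):
        reasons.append("impossible_travel")
    if not reasons:
        return "allow", reasons
    # Assumed policy: one or two signals ask for extra verification (2FA);
    # only all three together are refused outright.
    return ("block" if len(reasons) == 3 else "step_up"), reasons

# Constructed sample logins for one account holder based in the US.
HOME = Login(0, "US", 44.98, -93.27, False)        # home ISP
VPN_LOCAL = Login(600, "US", 44.98, -93.27, True)  # VPN exit, same city
VPN_ABROAD = Login(600, "DE", 50.11, 8.68, True)   # VPN exit abroad, 10 min later

if __name__ == "__main__":
    for prev, cur in [(None, HOME), (HOME, VPN_LOCAL), (HOME, VPN_ABROAD)]:
        print(cur.country, cur.datacenter_ip, assess(prev, cur, "US"))
```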

If a bank requires 2FA like mine, then none of these reasons hold up.
2FA=you passed the test.
Seems VPN would be inconsequential (for the banks that require 2FA that is).
Tangential, I confess.

2 Likes

I understand that these are the reasons typically given to justify blocking VPNs and such.

The mechanisms are hardly robust though. For example, most times, I can cycle my VPN endpoint several times, and it eventually starts to work. In other instances I’ve switched over to a TOR connection, and it works. It’s a pain for me as a legitimate user to have to do that, but if I were an attacker, that’s hardly a deterrent.

Accessing a website from a geolocation that appears legitimate, would be a trivial thing for a real threat.

I guess you’re going back to the counter. I for one won’t bank without a VPN for sure.

Do you use the VPN because you do your online banking on public wifi?

I’d rather do my banking through my ISP than a VPN

1 Like

VPNs are, at minimum, enabled any time I am on a network that I do not control.

1 Like

If the Internet is involved, do you ever consider yourself in control? (seriously asking)

2 Likes

Here in Finland I think all banks have apps for mobile phones, so there’s rarely a need to use the web version. You can of course use the web one if you like. They require this two-way authentication; you have to either confirm your login with the mobile app, or you can use a code sheet, from which you enter a specific code. I think I was able to log in to my bank with the VPN on, but I also understand why it’s prohibited, because there are so many scams and illegal activity considering banks.

1 Like

For the local network and/or access points there are drastic differences between those you control and those you do not. That’s why honeypots are a thing, or school networks where the AUR is blocked, and so on.

Just curious what I’m missing. Why is a VPN a security must for y’all when banking? Is it encryption? What does a VPN improve over TLS? Is it the public IP? If so, why?

1 Like

That’s a good point. My bank allows me to transfer funds between accounts pre-authorized (by the bank) in the same institution. I can also set up (future, not current) payments to be drafted, for which I get an email receipt of the setup transaction.
I think the bank has overall allowed utility but prevented likely abuse. I don’t actually do my banking over a VPN (because, like others here say, it doesn’t tend to work).

My first thought would be: it’s an extra added layer of security…
Although it doesn’t directly answer your question, this thread is an interesting one nonetheless.
https://security.stackexchange.com/questions/140437/why-dont-vpn-services-use-tls

Does anything change if you allow the browser to keep a cookie from the website? In Firefox, I delete cookies on exit, but have some exceptions. If you choose your bank as one of the exceptions, are you able to log in with the VPN?

When I was testing Mullvad, I had this issue with a few websites, Reddit and Google come to mind.

To be fair, perhaps they geofence as a way to prevent someone who isn’t the actual account holder from attempting to log in; e.g. miscreants from overseas locations.

It’s an interesting read indeed, thanks for sharing. But yes, I still don’t get why someone would need a VPN to do banking. It’s not like legit users could hide their identity from the bank…

While SSL/HTTPS provides a certain level of encryption .. if you cannot implicitly trust the network any number of things could happen.

As already mentioned something like a honeypot could be in place - meaning that even if SSL is working, the actual connection made to ‘endeavouros.com’ does not really point to the correct IP address.

While the whole certs thing would make this a little more difficult it would not make it impossible.

https://security.stackexchange.com/questions/3857/can-a-https-connection-be-compromised-because-of-a-rogue-dns-server

Similarly but different we have other possibilities if the network is in question.

There are other considerations of course, but these are some of the first thoughts about the idea that any extra security is unnecessary so long as one uses https and a modern browser.