Once an industry that revolved around paper (or, in the United States’s case, cotton) currency, banking has now, for the most part, moved online. Today you can cash your paycheck, transfer some money to savings, pay your bills, and reimburse a friend for dinner all from your bank’s app. This is undoubtedly more convenient, but with this increased access come increased security concerns.
Banks, in general, do a good job securing their apps and banking portals. You are much more likely to fall victim to a phishing scam or a malicious link than you are to have your banking account hacked (assuming you use a strong password and two-factor authentication, but more on that later). Still, a trustworthy VPN can add an extra layer of security to your online banking and even make it easier to access your banking app.
How secure is online banking?
The vast majority of websites use hypertext transfer protocol secure (HTTPS). As the name suggests, this is a more secure version of the hypertext transfer protocol used to send data between your browser and a website. HTTPS uses TLS encryption to prevent your internet provider and anyone else on your network from interfering with your connection or seeing what you type or click on a website (although they still can see which website you visit). You can verify your connection is protected by HTTPS by looking for a padlock in your browser’s URL bar.
This means that as long as you are certain you are connected to your bank’s website or app, you can be relatively certain that you can go about your banking business securely.
How can a VPN help secure your banking?
Your VPN can provide additional protection to your online banking that HTTPS cannot. It can also help you access your banking app under certain conditions.
Prevent DNS poisoning on public WiFi
When you connect to a website, you type in that website’s URL, such as https://protonvpn.com. But computers don’t actually use URLs; they use IP addresses, such as 220.127.116.11. The internet uses the domain name system (DNS) to link the domain name in a URL to the correct IP address. Special DNS servers, operated by your ISP or network administrator, handle these DNS requests.
DNS poisoning or DNS spoofing is when an attacker intercepts your browser’s DNS requests and sends back their own spoofed response. Typically, the attacker will send you to a website that looks exactly like the one they are spoofing, but because it is under their control, they can see any information you enter, including your username and password.
DNS poisoning is possible because DNS requests are not encrypted by TLS by default. Public WiFi hotspots typically do not have the same safeguards as larger ISPs and thus are easier targets for DNS poisoning.
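To make the point about unencrypted DNS concrete, the following added example (not part of the original article or of Proton's code) builds a standard DNS query and decodes it the way any device on the same network could. The hostname and transaction ID are constructed sample values; the site name and the transaction ID a resolver uses to match replies are both readable in the raw bytes.

```python
import struct

def build_dns_query(hostname: str, txid: int) -> bytes:
    """Encode a standard A-record query (RFC 1035) as sent over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in hostname.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observe_dns_query(packet: bytes) -> dict:
    """Decode what any device on the same network can read from the raw bytes."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1 : pos + 5])
    return {
        "txid": txid,
        "is_query": not (flags & 0x8000),
        "questions": qdcount,
        "name": ".".join(labels),
        "qtype": qtype,
    }

# Constructed sample: hypothetical bank hostname and transaction ID.
SAMPLE_QUERY = build_dns_query("online.bank.example", 0x1A2B)

if __name__ == "__main__":
    print(SAMPLE_QUERY.hex())
    print(observe_dns_query(SAMPLE_QUERY))
```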
However, if you use Proton VPN, we encrypt all of your internet traffic, including your DNS requests. We also process your encrypted DNS requests on DNS servers that we operate ourselves. This prevents DNS spoofing.
Obscure which bank you use on public WiFi
If you connect to a WiFi hotspot at an airport, restaurant, or stadium, HTTPS will prevent attackers from interfering with your connection or seeing your activity on a website, but it won’t stop them from seeing which website you are on. They could identify the bank you use from the website you visit and use this information to craft more believable phishing attacks.
However, if you use Proton VPN, your connection will be encrypted and routed through one of our VPN servers before you connect to your bank’s website. Anyone else on the public hotspot will see the IP address of the VPN server but not which website or app you are using.
Access your banking app while you are traveling
If you try to use your banking app while traveling, you may have your attempt flagged as suspicious or even be denied access. Most banking sites don’t expect login attempts from IP addresses outside your home country.
Proton VPN can help you get around this geoblocking. When you use Proton VPN, the websites you connect to cannot see the IP address of the device you are using. They can only see the IP address of the VPN server you are connected to. If you connect to a VPN server in your home country, that’s where your banking app will think you are.
Note: Some banking apps will also deny you access if your IP address does not originate from the same country where you recently made purchases. We recommend trying to access your banking app on a secure WiFi network without a VPN first. Then, if you are being geoblocked, connect to a VPN server in your home country and try again.
Only use a trustworthy VPN
When you connect to a VPN, it essentially replaces your ISP. It handles your internet connection, meaning it can see which websites you visit. Given its ability to monitor your connection, using an untrustworthy VPN can be worse than using no VPN at all.
Proton VPN is maintained by the same team of scientists who created Proton Mail, the world’s most popular encrypted email service. All Proton VPN apps are open source, meaning you can go and check their code to ensure they do exactly what we claim. We recently had our no-logs policy confirmed by independent experts. Their report verifies we do not log your browsing history, IP address, or any other identifying metadata.
How to make your online banking even more secure
Using a trustworthy VPN will make it safer for you to do your banking online. But there are several other simple steps that you can take to ensure your online banking is as secure as possible.
Use a strong password
Your password is the first line of defense for any of your online accounts. Using a strong, unique password or passphrase will make it harder for attackers to guess or brute-force your password and get access to your banking account. We recommend a passphrase of four or five words that you do not use anywhere else.
Use a password manager
A password manager generates and stores passwords for all your accounts, allowing you to use more complex passwords than you could if you needed to memorize them. You only need to memorize a single master password that lets you log in to your password manager.
Most password managers also have an autofill feature that selects the correct password for the website you are visiting. If the password manager does not autofill your password into the login fields, this is a good sign that you are on a phishing website.
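The sketch below is an added example, not code from the article or from any particular password manager, showing why autofill works as a phishing signal: the saved login is tied to the site's exact origin, which a lookalike address does not share. Exact-origin matching is an assumption here (real managers use their own rules), and all URLs are constructed.

```python
from urllib.parse import urlsplit

def origin(url: str) -> tuple:
    """Return (scheme, ASCII host, port), the identity a browser assigns a site."""
    parts = urlsplit(url)
    # IDNA encoding exposes lookalike Unicode letters as an "xn--" label.
    host = (parts.hostname or "").encode("idna").decode("ascii")
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, host, parts.port or default_port

def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only on HTTPS pages whose origin equals the saved login's origin."""
    saved, page = origin(saved_url), origin(page_url)
    return saved[0] == "https" and saved == page

# Constructed sample data; bank.example is a hypothetical bank.
SAVED_LOGIN = "https://bank.example/login"
PAGES = [
    "https://bank.example/account?tab=1",        # the real site, another path
    "https://BANK.example:443/login",            # same origin, written differently
    "http://bank.example/login",                 # no TLS
    "https://bank.example.secure-login.test/",   # real name used as a subdomain
    "https://b\u0430nk.example/login",           # Cyrillic "a" (U+0430) lookalike
]

def autofill_decisions() -> list:
    return [should_autofill(SAVED_LOGIN, page) for page in PAGES]

if __name__ == "__main__":
    for page, decision in zip(PAGES, autofill_decisions()):
        print(decision, origin(page))
```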
Enable two-factor authentication
Two-factor authentication (2FA) is an extra layer of protection for your online accounts, typically in the form of a time-based, one-time code provided by an app on your phone. If you enable 2FA, even if an attacker manages to get a hold of your username and password, they still will not be able to access your banking account unless they can also provide the 2FA code. Nearly every banking website should offer 2FA.
Type the website address yourself
This is an old-school trick, but it is still effective. It is very easy to hide malicious URLs in hyperlinks, and even if you inspect the link before you click it, it can be difficult to verify where a shortened URL will lead. If you are led to a phishing website under the control of an attacker, not even TLS or a VPN can protect you. However, you can remove this risk by simply typing in the URL of your bank’s website yourself.