Lots of people think that a VPN, short for virtual private network, is enough on its own to keep them safe and anonymous online.
If you add some sort of mostly-untraceable digital cash into the mix – a cryptocurrency such as Bitcoin or Monero, for example – then you’d be forgiven for thinking that you’re as good as invisible.
So, it’s easy to assume that
VPN + cryptocoins == private && secure.
But VPNs and cryptocoins only go so far in keeping cybercrooks and other undesirables out of your online life, and here’s why.
Simply put, a VPN encrypts your network traffic – every data packet, not just your web browsing or email – and transports it to a server somewhere else on the internet.
That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.
Let’s be very clear about this: the other end of the VPN is not the terminus of the journey that your packets will take to the servers you want to access – the VPN just makes your traffic seem to have started out from somewhere else.
A VPN hosted at home or in your company network, for example, doesn’t magically add more security than you’d have at home or at work, it just makes sure that there isn’t any less security while you’re out and about on other people’s networks.
In other words, a VPN doesn’t inevitably make you more secure, and if the VPN operator is sloppy, or incompetent, or perhaps even crooked, your privacy and anonymity could very well end up worse than it was before.
After all, your VPN provider sees all of your traffic, exactly as it went into the network card in your laptop or mobile phone – it really is as if they were right there in the coffee shop with you.
MyEtherWallet meets Hola
A security lapse by a VPN operator can therefore be very worrying news indeed, and that’s what popular online cybercurrency wallet service MyEtherWallet (MEW) is warning about right now:
Urgent! If you have Hola chrome extension installed and used MEW within the last 24 hrs, please transfer your funds… twitter.com/i/web/status/1…
MyEtherWallet.com (@myetherwallet) July 10, 2018
(This is a a similar idea to getting a replacement payment card after getting skimmed: if you invalidate your old account numbers, they’re no longer any use to anyone, including cybercrooks.)
Hola is a free VPN that essentially shares out participating users’ browser connections out amongst the community in order to get around geoblocks.
For example, if you’re in Canada, trying to watch a TV show that’s only available in France, your traffic might end up redirected through a fellow user’s computer in Paris.
At the same time, your North American connection might be helping someone in the Germany to get past website geoblocking intended to keep out visitors from the EU.
We don’t have any details of what went wrong, other than that crooks seems to have been watching Hola traffic specifically for MEW-related activity.
So, we don’t yet know whether any cryptocurrency traffic was compromised, but the warning is clear enough.
MEW can’t be sure that crooks didn’t get hold of enough data to plunder your cryptocoin account some time in the future…
…and is therefore advising customers to create new accounts and transfer across their own funds, thus leaving those potentially compromised accounts behind.
What to do?
If you’re a MEW-and-Hola user, the instructions on “what to do” can be found in the tweet we linked to above, but please remember that this is a story that isn’t just for the cryptocoiners amongst us.
Repeat after me:
A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.
Also, don’t forget that a VPN that relies on or includes a browser plugin, as in this case, can read all your private data right inside your browser before it gets encrypted.
A network-level VPN driver sees more of your traffic, but anything that’s already been encrypted, such as HTTPS traffic, can’t be unscrambled.
As Hola says on its website:
Hola gives you the freedom to browse the web without censorship and to watch videos with less buffering and faster start time.
Freedom may be a desirable quality, but it does not automatically make you more secure – ask a rhinoceros.
Source: Naked Security