A few days ago I was sitting at a local coffee shop and watched a young lady come in with her laptop. She sat down at the table, connected her laptop to the free wireless network, and proceeded to log into her online bank account. I remember thinking at the time, “That is a dangerous practice.”
I then received an email from Steve Aronson, an agent in Massachusetts, highlighting the same issue. He suggested I write about how to protect your information when using free public Wi-Fi.
Wireless access to the Internet has become a necessity for many people so they can stay connected. Whether you’re on vacation at a resort, waiting in an airport or sitting in a coffee shop, it’s likely you will be able to connect to the Internet through a wireless network provided by the property owner. Sometimes these will be offered for a small fee and sometimes they will be free.
But be careful: sometimes free Wi-Fi can be a scam perpetrated by criminals hoping to steal your personal information. You could end up being the target of a “man in the middle” attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen and end up with a spyware-infested computer. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.
How the attack works
You go to an airport or other hot spot and fire up your PC, hoping to find a free hot spot. You see one that calls itself “Free Wi-Fi” or a similar name. You connect. Bingo — you’ve been had!
The problem is that it’s not really a hot spot. Instead, it’s an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you’re using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other websites.
In addition, because you’ve directly connected to the attack PC on a peer-to-peer basis, if you’ve set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.
You can’t actually see any of this happening, so you’d be none the wiser. The hacker steals what he wants to or plants malware, such as zombie software, then leaves, and you have no way of tracking him down.
All that is bad enough, but it might not be the end of the attack. Depending on how you’ve connected to that ad hoc network, the next time you turn on your PC, it may automatically broadcast the new “Free Wi-Fi” network ID to the world, and anyone nearby can connect to it in ad hoc peer-to-peer mode without your knowledge — and can do damage if you’ve allowed file sharing.
Security company Commtouch (previously Authentium Inc.) has found dozens of ad hoc networks in Atlanta’s airport, New York’s LaGuardia, the West Palm Beach, Fla., airport and Chicago’s O’Hare. Internet users have reported finding them at LAX airport in Los Angeles.
Commtouch did an in-depth survey of the ad hoc networks found at O’Hare, visiting on three different occasions. It found more than 20 ad hoc networks each time, with 80% of them advertising free Wi-Fi access. The company also found that many of the networks were displaying fake or misleading MAC addresses, a clear sign that they were bent on mischief.
How to protect yourself
The easiest way to protect yourself from Wi-Fi fraud is to not connect to any free wireless networks. If you’re in a coffee shop, airport or hotel that has a legitimate Wi-Fi connection for a small fee, it’s worth the price for peace of mind. Ask the business’ staff if there is a hot spot available and get the name from them.
Mobile device users should make sure they have downloaded all the security updates for their operating systems.
If you function in a wireless environment on a regular basis, you are better off spending the money on a wireless card that you get through AT&T, Verizon or Sprint. This way, you have your own relatively secured wireless connection. This is what I do for access.
If you choose to take advantage of free Wi-Fi availability, here are some things to keep in mind.
- Never connect to a “computer-to-computer” network. When choosing a wireless network, check out the description of each one. A normal wireless network is simply called “wireless network” not a “computer-to-computer” network.
- Use HTTPS to access webmail and avoid protocols that don’t include encryption. Turn off your computer’s file sharing capabilities. The instructions will vary slightly depending on what computer system you’re using (Windows XP, Vista, Windows 7, etc.).
- Use a software firewall to further control who can connect to your computer and how.
- Avoid conducting financial transactions or accessing any sensitive websites if you aren’t using an Internet connection that you know and trust.
It pays to be vigilant whenever you are connecting to a wireless network. If you have any doubt about the Wi-Fi connections, then don’t connect. It’s just not worth the potential problems.
*From The Independent Voice, dated June 12, 2012 by Steve Anderson