WiFi hacks fly under the radarWhile theft of data from unsuspecting consumers using public WiFi spots is presumed to be fairly pervasive, it doesn’t get the attention that major hacks of corporate or financial systems do. These thefts happen in dribbles – with bad guys stealing bits of information from many users and accounts – rather than a tsunami. One contributing factor is that WiFi is so pervasive. A 2015 report by WiFi network provider iPass estimated that there were more than 50 million public hotspots worldwide – one for every 150 people, a number which is expected to grow to 340 million by 2018, or one for every 20 people on earth. Another factor is that so many public WiFi networks are inherently insecure. Kaspersky Security Network recently analyzed some 32 million public hotspots and found that 25 percent do not use any encryption at all, meaning that anyone with an antenna can pick up the communications. Another three percent use an old form of encryption that is essentially ineffective. Third, hacking WiFi networks doesn’t require sophisticated technical knowledge. Some of the tools are widely available and easy to use. That’s not to say that large international crime rings aren’t involved. In December 2014, Australian police caught members of a criminal syndicate opening a bank account in Sydney using a stolen identity they got by hacking people’s phones through a free WiFi network. The operation stole more than $6 million, and police arrested almost 50 people in connection with the crime. Hackers are not only setting up their own fake WiFi spots but in some cases may hack into existing, legit networks. In Israel last fall, for example, a white-hat hacker showed how he could take advantage of vulnerabilities in network routers to take over the free Wi-Fi network of Tel Aviv.
How hackers do it: common techniquesExperts say there are several common ways that hackers compromise public WiFi networks.
- Fake hotspots: Hackers set up a fake network with an innocuous name that fools consumers into thinking it’s legitimate, such as “Starbucks WiFi” in a coffee shop. They can then record all the keystrokes of people who use that network, including user names and passwords to various accounts.
- Man-in-the-middle attacks: Cybercriminals take over a public network and use the established connection to the victim’s machine to redirect their communications, often to a fake website that looks like your bank, for example, and tricks you into giving up log-in credentials.
- Malware: Once on the network, they can send you fake notices saying you need to install an update. But rather than updating your system, they install malware that then gives them complete access to your system, including files and photos. They might even be able to turn on the web camera or microphone and eavesdrop.
- Sniffing: Using a WiFi sniffer, anyone can locate insecure WiFi networks and monitor their traffic. They can record that traffic and analyze it to discover useful details.
How to be protect your info on public WiFi
- Use a virtual private network (VPN): There are many VPN services that you can use with smartphones and computers. A VPN lets you connect to the provider’s servers via an encrypted connection, which protects prying eyes from seeing any information. However, the quality and business models of these services vary, so research them carefully. Free or very low-cost services sometimes collect data from your activity.
- Change the settings on your device so it does not automatically connect when it senses a WiFi network. In public spaces, before connecting try to ask someone (like the hotel manager) for the name of the WiFi hotspot to make sure you’re not connecting to a fake one.
- Use 2-factor authentication, which requires you to provide two things to prove your identity. When logging onto your Dropbox account, for example, it asks for your password and then texts a code to your smart phone. You must enter the code before you are granted access.
- When using a public WiFi network, limit activity to web browsing. Avoid using any accounts that require log-in information (such as e-mail and bank accounts), avoid sending any private data across the network, don’t download any apps, and don’t install any updates.
- Keep your operating system and apps patched and up to date.
- Use a cellular connection instead of the free WiFi service.
- Enable the “always use https” option on websites you visit often or that require passwords and log-ins. When you log in to the website, make sure the URL address starts with “https,” which means it’s encrypted.
- Make sure the WiFi network uses the latest encryption technique, known as WPA (WiFi Protected Access)-2 protocol.