“Know your enemy”, said Sun Tzu around 500 B.C, although probably not referencing risk management. This well-known piece of wisdom does however apply perfectly to avoiding cyber attacks on public Wi-Fi: the threats you face are invisible to the naked eye, and can be best avoided with awareness of their existence. With that in mind, here are the three most common ways unsecure public Wi-Fi can be used maliciously to hijack passwords, drain bank accounts or steal your identity.
Thankfully, it only takes a few easy precautions to avoid them and ensure your personal information stays private and secure.
Imagine there is a tube connecting your house to a friend’s house, and you send each other messages through that tube. Now imagine someone cutting a hole in it without your knowledge. At the very least, the person in the middle could read the messages you send to your friend. Or worse, they could also start impersonating your friend, making you reveal personal information, the kind you only tell someone you completely trust.
The man in the middle takes advantage of your false sense of security. Say you go to your local coffee shop, get your double shot latte, sit in your usual spot by the window and connect to your usual hotspot “CupofJava”. A hacker can set up a network with the same network name of “CupofJava”, and act as a signal transmitter between your device and the legitimate hotspot. This allows them to potentially intercept all unencrypted traffic. Traffic is only encrypted when a website URL begins with https, not http. If you ever try to connect to a secure site like your online bank and the URL is unencrypted, it is almost certainly someone guiding you to a fake login page with the hopes of capturing your account details.
Using browsing protection features in applications like F-Secure Freedome can help protect against these kinds of scams.
The Evil Twin
Despite sounding like a cliché soap opera story line, setting up an evil twin is an easy way for hackers to intercept private data. It’s similar to man in the middle, but instead of placing themselves between you and the hotspot, the hacker actually become the hotspot and trick you into making a connection, automatically or manually.
If you have ever connected to a network called “Free Wi-Fi”, your device will remember the name and connect to it automatically when in range. But your device doesn’t care if it actually is the same network; it will by default connect automatically to any network called “Free Wi-Fi”. A hacker just needs to go to a public place, set up a hotspot with a very popular name, and wait for someone to automatically connect. In this case, your device puts you at risk and you may not even know it. For this reason, you should always check that Wi-Fi is turned off on your device when you are not using it.
Packet sniffers are tools that hackers can leave running to intercept unencrypted data that travels over a Wi-Fi network they are connected to. There is software readily available which allows a hacker to easily capture every bit of unencrypted data that is sent over the network. Thankfully, services such as Facebook and Gmail have started encrypting their traffic, but a lot of websites still don’t.
Besides, even if a website uses an encrypted HTTPS connection for logging in, it may still send unencrypted cookies. Cookies are little files that contain things like tracking information, website settings and crucially, whether a user is already logged in. This means that when intercepted, an unencrypted cookie can be used to impersonate you. The website will think it remembers you being logged in when in fact it is someone pretending to be you. Unlike the other methods, packet sniffing simply requires the hacker to be in the same network as you, without needing to set up a hotspot of their own.
Protecting yourself allows you to be more connected with less risk: it’s a win-win!