Internet users love public WiFi, despite the fact that free connections are filled with security concerns. As noted by Dark Reading, while over 90 percent of users believe public hotspots are insecure, 89 percent go ahead and connect anyway. And that’s just the beginning: Many Netizens are willing to leverage free WiFi to conduct financial and other critical data transactions — according to Gizmodo, two million Australian users do their banking on public WiFi every day, despite the potential risks.
And no-cost WiFi networks are rapidly expanding. Urban centers such as New York City recently rolled out subway station WiFi while social media giant Facebook has introduced a WiFi finding app that helps guide users to the nearest bastion of available Internet. With public WiFi such a big draw — and user showing no signs of logging off even if personal data is at risk — it’s worth taking a look at the top wireless threats and how you can stay safe on free-for-all connections.
Ideally, any private WiFi you’re using, such as corporate offerings or home networks, should use strong encryption to ensure that your data isn’t on display for any malicious actor with a mind to hack your connection. The Internet available in coffee shops, airports, and hotels, meanwhile, often eschews encryption in favor of usability and speed: It’s quick and painless for users to connect and start surfing but everything sent and received is in plain text, meaning anyone with the means and motive to eavesdrop on your browsing session can see exactly what’s in that company email, instant message or Facebook post.
Think of it like this: Instead of having a quiet conversation with friends, unencrypted WiFi connections create a scenario where you’re shouting potentially private information from the digital rooftops. Not a great idea if you want to stay safe online.
Defeating Dummy Hotspots
[pullquote]Are Starbucks Wifi1 or AirprtWireless really legitimate connections?[/pullquote] The certainly look on the up-and-up at first glance, but here’s the problem: There are no rules or restrictions when it comes to naming WiFi channels. As a result, all cybercriminals need to do is create a hotspot name that seems believable and then create a “dummy network” by broadcasting over a relatively small radius — usually within the coffee shop or airport terminal. Unsuspecting victims see an open WiFi network with great signal strength, click to connect and are then prompted to enter extra personal details, such as date of birth of Facebook login credentials.
In some cases, hackers aren’t really offering an actual WiFi connection, and after multiple attempts users go elsewhere, leaving criminals in possession of usable personal data. As noted by Kaspersky Lab, meanwhile, others use dummy hotspots to relay your information to a legitimate WiFi network allowing them to access — and obtain — every piece of data you send out.
Staying Ahead Of Cyber Stalkers
Browser companies are getting backlash for tracking user behavior, but what if the problem didn’t come from Google or Microsoft but rather an interested cybercriminal looking to create a profile of your habits and steal critical information? Since public WiFi connections are typically light on security, it’s easy for tech-savvy attackers to stalk your surfing habits and discover exactly where you’re going, who you’re talking to and what you’re doing online.
Reducing The Risk Of Credential Theft
Financial institutions are making it easier than ever to access bank accounts, transfer money, and complete transactions online. As a result, many users are tapping public WiFi to conduct daily banking tasks, send money transfers or even make large purchases. The problem? Your credentials are up for grabs when using a free network since all hackers need to do is watch where you’re going, record your login/password information and then gain access once you’ve logged out.
Imagine this nightmare of a scenario: You open your laptop at the coffee shop to check your bank balance only to encounter a “password error” message. Contacting the bank leads to the discovery that hackers gained account access, transferred out thousands of dollars and along the way opened several new credit cards in your name. Bottom line? Don’t access any sensitive information over a public WiFi connection — this includes banking websites, medical portals or online payment sites. And since many people use the same password for multiple sites including their social profiles it’s not a bad idea to steer clear of Facebook and Twitter in addition to more sensitive sites.
Steering Clear Of Critical Compromise
[pullquote]The ultimate hacker score and user threat when using public WiFi? Total device compromise.[/pullquote] It could start with attackers putting something simple, such as a keylogger, onto your laptop and then recording everything you type during subsequent WiFi visits.
The next level? Cybercriminals send you a legitimate-looking email (since they can see you checking the account while you sip your latte) then convince you to download a malicious attachment or direct you to a compromised website. The result is the same in both cases: Your device is infected with malware; even logging off the network won’t reverse the damage. Once infected, there are a number of potential consequences — ransomware which locks down your files and demands payment, processes which run in the background collecting personal information and access details which are then sent to a command and control (C&C server) and then sold via the Dark Web or used to create a fake identity, or simply a hailstorm of unwanted ads which warn you to install “antivirus” programs that are simply more bloated malware.
Best Practices For Staying Safe
So there you have it — big threats just from logging on to your favorite coffee shop WiFi or browsing the ‘net while waiting at the airport. But it’s not all bad news — since you’re going to use public WiFi anyway, there are options to help you stay safe, including:
- Surf Responsibly — Want to use social networks? Opt for your phone and its more secure 4G or LTE connection, or “tether” your computer to your mobile device. If you’re on laptop WiFi, steer clear of any banking sites, don’t make any purchases and be on the lookout for strange login activity across email or other accounts.
- Go HTTPS — While you can’t brute-force encryption on your own, enabling HTTPS-only connections means that you’ll get some protection from sites which use SSL-based encryption to secure communication between devices and Web pages. It’s not perfect, but it’s better than total transparency.
- Use a VPN — Virtual private networks (VPNs) create a network-within-a-network to obfuscate any information you’re sending, where it’s going and what happens when it gets there. While using a VPN won’t prevent dummy hotspot creators from intercepting your data, chances are they won’t be willing to put in the time and effort it takes to crack the encryption and make sense of what you’re sending. Plus, using a VPN makes you effectively invisible to any tracking solutions set up by free WiFi providers which may be used for advertising or data collection. Most VPNs are available as lightweight applications which you simply launch to establish a secure connection.
Is public WiFi secure? Absolutely not — and users on public connections may encounter threats ranging from data theft to browser tracking to credential compromise or malware infections. Ideally, steer clear of free WiFi hotspots. Realistically? Surf safe, use HTTPS where possible and opt for a VPN if you’re determined to access personal data on public WiFi.