Free public Wi-Fi is now available in many places. Airports, hotels, and coffee shops all promote free internet connection as an added benefit of using their services. For many people, being able to connect to free internet on the go seems ideal. This would be particularly useful for the traveling business person, now able to access their work emails or share documents online.
However, there are more risks to using public Wi-Fi hotspots than many internet users might have realized, and most of those risks are related to Man in the Middle attacks.
When considering whether to connect to the public Wi-Fi network at your local coffee shop, the airport, etc., I have two simple words of advice: don’t and don’t. The massive flaw discovered in WPA2, the encryption standard that secures all modern Wi-Fi networks, raised the possibility that anyone near you could easily access your information if you use a Wi-Fi network. This includes information that was understood as being encrypted. Today’s Wi-Fi standards are flawed and should not be trusted.
One of the biggest threats with free Wi-Fi is the ability of hackers to position themselves between you and the connection point. So, instead of talking directly with the hotspot, you end up sending your information to the hacker. The hacker also has access to every piece of information you send out—emails, phone numbers, credit card information, business data, the list goes on. And once a hacker has that information, you’ve basically given them the keys to the kingdom.
However, despite numerous warnings, headlines, and efforts to educate, many people still don’t understand why connecting to free Wi-Fi is an incredibly dangerous situation regardless of what you’re doing online. And while you may think ‘okay, I’m not checking my personal email or logging into my bank account, I’m just checking the sports scores,’ remember anything you do on a public Wi-Fi network is NOT secure. Any information you share or access on these networks is as good as gone.
Man in the Middle attack
A Man in the Middle (MitM) attack occurs when a malicious actor manages to intercept the communication between two parties. There are various types of MitM attacks, but one of the most common is to intercept a user’s request to access a website, sending back a response with a fraudulent webpage that looks legitimate. This may happen to pretty much any website, from online banking to file sharing and email providers.
For example, if Alice tries to access her email and a hacker manages to intercept the communication between her device and the email provider, he can perform a MitM attack, luring her into a fake website. If the hacker gains access to her login and password, he could use her email to perform more malicious actions, such as sending phishing emails to Alice’s contact list.
Wi-Fi eavesdropping is one kind of MitM attack where the hacker uses a public Wi-Fi network to monitor the activities of anyone who connects to it. The information intercepted may vary from personal data to patterns in internet traffic and browsing.
Typically, this is done by creating a fake Wi-Fi network with a name that seems legitimate. The fake hotspot name is often very similar to that of a nearby store or company. This is also known as the Evil Twin method.
For example, a consumer may enter a coffee shop and realize that there are three Wi-Fi networks available with similar names: CoffeeShop, CoffeeShop1, and CoffeeShop2. The chances are that at least one of these is a fraudster’s Wi-Fi.
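The look-alike names above can be triaged mechanically before joining anything. The following is an added example, not part of the original article: it compares a constructed scan list against the name and protection type that venue staff confirmed, both of which are assumptions passed in as `trusted_ssid` and `trusted_security`.

```python
import re
from difflib import SequenceMatcher

# Constructed scan results (SSID, BSSID, security); not from a real capture.
SCAN = [
    ("CoffeeShop",  "aa:bb:cc:00:00:01", "WPA2"),
    ("CoffeeShop1", "aa:bb:cc:00:00:02", "OPEN"),
    ("CoffeeShop2", "aa:bb:cc:00:00:03", "OPEN"),
    ("CoffeeShop",  "aa:bb:cc:00:00:04", "OPEN"),
    ("AirportFree", "aa:bb:cc:00:00:05", "OPEN"),
]

def normalize(ssid):
    """Fold case, drop punctuation and trailing digits: 'Coffee-Shop 2' -> 'coffeeshop'."""
    return re.sub(r"\d+$", "", re.sub(r"[^a-z0-9]", "", ssid.casefold()))

def triage(scan, trusted_ssid, trusted_security, threshold=0.8):
    """Return {(ssid, bssid): reason} for entries that should not be joined.

    trusted_ssid / trusted_security are assumptions: the name and protection
    type that venue staff confirmed in person.
    """
    base = normalize(trusted_ssid)
    findings = {}
    for ssid, bssid, security in scan:
        if ssid == trusted_ssid:
            # Same name, different protection: a copy that dropped the password.
            if security != trusted_security:
                findings[(ssid, bssid)] = f"advertises {security}, venue said {trusted_security}"
            continue
        similarity = SequenceMatcher(None, normalize(ssid), base).ratio()
        if similarity >= threshold:
            findings[(ssid, bssid)] = f"look-alike of {trusted_ssid!r} ({similarity:.2f})"
    return findings

if __name__ == "__main__":
    for (ssid, bssid), reason in triage(SCAN, "CoffeeShop", "WPA2").items():
        print(f"{ssid:<12} {bssid}  {reason}")
```

A twin that copies both the name and the protection type passes this check, so a clean result narrows the choice but does not prove the network is genuine.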
Cookie Theft and Session Hijacking
Basically speaking, cookies are small packets of data that web browsers collect from websites as a way to retain some browsing information. These packets of data are usually stored locally (as text files) on the user’s computer so that the website recognizes the user when they return.
Cookies are useful because they facilitate communication between users and the websites they visit. For example, cookies allow users to remain logged in without having to enter their credentials every time they visit a particular webpage. They may also be used by online shops to record items that customers previously added to their shopping carts or to monitor their surfing activity.
Since cookies are simple text files, they cannot carry a keylogger or malware, so they won’t do any harm to your computer. However, cookies can be dangerous in terms of privacy and are often used in MitM attacks.
If you find yourself in a situation where you absolutely must connect to Wi-Fi (first ask if you really need to connect) here are a few suggestions to improve your safety:
Do not touch any of your personally identifiable information (PII)
If you use information over a public Wi-Fi network, you are not treating it like it is valuable. Therefore, if you must use a public Wi-Fi network, avoid touching any PII including banking information, social security numbers, and home addresses at all costs. Remember, some accounts require you to enter things like phone numbers when you sign up, so even though you may not remember entering it, you may inadvertently be allowing access to personal information.
Use virtual private networks (VPN) instead
A VPN allows you to create a secure connection to another network over the Internet. VPNs can be used to access region-restricted websites, shield your browsing activity from prying eyes on public Wi-Fi, and more. They are an excellent alternative to public Wi-Fi networks. While they do cost some money, the peace of mind and additional security is well worth it. Additionally, most employers will equip their employees with a way to connect to a VPN network on the go. And, they should. While employees are on the go and need to access Wi-Fi networks to do their jobs, the company’s data is at high risk if they use a public network.
Use SSL connections
If you don’t have access to a VPN, you’re not completely out of luck. You can still add a layer of encryption to your connection. When browsing the internet, be sure to enable the “Always Use HTTPS” option on websites that you visit frequently, including any and all sites that require you to enter any type of credentials (most websites that require an account or credentials have the “HTTPS” option somewhere in their settings).
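An added example (not from the original article) that goes one step beyond the advice above: it checks a site's response headers for HTTPS enforcement (HSTS) and for the Secure and HttpOnly cookie attributes, which are what keep the login cookies described earlier from crossing an open Wi-Fi link in clear text. The site and its headers are constructed for illustration.

```python
import re

# Constructed response headers for a hypothetical site; not captured traffic.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=7f3a9c; Path=/; HttpOnly
Set-Cookie: cart=42; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_enabled(headers):
    """True if Strict-Transport-Security is present with a max-age above zero."""
    for name, value in headers:
        match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
        if name == "strict-transport-security" and match and int(match.group(1)) > 0:
            return True
    return False

def audit(raw):
    """List header weaknesses that expose a session on an untrusted network."""
    headers = parse_headers(raw)
    issues = []
    if not hsts_enabled(headers):
        issues.append("no HSTS: the browser may still try plain HTTP first")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            issues.append(f"cookie {cookie!r} lacks Secure: sent in clear over HTTP")
        if "httponly" not in attrs:
            issues.append(f"cookie {cookie!r} lacks HttpOnly: readable by page scripts")
    return issues

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS)))
```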
Invest in an unlimited data plan
Most of the time, individuals find themselves hastily connecting to public Wi-Fi networks to save themselves from overage charges on their phone bills. But your mobile is just as likely to be attacked as your laptop, if not more. In fact, with the WPA2 flaw mentioned above, Android mobile devices were found to be the most vulnerable. Investing in an unlimited data plan will not only eliminate your need for accessing insecure Wi-Fi networks, but it will also often allow you to use your mobile device to create a personal internet “hotspot,” meaning a VPN connection wouldn’t even be necessary.
Turn off sharing
Be honest, when connecting to the internet at Starbucks or on the road at the airport, do you really need to have file sharing turned on? Not likely. File sharing is usually pretty easy to turn off from the system preferences or control panel, depending on your OS. Or let Windows turn it off for you by choosing the “public” option the first time you connect to a new, unsecured network.
There may come a time when your only option is an unsecured, free, public Wi-Fi hotspot, and your work simply cannot wait. If that’s the case, understanding the risks of public Wi-Fi may prevent you from falling victim to an attack. Regardless, it’s high time that individuals and employers take the risks associated with our growing use of public Wi-Fi networks more seriously. These steps are simple, easy, relatively inexpensive, and could save you from massive amounts of data theft both at home and at work.
Cybercriminals are always looking for new ways to access people’s data, so it is essential to inform yourself and stay vigilant. Here we discussed some of the many risks that public Wi-Fi networks may present. Although most of those risks can be mitigated just by using a password-protected connection, it is important to understand how these attacks work and how you can prevent yourself from becoming the next victim.