With the proliferation of easy-to-carry wireless electronics and mobile technology, as well as the increasing availability of public wireless hotspots, communications and access to information have become more and more convenient. But you may want to think twice before logging into a free, unprotected hotspot. Grabbing a few minutes of connectivity has become simple, but identity thieves are discovering that piggybacking onto Wi-Fi is a great way to steal unsuspecting users' private information.
Here are some examples of how that might happen and some tips to protect yourself.
Man in the Middle
In a "Man-in-the-middle attack," a malicious user inserts himself between two parties in a communication and impersonates both sides of the exchange. The attacker then intercepts, sends and receives data meant for each user, such as account numbers or passwords. Such an attack occurs most commonly when people are using free or unsecured Wi-Fi connections.
Also beware the "Evil Twin" attack; that's the term for a Wi-Fi access point that appears to be a legitimate one offered on the premises (like a coffee shop or hotel lobby), but actually has been set up by a hacker to eavesdrop on wireless communications among online users. The fake access point might be labeled as "free airport wi-fi" or "free hotel wi-fi," when in reality it was created by a hacker who is hoping to capture personal identifying information such as user IDs, names and passwords in order to steal your identity or take over your smartphone or laptop. Often users are unaware they have been duped until well after the incident has occurred.
Then there's the "War Driving" attack, which is the act of searching for unlocked (e.g., no password required) or poorly protected Wi-Fi networks by a person in a car, using a portable computer, smartphone, or other personal digital device. War drivers log and collect wireless network info, without actually jumping onto the networks. And, if the hackers identify yours as unlocked or relatively unprotected, they can download malware onto the system and/or surreptitiously search the computers and devices connected to the network for personal, company and financial data, login credentials, passwords, etc.
Seven Tips to Help You Defend Against These Types of Attacks
There are a number of preventive actions you can take to lessen the chance of your becoming a victim.
Here are a few:
- Treat all Wi-Fi links with suspicion: Don't assume that the Wi-Fi link is legitimate; it could be bogus. And, don't connect to an unknown or unrecognized wireless access point. Some bogus links - that have been set up by malicious users - will have a connection name that's deliberately similar to the coffee shop, hotel, or venue that's offering free Wi-Fi; speak with an employee at the location that's providing the connection, if possible, to verify.
- Consider using your cell phone: If you need to access any websites that store or require the input of any sensitive information - including social networking, online shopping, and online banking sites - it may be worthwhile accessing them via your cell phone network, instead of the public Wi-Fi connection.
- Protect your device against cyber attacks: Make sure all of your devices are protected by a rigorous anti-malware and security solution - and ensure that it's updated as regularly as possible.
- Conduct private business privately: If you restrict your public surfing to Web pages you don't mind a stranger reading along with you, there is little an attacker can do; for example, don't access your online bank account using public Wi-Fi.
- Watch your settings: Consider changing the settings on your mobile device so it doesn't automatically connect to nearby Wi-Fi. That way, you have more control over when and how your device uses public Wi-Fi.
- Turn off your wireless network when you are not using it. If you're on your computer (but not using the Internet or sending email) in an area with public Wi-Fi access, disable your wireless connection. If you're using an external Wi-Fi card, you can remove it. If you're using an internal Wi-Fi card, right-click the connection and then click Disable.
- Use encryption. Encryption scrambles the information you send over the internet into a code so that it's not accessible to others. Two main types of encryption are available: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). WPA2 is strongest; use it if you have a choice. WEP is an out-of-date security protocol for routers, which makes it vulnerable to hackers.
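The first and last tips can be checked mechanically against a list of nearby networks. The following is an added example, not part of the original article: it flags networks that are unencrypted or use WEP, names that imitate the one verified with venue staff, and a single name advertised with different security settings. The scan-record format, the network names and the 0.8 similarity threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

WEAK = {"OPEN", "WEP"}  # no encryption at all, or the outdated WEP protocol

def _norm(ssid):
    """Lowercase and drop spaces/punctuation so cosmetic variations compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def audit_scan(networks, verified_ssid):
    """Return sorted (ssid, reason) findings for a list of scan results.

    networks: dicts with 'ssid' and 'security' keys (assumed format).
    verified_ssid: the network name confirmed with an employee at the venue.
    """
    findings = set()
    modes_by_ssid = defaultdict(set)
    for net in networks:
        ssid, sec = net["ssid"], net["security"].upper()
        modes_by_ssid[ssid].add(sec)
        if sec in WEAK:
            findings.add((ssid, "unencrypted or WEP"))
        if ssid != verified_ssid:
            # Similar-but-not-identical names are the look-alike case from tip 1.
            score = SequenceMatcher(None, _norm(ssid), _norm(verified_ssid)).ratio()
            if score >= 0.8:  # assumed threshold
                findings.add((ssid, "name imitates verified network"))
    for ssid, modes in modes_by_ssid.items():
        if len(modes) > 1:
            # A genuine network normally uses one security mode on all access points.
            findings.add((ssid, "same name, different security settings"))
    return sorted(findings)

# Constructed sample scan; every name here is made up for illustration.
SAMPLE_SCAN = [
    {"ssid": "HotelLobby-WiFi", "security": "WPA2"},
    {"ssid": "HotelLobby-WiFi", "security": "OPEN"},
    {"ssid": "Hotel Lobby WiFi Free", "security": "OPEN"},
    {"ssid": "OldRouter", "security": "WEP"},
    {"ssid": "HomeNet", "security": "WPA2"},
]

if __name__ == "__main__":
    for ssid, reason in audit_scan(SAMPLE_SCAN, "HotelLobby-WiFi"):
        print(f"{ssid}: {reason}")
```

A finding is a reason to ask staff or switch to the cell network, not proof of an attack; a clean result likewise does not prove a network is safe.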
"When it comes to scams, prevention is the best protection for consumers," says Attorney General Bob Ferguson. "As technology changes, scam artists are constantly finding new ways to conduct cybercrime."
For more information about the "Cyber Safety" campaign, visit www.aarp.org/wa.
You can sign up for the AARP Fraud Watch Network at www.aarp.org/fraudwatchnetwork or by calling 800-646-2283. By joining the AARP Fraud Watch Network, you'll receive alerts and notifications about new scams as they emerge.
File a consumer complaint with the Attorney General's Office at www.atg.wa.gov.