Using public Wi-Fi can be risky – and security experts such as Europol’s Troels Oerting have even suggested it’s TOO risky, and that we should abandon public Wi-Fi hotspots altogether.
If your computer happens to be filled with trade secrets (or any business data for that matter), that’s probably a good idea – your colleagues will appreciate your waiting until you are somewhere you can connect securely.
Earlier this year, Oerting, the head of Europe’s Europol Cyber Crime division, warned that free hotspots were increasingly used to steal private information from consumers in Europe, as reported by We Live Security here. Oerting said, “We have seen an increase in the misuse of Wi-Fi in order to steal information, identity or passwords and money from the users who use public or insecure wi-fi connections.”
Up to 10% of workers admit to using public hotspots with work machines, according to a recent survey by phone insurer ProtectYourBubble.
For ordinary PC and smartphone users, Wi-Fi is not ideal – but it’s sometimes near-inescapable.
ESET Researcher Stephen Cobb says in a how-to for computing on the go,
“Consider using a 3G or 4G hotspot instead of hotel Internet or free public Wi-Fi hotspots. If you are logging into a work network, use a VPN, and do not visit banking or shopping sites.”
Frequent travellers might find it cheaper to buy a local SIM card for data – or share a 3G or 4G data connection from a smart device.
But if you are travelling somewhere where cellphone reception is poor, these steps will help you get online as safely as possible.
The worst thing you can do is assume a Wi-Fi network is legitimate – or run by the establishment you’re in. It might be a decoy deployed by a criminal.
As a general rule, don’t connect to any network called ‘Free Wi-Fi’ – if they’re advertising that, they may well want you to sign up for a newsletter or endure adverts, even if the hotspot isn’t malicious.
Mark James, ESET Security Specialist, says, “If it’s a public service (coffee shop, McDonalds etc.) check the WiFi name with a member of staff – don’t just connect to the first one you see, it could be there to harvest your information.”
Once you’ve reassured yourself that the hotspot is legitimate, you probably want to check email messages – this is best done via your PC, as you can use the browser’s secure icon (usually a lock or similar in your address bar) to check that you are connected securely (i.e. via HTTPS).
Hackers who are monitoring network traffic are looking for you to type in passwords – email account passwords and social network passwords.
Mark James, ESET Security Specialist says, ‘I would personally limit my activities to anything that does not require a username and password to log in, but please bear in mind most apps on your smartphone will auto login. Generally browsing and information look-ups are going to be fairly safe.’
Overall, smartphones come a poor second to PCs or Macs when it comes to public Wi-Fi hotspots – the ‘defenses’ built into PC browsers make it easier to reassure yourself you’re being safe.
Using email apps on your phone can leak data – a secure HTTPS website is better, ESET’s Mark James says.
“For email, it’s better to use a secure HTTPS website for emails rather than using pop3 from your mobile, as this is easily interrogated using free apps on the same WiFi connection.” If you’re sending corporate email, or sensitive emails, it’s best to use encryption (a more detailed We Live Security how-to offers tips here).
Typically, attacks on Wi-Fi hotspots are ‘man-in-the-middle’ attacks – where an attacker is able to access your data as it travels.
That means anything financial or corporate is out – don’t type in your credit card details, don’t buy anything, don’t visit your bank’s website.
If you have to connect to your work environment, use a VPN – otherwise, wait until you’re in a safer environment.
If you’re going to use your computer in a risky environment, ensure sharing is switched off – you don’t want unknown attackers having access to your files.
On a Mac, you’ll find this under Sharing Preferences.
Set all your websites to ‘secure’ before you log on
Most web services will offer the option to enable HTTPS – secure browsing – by default. It’s sensible to ensure that you’ve activated this on services you’re going to use frequently.
HTTPS helps ensure that a browser is connecting to what it thinks it is. The Electronic Frontier Foundation offers a plug-in which forces your browser to connect via HTTPS where possible.
Many services – such as Google Mail – do this by default, but others which don’t default to the more secure setting will offer an option to enable it. Find it in your account’s ‘Settings’ menu and enable it.
Travelers will be on safe ground researching information, or checking news sites, or looking at maps of the local area – but anything financial, such as booking a hotel, is best done either via your mobile device’s connection, or just over the phone.
In remote areas, or certain countries in the Far East, it’s perfectly normal to encounter Wi-Fi networks with no security whatsoever – in most cases, this is simply for ease of use, as guests are constantly traveling through the hotel or bar, or cafe.
Don’t connect to these hotspots, ESET’s Mark James warns: “If someone is snooping your data you will NOT know they are doing it.”
Even big chain Wi-Fi Hotspots pose risks – and the last thing you want is your smart device attempting to connect to the same hotspot later, when you’re not looking.
Smart devices can give away a surprising amount of data from apps connecting to remote servers – so it’s always a good policy to police your list of ‘known’ networks thoroughly.
The worst of these can be Hotspot networks which your cellphone provider has a deal with – which phones will sometimes default to connecting to, without alerting the user, as reported by We Live Security here.
The report found that the two services allowed smartphones to reconnect to public Wi-Fi hotspots automatically, which could leave users vulnerable to fake hotspots with the right name, able to redirect users to bogus websites to harvest usernames and passwords.
Ars Technica’s IT editor Sean Gallagher writes that the services open both Android and iPhone to a serious security threat, saying, “There’s a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you’ve already connected to and trusted, like AT&T and Xfinity.”
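One way to police the ‘known’ networks list described above on a Windows PC, as an added example that is not part of the original article: it parses the text printed by `netsh wlan show profile name="<profile>"` and flags saved networks that are both unencrypted and set to rejoin automatically. The sample output is constructed and abridged, English-locale field labels are assumed, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged English-locale output of
# `netsh wlan show profile name="<profile>"` for three saved networks.
SAMPLE = """\
Profile Free Airport WiFi on interface Wi-Fi:
    Name                   : Free Airport WiFi
        Connection mode    : Connect automatically
    Authentication         : Open

Profile HomeNet on interface Wi-Fi:
    Name                   : HomeNet
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal

Profile Hotel Lobby on interface Wi-Fi:
    Name                   : Hotel Lobby
        Connection mode    : Connect manually
    Authentication         : Open
"""

# Only the three fields needed for the check are captured.
FIELD = re.compile(r"^\s*(Name|Connection mode|Authentication)\s*:\s*(.+?)\s*$")

def parse_profiles(text):
    """Split the output on 'Profile ... on interface' headers into dicts."""
    profiles, current = [], None
    for line in text.splitlines():
        if line.startswith("Profile ") and " on interface " in line:
            current = {}
            profiles.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current.setdefault(m.group(1), m.group(2))  # keep first value seen
    return profiles

def risky_profiles(text):
    """Names of saved networks that are unencrypted AND rejoin automatically."""
    return [p.get("Name", "?") for p in parse_profiles(text)
            if p.get("Authentication") == "Open"
            and p.get("Connection mode") == "Connect automatically"]

if __name__ == "__main__":
    for name in risky_profiles(SAMPLE):
        print(f"forget this network or set it to manual: {name}")
```

A flagged profile can be removed from the saved list with `netsh wlan delete profile name="<profile>"`.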
Author Alan Martin, ESET