You may want to think twice before logging into a public wireless hotspot. Sure, grabbing a few minutes of connectivity is convenient, but identity thieves are discovering that, through "evil twin" attacks, hotspots are a great way to steal unsuspecting users' private information.
Let's say that I'm a hacker. I can set up my computer to transmit a signal that turns it into an access point, or Wi-Fi hotspot. I'll even give it a legitimate-sounding name, like T-Mobile Hotspot, to fool unsuspecting surfers.
Next, I put my laptop in a backpack and read a newspaper while sipping some java at the local coffee shop. All I have to do is wait for you to connect. I'll require you to enter a credit card number to get access to the web, just like T-Mobile does. I’m then free to plunder your card’s resources.
While you surf the web, my computer redirects you to web pages I have created that happen to look like the ones you visit on a daily basis. In fact, the only visible difference between the Citibank page you visit every day and the one I have made is that my page is unencrypted: I cannot obtain a certificate for Citibank's domain name, so my copy is served over plain http rather than https. I can log all of the information you input into various web forms, and because your traffic passes through my access point, when you check your e-mail over an unencrypted connection I can read it along with you.
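The narrative above describes what the attacker does; the client side can at least notice the symptoms. The following script, an added example that is not from the original article or from any product, runs three heuristics over a constructed Wi-Fi scan: a remembered network name appearing from a BSSID never seen for it, the same name offered both open and encrypted, and weaker security than the profile the user saved. The scan rows, the remembered-network table and the field names are assumptions for illustration.

```python
"""Heuristic evil-twin detection over a constructed Wi-Fi scan.

Added example, not code from the original article. The scan rows and the
remembered-network table below are constructed for illustration; the field
names (ssid, bssid, channel, security, rssi) are assumptions, not the output
format of any particular scanning tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # AP MAC address
    channel: int
    security: str    # "open", "wep", "wpa", "wpa2" or "wpa3"
    rssi: int        # signal strength in dBm


# Hypothetical table of networks the user has joined before:
# SSID -> (set of BSSIDs previously seen for it, security type it used).
KNOWN_NETWORKS = {
    "T-Mobile Hotspot": ({"00:11:22:33:44:55"}, "wpa2"),
    "HomeNet": ({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}, "wpa3"),
}

# Constructed scan: the legitimate hotspot plus an impostor with the same
# name, open security, an unfamiliar BSSID and a strong (nearby) signal.
SCAN = [
    AccessPoint("T-Mobile Hotspot", "00:11:22:33:44:55", 6, "wpa2", -67),
    AccessPoint("T-Mobile Hotspot", "de:ad:be:ef:00:01", 11, "open", -38),
    AccessPoint("HomeNet", "aa:bb:cc:dd:ee:01", 1, "wpa3", -70),
    AccessPoint("CoffeeShop", "12:34:56:78:9a:bc", 1, "open", -50),
]

SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


def find_suspicious(scan, known=KNOWN_NETWORKS):
    """Return {bssid: [reasons]} for access points that look like evil twins.

    Each heuristic alone is only a warning (enterprise networks legitimately
    use many BSSIDs per SSID), which is why the checks compare against the
    profile the user actually saved:
      1. A remembered SSID broadcast from a BSSID never seen for it.
      2. A remembered SSID offering weaker security than the saved profile.
      3. The same SSID visible both open and encrypted in one scan.
    """
    reasons = defaultdict(list)
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    for ssid, aps in by_ssid.items():
        secs = {ap.security for ap in aps}
        mixed = "open" in secs and len(secs) > 1
        for ap in aps:
            if ssid in known:
                bssids, expected_sec = known[ssid]
                if ap.bssid not in bssids:
                    reasons[ap.bssid].append(f"unknown BSSID for remembered SSID {ssid!r}")
                if SECURITY_RANK.get(ap.security, 0) < SECURITY_RANK.get(expected_sec, 0):
                    reasons[ap.bssid].append(f"security downgraded from {expected_sec} to {ap.security}")
            if mixed and ap.security == "open":
                reasons[ap.bssid].append(f"SSID {ssid!r} also seen encrypted; open copy may be a twin")
    return dict(reasons)


def safe_to_autojoin(ssid, scan, known=KNOWN_NETWORKS):
    """Only auto-join a remembered SSID when every visible AP carrying it is clean."""
    flagged = find_suspicious(scan, known)
    return ssid in known and not any(ap.bssid in flagged for ap in scan if ap.ssid == ssid)


if __name__ == "__main__":
    for bssid, why in find_suspicious(SCAN).items():
        print(bssid, "->", "; ".join(why))
    print("auto-join T-Mobile Hotspot:", safe_to_autojoin("T-Mobile Hotspot", SCAN))
```

When a twin is present, safe_to_autojoin refuses the whole SSID rather than trying to pick the "real" one, because the client has no say over which of the two identically named access points it will associate with; that is the practical form of the "no way to discriminate" problem described below.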
"The only way to tell the difference between [a] legitimate and non-legitimate [access point] is intent," says Jeffrey Schiller, network manager and security architect at the Massachusetts Institute of Technology. "The fundamental problem is when you are in a public place there is no way to discriminate."
Schiller offers an example of how easy it could be to fall victim to an evil twin attack. While at the airport during a recent trip to New York, he says, he turned his laptop into an access point. His intention was to get access to the internet, but as soon as he created the hotspot, Schiller noticed that three people had begun using his computer as an access point.
"I probably could have seen their email" and been able to track their movements on the web, he says.
According to Schiller, most web browsers already have several measures built in to warn about unencrypted web pages. However, he says, each of them has weaknesses:
Pop-up warnings: Web browsers often use a pop-up dialog box to indicate that information being sent is not encrypted. The problem with this, Schiller says, is that these boxes offer the option to "never show this again." If you have clicked this box just once, you will no longer be warned if you are sending information through unencrypted channels.
The Lock Icon: Most web browsers display a small lock icon to indicate that the connection is encrypted and that the site presented a certificate the browser trusts for the domain name in the address bar; it says nothing about who actually operates that domain. The problem with these, Schiller says, is that you must be diligent about looking for them every time you log on to a new page, and then also check the name beside them. If a hacker registers a domain name that differs from the one you are familiar with by even one letter (an example Schiller offers is replacing the lowercase L in lehman.com with a one, 1ehman.com), they can obtain a perfectly valid certificate for it. When you are redirected to that page it will display the lock icon, and you may never notice the changed domain name.
HTTPS and unfamiliar links: According to Schiller, most banks advertise the unencrypted http version of their home page because it is easier to remember; only the https version is encrypted. When you log on to that page and click to enter the encrypted version, you can be redirected to a page with a domain name that is unrelated to the bank's home page. If you do not recognise the name, it is difficult to know if you have been redirected to a page operated by the bank or by a hacker.
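Two of the checks in the list above (a one-character substitution such as 1ehman.com, and a login that lands on an unfamiliar domain) can be automated on the client. The following is an added example, not code from the original article or from any browser: it folds confusable characters, catches one-character typosquats with an edit-distance check, and classifies a redirect target against the domain the user expects. The known-good domain, the confusable map and the sample URLs are assumptions; the map is a small illustrative subset, and the registrable-domain helper is deliberately naive (no public-suffix list, so two-part suffixes such as co.uk are handled wrongly).

```python
"""Lookalike-domain and same-site checks for a post-login redirect.

Added example, not code from the original article. The known-good domain,
the confusable table and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Single characters an attacker swaps for visually similar ones (a subset).
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "5": "s", "3": "e", "|": "l", "!": "i",
})
# Multi-character sequences that read as one letter (a subset).
MULTI = {"rn": "m", "vv": "w", "cl": "d"}


def canonical(host):
    """Fold a hostname to the letters a reader would 'see'."""
    h = host.lower().rstrip(".")
    if h.startswith("www."):
        h = h[4:]
    h = h.translate(CONFUSABLES)
    for seq, rep in MULTI.items():
        h = h.replace(seq, rep)
    return h


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels. Naive: no public-suffix list, so 'bank.co.uk' -> 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_same_site(expected_domain, host):
    """True if host is the expected domain itself or a subdomain of it."""
    h = host.lower().rstrip(".")
    e = expected_domain.lower()
    return h == e or h.endswith("." + e)


def lookalike_of(host, known_domains):
    """Return the known domain this host imitates, or None.

    A host that IS a known domain (or a subdomain of one) is never a
    lookalike; both sides are canonicalised before comparison.
    """
    if any(is_same_site(good, host) for good in known_domains):
        return None
    reg = registrable(host)
    for good in known_domains:
        if canonical(reg) == canonical(good) or edit_distance(reg, good) == 1:
            return good
    return None


def classify_redirect(expected_domain, url):
    """Decide whether a login redirect target can be trusted."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "reject: not https"
    if is_same_site(expected_domain, host):
        return "ok: same site"
    mimic = lookalike_of(host, [expected_domain])
    if mimic:
        return f"reject: {host} looks like {mimic}"
    return "unknown: unrelated host, verify out of band"


if __name__ == "__main__":
    for target in ("https://login.lehman.com/auth", "http://1ehman.com/login",
                   "https://1ehman.com/login", "https://lehman-online-banking.com/x"):
        print(target, "->", classify_redirect("lehman.com", target))
```

The last case is the one Schiller describes: a genuinely unrelated hostname is neither provably the bank's nor provably an impostor, so the only honest answer is "verify out of band", for instance by typing the https address the bank printed on your card rather than following the link.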
Those who perpetrate evil twin attacks are benefiting from the distractions of public places. According to Schiller, "they're depending on you not [paying] attention." If you are diligent, these tips will make you less likely to fall victim to an attack:
Check your Wi-Fi settings: Many laptops are set to search constantly for hotspots and to join automatically any network whose name matches one they have used before. While this option might seem convenient, it does not let you see which hotspot you are joining or judge whether it is legitimate, and an attacker who broadcasts a familiar network name gets connected to without your ever being asked. Turning off this option will prevent your computer from logging on to a hotspot without your knowledge.
Pay attention to dialog boxes: Pop-up warnings are there for a reason – to protect you. If you are lucky enough to have not clicked the "never show this again" option, make sure you read these warnings carefully before agreeing to send information.
Keep a credit card for internet use only: Open a credit card account that is used solely for shopping on the web. Ideally, you should be able to access account records online so you don't have to wait for monthly statements to monitor any activity. "Be prepared to close that account on short notice if it's been compromised," says Schiller.
Conduct private business in private: "Maybe you don't need to move money around or check your bank statements when you are connected to a public hotspot that you're not really familiar with," says Schiller. If you restrict your public surfing to Web pages you don't mind a stranger reading along with you, there is little an evil twin attacker can do to harm you.