April 12, 2011 at 9:00 AM ET
You've heard it for years: Using free coffee shop Wi-Fi isn't safe. But then, you've done it anyway, viewing critical work documents or doing online banking. So let's talk turkey. To borrow from a modern parental dilemma, I really don't want you doing that, but if you do, you should be taking the proper precautions. This edition of Five Red Tape Traps will help you do that.
Finding a free Wi-Fi hotspot is like finding an oasis in the data desert. You might be wandering around helplessly detached with your laptop, iPod Touch or iPad when you come upon a coffee shop or airport lounge that promises to quench your thirst for e-mail. At moments like that, most consumers have one thing on their minds: connecting as quickly as possible.
Somewhere along the line, you've probably heard that recklessly using Wi-Fi can be dangerous. Perhaps you've even heard that the danger level recently increased with the release of a new tool named Firesheep, which makes snooping on unsecure coffee shop networks easy for anyone with a Web browser. There are a lot of fish in that sea: The Wi-Fi Alliance says there are now 92,000 hot spots in the U.S., and every one of them needs to be used with care.
The problem is simple: When you're using Wi-Fi, you're sending data through the air that gets picked up by a radio antenna on a router. Of course, anyone else with an antenna can receive the signal, too. If the data are scrambled, no big deal. But scrambling involves settings that could make life harder for customers, and there isn't a coffee shop in the world that wants to provide IT support to latte drinkers. Hence most free hotspots provide little or no security. It falls to the latte drinker to surf safely.
Sadly, staying truly safe means heeding some rather brutal advice.
"I just tell people not to do anything at a coffee shop that they wouldn't write on the back of a postcard," said Kelly Davis-Felner, marketing director for The Wi-Fi Alliance, a global trade group that certifies Wi-Fi devices. She says the alliance is working on new technologies that will automatically make free Wi-Fi safer, but for now, you should pay heed to these five traps and their antidotes.
1.) It's never happened to me. This is probably the biggest problem facing improved Wi-Fi security. Sure, you start out only reading the NYTimes.com website at coffee shops, but that's just the gateway site. One day, reading the business section, you see a stock you hold in your retirement account took a hit. You can't resist visiting your broker's account. Then you are tempted to go to your online bank to increase your monthly contributions. And nothing bad happens, so what's the problem?
"There's this great disconnect that even if someone took advantage of you and stole your data, you might not be aware of it," said Marian Merritt, Internet safety advocate at Symantec Corp. "Someone could be using Firesheep against you, and you wouldn't know it." This same phenomenon happens in credit card theft: When a criminal buys something with your credit card, you almost never know where the account number was originally stolen.
As a result, it's easy to get complacent with Wi-Fi, and get lured into doing riskier things. Here's the easiest, most basic rule of thumb everyone should follow: Do only casual Web browsing when in that coffee shop, ideally at websites where your password is already stored so it needn't be typed. Remember, half of you use that DailyNews.com password at your online banking website, too, so even a seemingly harmless visit to your town's obituaries could expose your money to a hacker.
2.) Shoulder surfing. Tech writers love using non-words like VPN in a sentence, but often the biggest risk comes from the simplest attack. You probably glance over your shoulder before you enter your PIN code at an ATM. You should bring some of that healthy paranoia to coffee shops, too. Someone could easily look over your shoulder and spot critical personal information while you sip your warm beverage and stare out the window. One low-tech investment that might be worth your while is a privacy filter for your screen that cuts down severely on the viewing angle.
3.) HTTP vs. HTTPS. Even if you are using a wide-open hotspot, you can still scramble those radio transmissions for safety. Make sure you log in to websites like Facebook and Amazon only when there's that familiar "https" prefix in the address where your browser is headed. That means the information you transmit won't be readable by someone who plucks it out of the air. In fact, it will be encrypted at every step between your computer and the website's servers.
Note, however, that you might find yourself switching between http and https as you surf, particularly if you click on outside links. That means before you type something critical, like a login or a credit card, you should check again that your browser is pointed at an https site.
Generally, Web mail programs allow safe https logins, but some switch back and forth depending on how you are using the site. One tip: In Gmail, visit settings and click "always use https."
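The check described in trap 3, written out as an added example (not code from the original article): given the address in the browser and the forms on the page, it reports any form that would carry a password or card number without https. The function name, the shape of the form objects and the sample page are all assumptions made for illustration.

```javascript
// Added example: auditCredentialForms and the form objects are hypothetical names.
const SENSITIVE = /pass|pwd|card|cvv|ssn/i;

function isSensitive(field) {
  return field.type === "password" || SENSITIVE.test(field.name || "");
}

// pageUrl: address shown in the browser; forms: [{ action, fields: [{ name, type }] }]
function auditCredentialForms(pageUrl, forms) {
  const page = new URL(pageUrl);
  const findings = [];
  forms.forEach((form, i) => {
    if (!form.fields.some(isSensitive)) return; // search boxes and the like are out of scope
    // An empty or relative action inherits the scheme of the page itself.
    const target = new URL(form.action || "", page);
    if (target.protocol !== "https:") {
      findings.push({ form: i, issue: "submits-in-clear", target: target.href });
    } else if (page.protocol !== "https:") {
      // The destination is encrypted, but the page carrying the form was not.
      findings.push({ form: i, issue: "form-served-over-http", target: target.href });
    }
  });
  return findings;
}

// Constructed sample: an http page reached through an outside link, with three forms.
const sample = auditCredentialForms("http://shop.example/cart?item=42", [
  { action: "/search", fields: [{ name: "q", type: "text" }] },
  { action: "login", fields: [{ name: "user", type: "text" }, { name: "password", type: "password" }] },
  { action: "https://pay.example/charge", fields: [{ name: "card_number", type: "text" }] },
]);
console.log(sample);
```

The second finding covers the switching case the article warns about: the form posts to an https address, yet the page that delivered it arrived over plain http.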
4.) Avoid "Free Public Wi-Fi." Often, when you are looking for a hotspot, your helpful computer will indicate there are five or six networks nearby. Don't pick the first one, or even the one with the strongest signal. Pick the one that belongs to the establishment you are visiting. Anything else could be a trap. You should double-check the name of the network with the store, and stores should place the name prominently behind the register. Connecting to random accounts -- and having your computer connect automatically to networks with names like "linksys" -- sets you up for what's called an "evil twin" attack. (No, this is not a reference to a book of the same name.) Criminals can set up rogue access points with attractive-sounding names, connect to your computer and then honor most Web browsing requests -- all the while logging your activity. The only way to avoid this is to manually connect to networks you know are provided by reputable firms.
5.) VPN. Finally, the advice given by professionals to professionals is to use virtual private network tools -- VPNs -- when connecting to the Internet through public wireless networks. VPNs offer an encryption-lined tunnel between your machine and a server somewhere else on the Internet, which keeps your data free from prying eyes along that pathway. Firesheep is powerless against VPNs.
The problem is VPNs require two pieces, and most consumers can't be bothered with setting up both. A VPN client must be installed on the coffee drinker's computer, and a VPN server must be set up elsewhere to accept the connection. People who work at security-conscious companies often have these installed for them. It's possible to use your home computer as a VPN server, which would mean you'd essentially be surfing the Web from that machine when you were in your local coffee shop. But that's a bridge too far for most consumers.
Several commercial companies have stepped up to fill this gap. HotSpotVPN.com, for example, offers tunneling service for under $10 per month. HotSpotShield uses a different model, providing free tunnel service in exchange for serving advertisements to users.
But most average surfers won't want the ads or the subscription because they don't realize what's at stake, said Merritt, the Symantec safety advocate. She thinks hotspot providers should shoulder a little more responsibility.
"They should recommend that consumers look into using VPNs, perhaps right on their login pages," said Merritt. "They should provide information that consumers don't even know to ask about .... If consumers had greater awareness, they would be more concerned."
"Five Red Tape Traps" is an occasional series which will focus on answering the most important questions consumers face in the 21st Century economy.