You’ve come to expect it — free public Wi-Fi everywhere you go. But if that Wi-Fi hotspot you use is provided by a con artist, you could wind up paying a steep price for the Internet connection.
A quarter of the adults who use the Internet, access it via public Wi-Fi once a week or more, according to a new AARP Fraud Watch Network report titled Convenience Versus Security. Many are doing risky things when they use these hotspots, an accompanying survey found, putting themselves in danger of fraud or identity theft.
More than a quarter (27 percent) said they’ve banked online via public Wi-Fi in the last three months. An identical percentage had purchased a product or service with a credit card this way, they survey found.
Experts say those practices put users at risk.
"We're concerned that people are trading security for convenience," said Doug Shadel with the AARP Fraud Watch Network. "People are doing things on free Wi-Fi that are really alarming."
The report noted that hackers have two common methods of attack:
- Evil Twin Attack: They create Wi-Fi hotspots that have the same or nearly identical name of the legitimate ones you trust, such as a favorite hotel or coffee shop.
- Man in the Middle Attack: They provide a stronger Wi-Fi signal to get between you and the legitimate connection.
In either scenario, the crooks can see every unencrypted communication that happens while you are connected to the Internet: email messages, credit card account information, user names and passwords, even security credentials for your work computer, if you log onto the network remotely.
Shadel said he has interviewed hackers who made a living this way. Sometimes they simply set up their electronic traps while parked near a business where customers are accustomed to enjoying the complimentary Wi-Fi.
“Nine out of 10 times, they were after the user name-password (combination),” Shadel told NBC News. “And if you’re using that password for multiple accounts and they snag it, they can now get into them all.”
The report also found that most respondents were not up to speed on the best protection scheme for home wireless networks: 84 percent did not know that the most up-to-date security for a home Wi-Fi network is not WEP — Wired Equivalent Privacy. Experts advise using at least WPA2 wireless encryption for better protection against the same sort of eavesdropping that occurs on public Wi-Fi networks.
“It’s incredibly difficult, if not impossible, for the average person to know if a Wi-Fi network is trustworthy or not. So you should just assume they are not, unless you know differently.”
It doesn’t take a criminal mastermind to commit these crimes. Andrew Becherer, a security expert with the NCC Group, says the software to hack into a Wi-Fi network is widely available at little or no cost, making it possible for any small-time crook to do it.
“It’s incredibly difficult, if not impossible, for the average person to know if a Wi-Fi network is trustworthy or not,” Becherer said. “So you should just assume they are not, unless you know differently.”
Any shared Internet access, whether free or paid, presents the same level of risk, Becherer told NBC News, unless you or someone you trust — such as your employer — directly controls it.
Becherer does use public Wi-Fi to check his email, but he’ll never do any banking or anything else dealing with financial matters. When he’s in an unfamiliar place, Becherer uses a Virtual Private Network (VPN). This service creates a “tunnel between your device and a secure place on the Internet,” to prevent a potential attacker from seeing what you’re doing, he explained.
The Federal Trade Commission offers a handy tipsheet for staying safe on public Wi-Fi networks, including using VPN.
Meantime, test your knowledge about Wi-Fi security. Take AARP’s online quiz.