Free, public Wi-Fi can be dangerous to your credit card
Lack of security can make your data easy pickings for fraudsters
By Analisa Nazareno | Published: January 19, 2011
If you use a free Wi-Fi connection in an airport, cafe, hotel or some other public space, you may be taking a big risk with your credit card information and other types of important data.
But the good news is there are steps you can take to secure your information.
About one in five people who surf the Internet have used free, public wireless Internet connections (or Wi-Fi), according to JiWire, a San Francisco-based company that directs advertising toward Wi-Fi users. In doing so, they were taking a chance -- whether they realized it or not -- that their computers wouldn't be hacked and their identities stolen by another person sharing the same connection. Experts say that's because anything that you'd do while you're connected is less secure than when you're logged in at home or at your office.
"Whatever you send over the Wi-Fi, whether you are at a restaurant or a grocery shop, the only thing that is secured or encrypted is your log-in," said Rami Khasawneh, chairman for the Management Information Systems department at Lewis University in Romeoville, Ill.
While most merchants, banks and credit card companies encrypt their websites so they are more secure than e-mail and social networks, hackers can use "cookies" from your e-mail and social network sites to potentially steal any credit card or other personal data. That's a serious vulnerability for lots of people, but it's one that many busy consumers are willing to live with.
"The speed of technology has far outpaced the security of the technology," said Robert Siciliano, CEO of Boston-based IDTheftSecurity.com. "What this boils down to is convenience. We forgo security for convenience because we say we don't want to spend an entire Saturday in the office or on a wired connection at home. So we would rather risk a little bit to get a little bit."
Showing the problem
Though experts say free public wireless connections have always left users vulnerable to attack from hackers, the issue came more to the public's attention after a Seattle-based independent software developer released the Firesheep program.
Firesheep helps users capture a Wi-Fi user's "cookies" -- or Internet history tracking data -- and use those cookies to gain access to a user's sessions on e-mail and social networking accounts. Capturing this data allows fraudsters to "sidejack" you, pretending they are you and gaining access to whatever information you've provided the site. For example, if you've e-mailed credit card data, Social Security numbers or other personal information used to identify you in financial transactions, hackers can gain access to them through those e-mails.
The program's developer, Eric Butler, stated on his website that his intention was to convince websites such as Facebook, Twitter, Yahoo!, Hotmail and others to encrypt a user's session after logging in."Someone with bad intentions could do a lot, especially with the social networks, where it's so easy to reach out to someone's followers," said Julien Sobrier, senior security researcher at Zscaler Inc., a San Francisco-based company that specializes in securing online data transfer.
How to stay safe
To prevent cookie sidejacking while using public Wi-Fi, experts say users can do a number of things to protect themselves. For example,
- Users should use mail websites that encrypt data. Sobrier uses Gmail, which has encrypted its mail program since January of 2010. A user can tell whether a website is encrypted if a small padlock icon appears to the right of the site's address in the address bar of a web browser.
- Mobile device users should make sure they have downloaded all the security updates for their operating systems.
- Use VPNs -- virtual private networks -- which encrypt all the information that a user transfers online and make communication more private. Many employers are creating their own VPNs, but Khasawneh said individual users can use open source VPNs, such as the one offered by OpenVPN.
- Use paid Wi-Fi. "They (VPNs) certainly have value, and they certainly are a layer of protection, but they don't solve all the problems. And they can lead to a false sense of security," Siciliano said. "If you are functioning in a wireless environment on a regular basis, you are better off spending the money on a wireless card that you get through AT&T or Sprint rather than going through a free VPN or a $5-$6 a month one. This way, you have your own relatively secured wireless connection as a constant."
Protecting smart phones
The growing market of smart phone users should also be aware that their devices can become subject to the same sidejacking attacks when they switch from their 3G carrier to a wireless hot spot.
"The more likely dynamic is that 3G becomes overloaded and, because of that load, it slows down and customers start to look for alternatives. And the easiest alternative is Wi-Fi," said Kevin Murray, vice president of product marketing at iPass, a Redwood Shores, Calif., wireless connection company.
"You can go into the settings and you can actually turn on encryption in the settings of the phone," Murray said.
Dangerous, even when wired
While cookie sidejacking is possible and protecting yourself from others sharing your network is a good idea, other security experts say users have more to fear from cyber criminals across the globe, rather than the person sitting on the other side of a café.
To surf and connect safely, computer users should always be wary about what they are doing on the Internet, says Mark Bower, vice president with Voltage Security, a Cupertino, Calif.-based company that specializes in data security.
Really make sure that you are careful about your Internet habits.
|-- Mark Bower
"Really make sure that you are careful about your Internet habits," Bower said. "Don't just e-mail your credit card information, even if a hotel or merchant is asking you to do that."
And, Bower says, be careful about which links you click because the links can download and launch malicious programs onto your computer.
"Those are the simple techniques that attackers use to deliver viruses and Trojans, which can then be used to steal your logins to bank accounts and so on," Bower said.
If users suspect a malicious attack, Siciliano suggests they back up important files, then reinstall their operating systems and start fresh.
"Once you start fresh, you can begin at the beginning," Siciliano said. "That's not even an option for us as human beings when we get sick, but that is an option for us as PC users."See related: Secrets of a former credit card thief, 7 reasons your credit card gets blocked, 6 ways to protect your credit cards when traveling, Debt collectors turn to social networks, When you should, shouldn't give out your Social Security number, Solve credit card problems through Twitter, Follow CreditCards.com on Twitter
- Banks make chargebacks easier to initiate – To dispute a charge, often all it takes is the click of a button on the card issuer's website or app ...
- You may soon be able to buy lottery tickets at grocery checkout – States have to approve shoppers using smartphones linked to credit or debit cards to purchase Powerball and Mega Millions chances ...
- EMV chip card torture test – We put EMV chip credit cards through a series of tests to see how they stand up to common threats such as extreme temperatures, water and corrosive liquids ...