It may soon be safer to type passwords on public Wi-Fi
WPA3, a new security protocol, better encrypts hotel, coffeshop communication
Statistics enthusiast focused on data-driven content
Using public Wi-Fi networks may become a whole lot safer as new security upgrades coming later this year vow to keep your online traffic private.
The Wi-Fi Alliance, the organization that sets Wi-Fi standards, announced a new security protocol called WPA3 in January 2018 aimed at better protecting the vulnerable public Wi-Fi arena. The upcoming privacy protections will impede people from guessing passwords and better secure both your online browsing activity and Wi-Fi-connected gadgets.
This is good news for consumers and their payment card details. “The biggest threat people have to their privacy today is their security,” said Matt Erickson, executive director of the Digital Privacy Alliance.
Here’s what you should know about the public Wi-Fi changes to come and how it should – and should not – impact how you manage your finances and shop online:
Current public Wi-Fi vulnerability
WPA3, the successor to the WPA2 technology that currently protects nearly every phone, computer and router on a Wi-Fi network, has been designed to patch a security hole in existing Wi-Fi setups. The WPA2 hole, which was revealed in October 2017, can expose anything typed on an Internet-connected device, such as passwords, credit card numbers and contact information details.
As mobile shopping continues to increase in popularity and smartphones are ever-present, the odds of consumers exposing private information in an unsecure Wi-Fi situation are high. What might seem like a quick credit card purchase while waiting to pick up takeout food may actually be a gateway for fraudsters to snag payment information.
“If you go to a coffee shop that has open Wi-Fi, then it’s completely unencrypted, completely unsecured,” explained Erickson. “So, in that instance, you have to rely on the services you are using to provide any kind of security for the traffic you are sending over the internet. Anybody with an antenna can read what you are typing, and WPA3 is supposed to provide means to overcome that.”
What WPA3 will do?
While Wi-Fi technology manufacturers have attempted to fix the known security hole with software updates, WPA3 is more than a patch. It seeks to implement new features and address areas of the security protocol that haven’t been broached since WPA2 was introduced more than a decade ago.
There are three key changes WPA3 will bring to Wi-Fi networks and users, says Greg Young, vice president of cybersecurity for Trend Micro:
1. Better defense against guessing the router admin
password, even if the password chosen is very simple.
2. Stronger and better encryption.
3. Better privacy for “open” or public Wi-Fi connections since those will be uniquely encrypted.
“All three changes are counters to the most common attacks that go after payment card details: grabbing them at a compromised router, listening in on less protected open networks or beating weak encryption.”
For consumers who frequent public Wi-Fi hotspots, such as coffee shops, hotels or libraries, increased privacy on such public networks will greatly reduce the odds that online traffic – including the passwords and sensitive details entered on websites – is exposed to anyone keeping tabs on the Wi-Fi activity.
With WPA3, encryption will be built in the open network, providing users with a secure and private channel that others can’t spy on. The change could provide consumers nearly as much privacy as secured Wi-Fi networks, such as what you have at home or the office, when fully implemented.
Overall, the adoption of WPA3 should give consumers added peace of mind as they do things such as browse the Internet on their tablet while out to lunch or working online at hotels.
“According to the developers, it will be more secure and it will take some of the burden off of consumers,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Essentially, what they have told us is ‘Even if you decide to use weak passwords, we might still protect you.’”
However, WPA3 defenses are not bulletproof. The added encryption protections will prevent mass, passive surveillance of public Wi-Fi activities, but a hacker could still steal data through a direct attack.
“WPA3 as described is an incremental improvement, not a revolutionary one,” Young said. “Older routers or poorly configured new ones will still be a big part of the landscape, and Wi-Fi is, of course, only part of the experience that online shopping and payment involves.”
The new security standards will not arrive overnight. According to the Wi-Fi Alliance, additional details about WPA3 and how it will be rolled out will be released later this year.
“First, the standard does need finalization, and that takes a while,” Erickson said. “The Wi-Fi Alliance is made up of many different companies, each with their own interests.”
Once the standards are finalized, the security update will need support from hardware and software manufacturers, which will require another transitional time period. Then, Wi-Fi hosting businesses and individuals will need to make sure their networks and equipment are up-to-date.
“WPA3 needs to be designed into new routers and devices, and then these devices need to be put into place,” Young said. “So, change will proceed at the speed of manufacturer adoption and router replacements. This won’t be fast.”
Consumers, don't let down your guard
While the tech industry works on increasing privacy and security by design, it’s still the responsibility of consumers to ensure they are protecting themselves and the information they put in cyberspace.
“It’s great from a cultural standpoint that the industry is stepping up and fixing a lot of these vulnerabilities for us and working to make us safe, but this is a shared responsibility,” Velasquez said. “At the end of the day, I don’t want consumers abdicating that responsibility and going, ‘Well, now I don’t have to worry about those things.’
“This is great, but I liken it to getting a new insurance policy for your car. You don’t get it and go, ‘Wow, I’ve got even better coverage and a lower deductible. Now I can really drive like a maniac.’ You still have personal responsibility to be safe.”
While the adoption of WPA3 should offer added peace of mind when browsing publicly, continue to follow traditional advice when it comes to safe Wi-Fi behavior. For example, encrypt your mobile device and keep it up-to-date to ensure the strength of security protections,
“Safely doing business over Wi-Fi falls in two categories: protecting where you do Wi-Fi business and limiting the impact of a payment information compromise,” Young said. “Doing anything sensitive in an open Wi-Fi environment remains risky.”
Additionally, always make sure you are using SSL-encrypted websites for shopping, paying bills or logging into accounts. SSL-encrypted websites will either note “secure” at the top of the window or show a closed padlock symbol by the URL bar.
“That’s really the only way to guarantee safety, because that means there is a completely encrypted tunnel between you and whoever you are giving your payment card information to,” Erickson said. “And then on top of that, make sure you are running on secured networks when you do pay for things online.”
Even after WPA3 is thoroughly implemented, browse cautiously on public Wi-Fi networks.
“You’re only as secure as their configuration, and you really can’t know how good it is: Coffee shops and libraries remain a minefield,” Young said. When in doubt, wait until you are home to make sensitive internet transactions. “There are ways to limit your exposure, but it’s a good data point that at hacker conferences no one uses the public Wi-Fi,” he added.
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...