Do you want to buy those shoes you are looking at online while sipping coffee and enjoying free Wi-Fi at the local bistro? Better stop before you shop.
Waiting like a mugger in a dark corner may be a hacker, intercepting such information as your credit card numbers, name, address and more before it ever reaches the Internet shoe seller.
“Public Wi-Fi is inherently unsecure. Anyone using it ought to do so with the premise that everything you do is visible to a third-party stranger with access to that hot spot,” said Kevin Clark, first assistant Monmouth County prosecutor, an expert in cybercrime. “The chances of you being hacked far exceed the chances of your home being burglarized. This is a big business.”
Public Wi-Fi is almost everywhere — in stores, libraries and restaurants and soon on commuter trains and in stations — but so is the danger. The best advice for users is not to be lulled by the convenience of Wi-Fi, to be skeptical and to take your own precautions to secure your computer and information, Clark said.
Experts warn against making any financial transactions or using credit cards on public Wi-Fi, which can provide identity thieves with the information they need to go on a shopping spree with your money.
Easy for attackers
How hard is it to access your private information? Ryan McVeety, a senior in Red Bank Regional High School’s information technology academy, set up a demonstration to show how easy it is to read a user name and password on an unsecured network. Seconds after a “victim” typed in a user name and password, McVeety, of Little Silver, who studied cybersecurity at Red Bank Regional, was able to capture them on another computer and read the information back.
Both he and his teacher Mandy Galante warned that users of free public Wi-Fi must be on guard.
“Is it safe? Absolutely not. Internet shopping (on open public Wi-Fi) is a bad idea,” Galante said.
Some experts even advise against checking Facebook or email accounts for the same reason: doing so can expose enough information for hackers to run programs that guess passwords, gain access to information and steal a person’s identity.
“Public, unsecured open (Wi-Fi) networks, those are quite unsafe to use,” said Reza Curtmola, an associate professor of computer science at the New Jersey Institute of Technology. “It’s dangerous to connect to the Internet on them for several reasons.”
The biggest danger is on open, public Wi-Fi networks that do not require a password, he said. Many people are lulled into a false sense of security by the convenience, and security software on your computer will not stop them, Curtmola said.
“Most people don’t know the ease that an attacker can intercept their communications,” he said.
Why free Wi-Fi?
It is not that Wi-Fi providers are unaware or do not care about the dangers. The Monmouth County Library system’s Wi-Fi policy warns users that their information is not protected.
“We warn everyone who picks up the policy that we have an open Wi-Fi system,” said Coleen Dee Berry, library public participation specialist. “We have to balance being open to all the residents of the county who want to use Wi-Fi, and we hope they employ a certain amount of personal responsibility.”
She questioned how secure a password system would be on Wi-Fi used by hundreds of people who could share the password.
“We’re full public access. That’s our reason for being,” Berry said. “In instances like superstorm Sandy and Hurricane Irene, people came here because they wanted computer access. You try not to put up barriers to that use.”
That means it is up to users to safeguard themselves, experts said.
Warding off hackers
Other problems include users believing they are connecting to the legitimate Wi-Fi network when they are really connecting to a “rogue access point,” Curtmola said. Users are directed to a legitimate-looking website that prompts them to provide information such as credit card numbers, he said.
Signs of a rogue site include a prompt that asks you to re-enter your user name and password and a Web browser that suddenly says the security certificate is invalid, Clark said. Log off and shut down your computer if that happens, he said.
“How often have you been in the airport (on your computer), and a dozen free Wi-Fi connections pop up?” Clark said. “Make sure you’re connecting to a real network. If you’re in doubt, ask the proprietor.”
Another step toward protecting yourself is to use Wi-Fi that is password protected and more secure than an open network, Curtmola said. The password means there is some degree of encryption and limited access.
“If you have to choose between secure and nonsecure, always choose the secure Wi-Fi network, even if you have to pay for it,” he said.
All the experts interviewed said Wi-Fi users should visit only secure websites with “https” addresses.
The next highest level of security is using a VPN, which Curtmola said is always encrypted. Websites with https addresses only encrypt certain Internet traffic, such as mail, but not all communications, Clark said.
“It has a learning curve for the average user and is a little slower,” said Curtmola, who added that a local computer shop can install the software and configure it.
VPN networks also can be rented, Clark said.
“If I was going to connect to anything on public Wi-Fi, I’d want a VPN,” he said.
Other security measures include turning off file sharing, printer sharing and any other sharing features, which a third party can use to access your computer, Clark said. If your computer has firewalls, use them to prevent unsolicited incoming communications, he said.
Consider enabling “two factor” authentication on every website, which requires a “second log-in” of a code emailed or texted to an account you have designated, he said.
“If you log in from a different IP (Internet Protocol) address that’s not recognized, it will prompt you to re-log in again,” Clark said.
A strong, random password, changed often, is an important defense, Clark said. Skip using any known dictionary words and make passwords as many characters as a site will allow, he said. Use a password manager to store, generate and remember the passwords for you, but you will need one “really good master password” to unlock it, he said.
“Take the longest password allowed. Make it random and alphanumeric,” Clark said. “If they know anything about you, they can construct your password.”
The guessing is done by “dictionary attack” programs and computers capable of generating a billion password variations a second to find one that works, Clark said.