This article was published on August 8, 2015

How to stop hackers from stealing your information on public Wi-Fi



You enjoy “free internet” through Wi-Fi hotspots in libraries, coffee shops, bars, and other public places. It seems harmless. Little do you know, a stranger could know your birthplace, the schools you attended, and your recent search history in 20 minutes.

Just a couple of years ago, strangers could log in as you on Facebook if you were on the same Wi-Fi network as them. They’d be able to view and send messages from your account, and even post statuses.

You don’t have to swear off public Wi-Fi for the rest of your life, and it’s not entirely the venue’s fault. Instead, let’s figure out why public Wi-Fi is so attractive to hackers and explore how they steal your information. We’ll share a simple solution that protects you from the vast majority of hackers’ strategies and tactics.

Public Wi-Fi security: how hackers steal your data


Most public connections are either unsecured or have shared passwords. Public Wi-Fi makes for an easy target for hackers.


Hackers want to sit between you and the websites you visit in order to look at your information. They do this with little effort on public Wi-Fi. Besides the lack of security, all sorts of different people might share their sensitive information through public Wi-Fi.

In comparison, let’s say a hacker eavesdropped on someone’s residential Wi-Fi. The hacker would only see sensitive information from one or two people before they needed to hack another house.

The Man In the Middle

Most hackers strike with a man in the middle (MITM) attack. Simply put, they watch or tweak your data in transit.

In a MITM attack, the hacker sees the information going to and from your computer. They intercept, and alter, the communication between you and the website. (Think that sounds scary? Just wait till your appliances connect to the internet.)

The Evil Twin

The “evil twin” is a variation of MITM attacks. With this attack, hackers set up rogue Wi-Fi hotspots. You might connect to a harmless looking hotspot, like one entitled, “Free Public Wi-Fi”. You figure that maybe someone was being generous.

Little do you know, you might have fallen right into a hacker’s trap. Once you’re connected, hackers can see any data you send and collect through this internet connection.


Devious hackers can set up a legitimate-looking Wi-Fi connection. For example, hackers can broadcast a network name that’s the name of a coffee shop or library. Unsuspecting victims will connect to the evil twin. Unfortunately, their computer will still appear to be connected to the legitimate hub.

Some hacker techniques are advanced enough to lure your computer into automatically connecting to their Wi-Fi connection. They do this by broadcasting fake certificates and credentials that match routers you’ve connected to in the past.

The Packet Sniffer

MITM and evil twins aren’t the only strategies for hackers. They use software called packet sniffers to collect victims’ data. A packet sniffer captures all packets of data that pass through a network interface (e.g., the network interface card in your computer).

Network or system administrators can use packet sniffing to monitor and troubleshoot network traffic. Unfortunately, when hackers use packet sniffing, they eavesdrop on network traffic. They listen in on the information you send through the public Wi-Fi connection and use it for their own interests.

It’s actually pretty easy for hackers to pull off these attacks. Here’s how you can protect yourself from hackers snooping on your sensitive information:

How to protect your data from hackers

Some public Wi-Fi connections (like Starbucks) force you to log in after you’ve connected. That means it’s safe, right?

Actually, these authentication screens have nothing to do with security. Rather, it’s about the provider trying to identify you (and potentially charge you in cases with paid Wi-Fi). Here are some tactics to defend yourself from hackers’ attacks.

Two-Factor Authentication for Passwords

TechRepublic suggests combining two-factor authentication and VPNs to keep sensitive business information secure. This layer of defense is also useful with your personal information. VPNs make it difficult for hackers to read your password.

Play safe with another layer of defense. Turn on two-factor authentication for all your web services (e.g., email, social networks, etc.). This simply means that when you try to log in to a website, the website will text message your phone with a code that you’ll enter into the site in addition to your password.

Even if a hacker has your password, they won’t have your phone, which makes it much more difficult for them to log in to your account.


Constant Vigilance

It might seem obvious to some, but you have to err on the side of caution when browsing the internet. Never let your curiosity get the best of you. In your browser, block cookies and remove tracking. Avoid unsafe or untrusted software (especially if it’s free or sounds too good to be true), and avoid dodgy links in your inbox, or on your social media feeds.

Tether Your Internet Connection

If you have a remarkable data plan, you can tether off your mobile device or phone. Since this is a private connection, it’ll be much more difficult, and less rewarding, for a hacker to break into.

Of course, this can be a bit pricey depending on where you live. It might also tax your phone’s battery, so use with your own power supply.

Encrypt Yourself

When you’re using public Wi-Fi, your computer or mobile phone sends data to the router as radio waves.

You can defend yourself by encrypting your radio waves. Encrypting your data makes it almost impossible for peering eyes to see your data.


Sites that use HTTPS technology encrypt your connection. Websites like Facebook, Paypal, and Google secure your connection with HTTPS (not HTTP). Man-in-the-middle attacks occur significantly less often on these connections. (Here’s an in-depth technical explanation on StackExchange.)

Many websites still use HTTP, which makes it likelier for a MITM attack to take place. Let’s say that, hypothetically, https://www.facebook.com doesn’t connect through HTTPS. A hacker might redirect a victim to the hacker’s page, disguised to look like Facebook. They’ll collect sensitive information in this MITM attack.

As an aside, I know that might sound like fear mongering, but someone duped the public and faked a Bloomberg report, and Twitter spiked share prices. If they’re capable of that, a hacker can definitely make a page that looks like Facebook.

Something similar to this actually happened with Facebook in 2010 (back when parts of the site still used HTTP). Developer Eric Butler discovered he could log in as other people who were sharing a Wi-Fi connection with him. He even created a Firefox extension called Firesheep to show people how they could do the same.
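A site operator can check for the weakness described above from the server's own responses. The following is an added example, not code from this article or from Firesheep: it audits constructed sample responses for pages served over plain HTTP, a missing HSTS header, and session cookies set without the Secure flag. The host `social.example`, the cookie name and the function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured traffic); social.example is a placeholder.
LEGACY = [
    ("https://social.example/login", [("Set-Cookie", "session_id=abc123; Path=/")]),
    ("http://social.example/feed", [("Content-Type", "text/html")]),
]
HARDENED = [
    ("https://social.example/login", [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ]),
    ("https://social.example/feed", [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]),
]

def audit_response(url, headers):
    """Return (code, detail) findings for one response's URL and header list."""
    findings = []
    is_https = url.lower().startswith("https://")
    if not is_https:
        # Everything on this page, including cookies the browser attaches, travels in clear.
        findings.append(("plain-http", url))
    header_names = {name.lower() for name, _ in headers}
    if is_https and "strict-transport-security" not in header_names:
        # Without HSTS the browser may still follow an http:// link to this host.
        findings.append(("no-hsts", url))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                # The browser will also send this cookie over HTTP, where it can be read.
                findings.append(("cookie-not-secure", cookie_name))
    return findings

def audit_session(responses):
    """Audit every response in a browsing session and flatten the findings."""
    return [f for url, headers in responses for f in audit_response(url, headers)]

if __name__ == "__main__":
    for label, session in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, audit_session(session))
```

The legacy session mirrors the mixed HTTP/HTTPS setup the paragraph describes: login is encrypted, but the session cookie is then sent on an unencrypted page.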

On a desktop or laptop computer, and in Chrome on Android and Safari for iOS devices, you can verify a site is HTTPS secured with the green badge next to the URL. It’s more difficult to tell which apps are also encrypted (there was a scare just two years ago), although Apple is pushing developers to use HTTPS by default.

Just last year, a paper to be published in Proceedings of the 23rd USENIX Security Symposium showed that the Gmail app could be hacked 92 percent of the time, a Chase app 83 percent of the time, and the Amazon app 48 percent of the time. (The study examined Android apps.)

Because this connection happens inside the app, it’s hard to tell whether it’s secure. Even if an app uses HTTPS, there’s no guarantee that it’s done properly. For example, apps could be set to accept any certificate, and thus be susceptible to MITM attacks.

Unfortunately, many websites and services don’t use HTTPS technology yet. Here’s how you can encrypt your connection for all these other sites.

Encrypt Your Connection with A VPN

Virtual Private Network (VPN) services act as a middleman between your computer and the rest of the Internet. In the process of connecting, VPNs encrypt your data. If you connect to public Wi-Fi and suffer a MITM attack, hackers would have to spend time and energy decoding your data because of the VPN’s encryption.


VPNs are resilient against packet sniffing as well. VPNs encrypt your packets so that a hacker can’t read them. With a VPN, your computer sends packets to the VPN’s server before moving towards the destination. The VPN encrypts each packet, so no hacker can read them between the VPN server and the website you’re visiting.

If your computer is already compromised, a VPN won’t protect you from hackers. For example, if there’s already spyware on your computer, hackers can read the data before a VPN has a chance to encrypt it. You can protect yourself from this with antivirus and firewall software.

Public Wi-Fi is a Cesspool

Today, it’s almost impossible not to use public Wi-Fi.

Go in knowing the potential consequences. Don’t buy stuff with your credit card on public Wi-Fi. Share less sensitive information on public Wi-Fi. Make sure you’re protected with antivirus and encryption. Use two-factor authentication and HTTPS sites when possible.

You might know how unsettling it can be for a stranger to have your information. These precautions seem excessive, but you won’t be laughing when someone has access to your life’s most sensitive information on their computer.

Top image credit: Picjumbo


Arthur Baxter is an Operations Network Analyst at ExpressVPN, a VPN provider offering over 97 different servers in 78 countries.
