How To Avoid Data Theft When Using Public Wi-Fi
3/04/2014 @ 12:30 pm
Each week seems to bring news of yet another security breach that puts our personal information into the hands of hackers. The username and password theft here at Forbes.com, the hack of Kickstarter users’ contact info, and of course, the massive data breach at Target are just a few examples highlighting the ongoing battle for data security. But the recent emphasis on data theft from websites and retailers makes it all too easy to lose sight of an even more prevalent security and privacy disaster: the public Wi-Fi networks that we eagerly seek out in coffee shops, hotel rooms and airports.
Free Wi-Fi would seem to have little downside. Business owners know that few amenities are as valued as free Internet access and available outlets. Wireless routers are inexpensive, require minimal setup, and can cover wide physical areas. Unfortunately, these very properties also make them enticing targets for hackers. Dozens of users browsing, emailing, and chatting on a single network, whose password is displayed on the counter next to the biscotti, is about as tempting a target as there is. And make no mistake. It takes zero hacking skills to surreptitiously monitor and/or hijack communications over a public Wi-Fi network. Widely available freeware makes eavesdropping on emails and web browsing as simple as pressing a button.
Wi-Fi hotspots are surprisingly easy targets for hackers looking to steal your data. Photo Credit: Adam Pantozzi/Times Alliance
“The proliferation of public Wi-Fi is one of the biggest threats to consumer data,” says David Kennedy, founder of information security firm TrustedSec. “A hacker can monitor the network traffic of an entire store with an iPad-sized device hidden away in his backpack.” The issue isn’t just that the networks are so easy to attack. With little public awareness that the threat even exists, users routinely expose valuable personal data over Wi-Fi hotspots, making the networks an even more attractive target.
Security experts point to a number of options that hackers can use to gain access to personal information. But they all stem from the fact that the public network is, well, public. “The fact that anyone can join the network is what makes it so unsafe,” cautions Matthew Green, an assistant professor at Johns Hopkins’ Information Security Institute. “A password login to join the network might feel reassuring,” he adds, “but if everybody knows the password, that’s no better than not having one at all.” A hacker’s first task is simply getting on the same network that you’re using. Whether the network password is doled out by the barista at the counter or printed in your hotel room’s welcome packet, once it is public, your security is automatically compromised.
All is not lost, though. Here are four simple steps you can take to keep prying eyes away.
Verify the network name
One extremely common attack involves a hacker setting up a public Wi-Fi hotspot of their own at your favorite Wi-Fi watering hole. It will likely have a name very similar to the hotspot the legitimate business is offering. This attack is effective because the nefarious hotspot actually works, allowing you to browse the web as you normally would. The problem is that all of your emails, site logins and social media activity are being routed through the hacker’s network, where they can be monitored and collected. Before connecting to any hotspot, ask an employee for the shop’s full network name and carefully check that it matches the one you see in your Wi-Fi menu.
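The name check described above can also be done mechanically. This added example (not from the original article) compares the network name an employee gives you with the names seen in a scan and flags near-matches; the SSIDs, the substitution table and the distance threshold are constructed for illustration.

```python
import unicodedata

# Characters often swapped to make one name resemble another
# (constructed for this example, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "I": "l", "5": "s",
                            "_": "", "-": "", " ": ""})

def skeleton(ssid: str) -> str:
    """Reduce an SSID to a comparison form: fold Unicode, map look-alikes, lowercase."""
    folded = unicodedata.normalize("NFKC", ssid)
    return folded.translate(CONFUSABLE).casefold()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(expected: str, seen: str, max_distance: int = 2) -> str:
    """Label a scanned SSID relative to the name the staff confirmed."""
    if seen == expected:
        # The spelling agrees; a name alone does not prove who runs the access point.
        return "match"
    a, b = skeleton(expected), skeleton(seen)
    if a == b or a in b or edit_distance(a, b) <= max_distance:
        return "lookalike"
    return "unrelated"

def review_scan(expected: str, scan: list[str]) -> dict[str, str]:
    """Classify every SSID in a scan result."""
    return {ssid: classify(expected, ssid) for ssid in scan}

# Constructed scan result for a shop whose staff say the network is "CoffeeHouse_Guest".
SAMPLE_SCAN = ["CoffeeHouse_Guest", "C0ffeeHouse_Guest", "CoffeeHouse Guest",
               "CoffeeHouse_Guest_FREE", "CofeeHouse-Guest", "HomeNet-5G"]

if __name__ == "__main__":
    for ssid, verdict in review_scan("CoffeeHouse_Guest", SAMPLE_SCAN).items():
        print(f"{verdict:10} {ssid}")
```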
Look for “https” in the URL bar
Encrypting the communication between your computer and any site you visit can go a long way towards maintaining privacy and security. Fortunately, the most widely implemented form of encryption involves nothing more on your end than taking a careful look at your browser’s URL bar. A site address beginning with “https” – it’s the “s” that’s crucial – indicates that SSL encryption is active. Your browser will also display a padlock icon in the address bar to indicate an SSL connection is active. With SSL encryption, the information you send and receive appears garbled to prying eyes, so that even if your communication is intercepted, it’s unreadable. The SSL protocol is one that websites implement on their back-end and it has long been standard practice for financial institutions and communication sites like Gmail, Facebook, and Twitter. Certainly any online shopping site you visit should have SSL enabled when you reach a login page, view your account information, or enter payment details.
A crucial part of SSL’s effectiveness lies in the fact that before the encryption process is even begun, the website actually verifies its identity to your browser. If your browser cannot verify that the site is actually what it claims to be, you’ll get a pop-up window alerting you to an “untrusted” security certificate. While there can be benign reasons behind an SSL verification warning, Kennedy advises that when using public Wi-Fi, “If you see this warning, do not visit the site. Period.”
Use a VPN service
If you’d like to ensure that all of your browsing traffic is encrypted, no matter what sites you visit or mobile apps you use, consider signing up for a VPN (virtual private network) service. A VPN service adds a physical barrier between you and the web by routing all of your communications, in an encrypted format, through a physical server controlled by the VPN company. It is only after your encrypted communication passes through the VPN server that it reaches the web. Someone snooping on traffic over the Wi-Fi network will just see garbled data passing between your computer or device and this secondary VPN server. Because the interaction with the web is actually happening through a middleman – the VPN server – a measure of user anonymity is provided as well. Two reliable and low-cost VPN services that I use regularly are Private Internet Access and TunnelBear. Both can be used with desktop computers as well as Android and iOS devices, with monthly subscriptions available for less than $7 and prepaid annual plans offered at a discounted rate.
Keep your software up to date
Data security is an arms race, and to keep your defenses up, it is crucial that you’re running the latest updates for your operating system and web browser. This point was emphasized just last month, as Apple was forced to issue updates to its iOS and OS X users to fix a bug that compromised SSL encryption.
There’s no magic bullet for data security. While site owners and retailers must clearly step up their game in protecting our privacy, we also need to do our part in eliminating at least the low-hanging fruit for hackers. Fortunately, with just a little awareness, and these simple steps, you can protect your data and still enjoy the convenience of public Wi-Fi.