Truth 28 Wireless access scams
You have just checked into a hotel while on a business trip. After getting settled, you decide to use the hotel’s wireless access to check your email and maybe get a little work done. You open your Web browser, and instead of connecting to your familiar home page, it instead connects to a Web page supplied by the hotel. The hotel offers Internet access for $12.99 per day. Since you plan to only be online for an hour or two, this seems pretty ridiculous. You click on your wireless icon again to see if you can locate another wireless network you can use. You scroll down the list and see an unsecured access point named “WiFly.” You select it, and within a few seconds you are connected.
You open a new Web browser and once again you are redirected to a different Web page. This time the page displays a message from the company WiFly, which also charges for access, though the cost is only $1.99 per day. You fill out the online form with your name, credit card type, credit card number, expiration date, and the 3-digit security code on the back of the card. Once approved, you are redirected to a WiFly home page confirming your connection.
You now attempt to connect to your Web mail site. As the page starts to load, a security warning pops up explaining that there is a problem with the site’s security certificate and asks if you would like to proceed. Thinking maybe you mistyped the address, you select No, close your browser, reopen the browser, and try to reconnect to your Web mail page. Once again, the same message pops up. This time, you select Yes to continue. The correct page comes up, and everything looks normal. In addition, the lock icon in your task tray is locked, indicating that the page is encrypted. You also note that the site address begins with https:, indicating that you are on a secured site. Once you have verified that your connection is secure, you log in into your mail account with your username and password. Sure enough, everything works great, and you read all your new emails. When you are done, you log out. You continue to browse for another hour or two, and every once in a while that same security certificate message pops up, but by now you have realized there is just something wrong with your connection, so you just ignore those, selecting Yes each time.
Unfortunately, when your credit card statement arrives, you find that thousands of dollars in fraudulent charges have been racked up on your card.
It turns out that the company, WiFly, didn’t really exist. The connection that was made via wireless really went to a wireless device that had been set up in another room located somewhere in the hotel. When you entered your credit card information, you actually submitted it to an identity thief who was sitting nearby recording it. The identity thief then just passed the connection to the Internet back through his own computer in what is known as a man-in-the-middle design. This means that everything you, the victim, did was actually passing through the identity thief’s computer and then through to the Internet.
Remember that security warning that kept popping up? That was because all your Web traffic was actually being redirected first to the identity thief’s computer, decrypted, logged, and then reencrypted and passed on to its final destination. That warning was real, and the only thing that could protect you from falling victim. Once you chose to continue, you chose to ignore the warning and put your information at risk.
I performed tests with this type of attack in airports, hotels, coffee shops, and book stores. In most cases, I offered the service for a small fee. I was able to easily gather credit card and other personal information. During some of these tests, I would ask for social security numbers (SSN) as well. I was amazed at the success I had. While gathering the credit cards proved that identity thieves could be successful with this type of attack, obtaining the SSNs proved this attack could be even more dangerous.
Had I been a real identity thief, this information would have been used for numerous attacks.
In addition, I had the ability to gather login credentials for email and online banking accounts, chat programs, online business applications, and various other online services. Had I been a real identity thief, this information would have been used for numerous attacks.
Because this type of attack can happen anywhere that you connect via a wireless connection, it is extremely important that you follow a few simple guidelines.
If you have a choice between using wireless and plugging into an actual wire, choose the wire. You should be able to assume the wire is plugged into the hotel’s network, so you know for certain you are using its connection. While this is far more secure, this connection does not guarantee 100% privacy. Note: Other risks come into play if you choose to use the hotel business center. See Truth 25.
Choose to connect to the service offered by the establishment you are visiting. If you are at a hotel, use the service it advertises in the room. Attempting to save a buck by using a different service provider may end up costing you more in the long run.
If you are required to use a credit card to purchase service, try to use a card that has a low credit limit and, more importantly, never user your bank debit card. Because a bank debit card draws directly from your bank account, if this number is stolen, your cash can be drained quickly and could take a while before you are able to have it reimbursed. With a credit card, however, you are not required to pay any bogus charges while they are being investigated.
If you receive a security warning that indicates the security certificate has an issue of any kind, do not continue. I cannot stress this enough. A legitimate Web site should never have an invalid security certificate. When in doubt, contact the company via phone and explain what is happening. If you select to continue, you will not receive any additional warnings while at that Web site, and you may be putting your confidential information at risk.
A free wireless access point can be just as dangerous as a pay service. While you may not have given credit card information, you may still be at risk of your connection being monitored and your personal information being stolen.