Europol has issued a warning about sending sensitive information over public Wi-Fi hotspots.
The warning comes in the light of a growing number of cyber attacks using personal information stolen through public Wi-Fi hotspots, Europol’s cyber crime centre head Troels Oerting told the BBC.
Attackers are increasingly using open, insecure Wi-Fi to steal personal information, including online banking credentials, to commit fraud, he said.
Europol, which helps co-ordinate investigations into organised crime across Europe, is helping several EU member states that have seen attacks carried out on Wi-Fi networks.
Typically, attackers set up rogue Wi-Fi hotspots to dupe victims into mistaking them for official public Wi-Fi hotspots and connecting to them.
This means attackers are able to monitor all communications through the rogue Wi-Fi access points and steal data exchanged with banks, retailers and other online service providers.
“Everything that you send through the Wi-Fi is potentially at risk, and this is something that we need to be very concerned about,” said Oerting.
The warning comes just months after the European parliament turned off its public Wi-Fi after it was discovered it was being hijacked to carry out man-in-the-middle attacks.
In such attacks, an intruder intercepts communications between two parties, usually a user and a website. The attacker can use the information accessed to commit identity theft or other types of fraud.
In an experiment conducted in London in November 2013 by security firm First Base Technologies, none of the public participants were aware that hackers could set up rogue wireless access points or evil twins that masquerade as legitimate hotspots to be used for stealing personal information.
They were also surprised to discover that many details were exchanged with their online service provider in clear text and not in an encrypted form.
In another experiment, conducted using the security firm’s own private wireless network, First Base Technologies was able to use easily available smartphone apps to attack other devices on the same network.
One of these apps forced victim devices to use the attacking phone as the gateway to the internet, which meant all traffic was sent through the attacking phone, and in many cases the app was able to strip the encryption from ‘secure’ connections.
When it comes to improving security around the use of mobile data connections for business communications, education is extremely important, said Peter Wood, chief executive at First Base Technologies.
“I am a strong believer in colleagues, employees and managers as intelligent people who can fulfil the role of human firewall,” he said.
Failing to involve people in maintaining security, and relying on technical controls alone, is risky, said Wood, because people will always go around controls if they do not fully understand the consequences.
“In most organisations there needs to be a greater understanding of the threats and risks, starting at the top, but the C-suite are almost always setting a bad example,” he said.
Providers of public Wi-Fi hotspots also have a role to play, said Wood, by ensuring they deploy technologies that can make their facilities 200 times more secure, which could be used as a selling point.
According to a recent Kaspersky Lab survey, 34% of people using a PC admitted to taking no special measures to protect their online activity when using a Wi-Fi hotspot, while only 13% take the time to actively check the encryption standard of any access point before they use it.
“What is encouraging from our survey is the fact only 14% were comfortable banking or shopping online when connected to an untrusted Wi-Fi hotspot,” said David Emm, senior security researcher at Kaspersky Lab.
“Taking charge yourself greatly reduces the window of opportunity for cybercriminals to profit from any lax Internet security,” he said.
Emm recommends that to reduce the risk of attack when using public Wi-Fi, all users should:
- Use only trusted and secure Wi-Fi networks when doing anything confidential that involves typing a username and password, or transmitting confidential data.
- Make sure, before signing in to any web site, that it is secure by looking for ‘https’ in the URL and the unbroken padlock symbol as well as checking the security certificate.
- Secure the computer used to access public Wi-Fi with a reputable Internet security product.
- Protect all devices, including laptops, tablets, and smartphones.