Europol issues public Wi-Fi security warning

Europol has issued a warning about sending sensitive information over public Wi-Fi hotspots

The warning comes in the light of a growing number of cyber attacks using personal information stolen through public Wi-Fi hotspots, Europol’s cyber crime centre head Troels Oerting told the BBC.

Attackers are increasingly using open insecure Wi-Fi to steal personal information including online banking credentials to commit fraud, he said.

Europol, which helps co-ordinate investigations into organised crime across Europe, is helping several EU member states that have seen attacks carried out on Wi-Fi networks.

Typically, attackers set up rogue Wi-Fi hotspots to dupe victims into mistaking them for official public Wi-Fi hotspots and connecting to them.

This means attackers are able to monitor all communications through the rogue Wi-Fi access points and steal data exchanged with banks, retailers and other online service providers.

“Everything that you send through the Wi-Fi is potentially at risk, and this is something that we need to be very concerned about,” said Oerting.

The warning comes just months after the European parliament turned off its public Wi-Fi after it was discovered it was being hijacked to carry out man-in-the-middle attacks.

In such attacks, an intruder intercepts communications between two parties, usually a user and a website. The attacker can use the information accessed to commit identity theft or other types of fraud.

In an experiment conducted in London in November 2013 by security firm First Base Technologies, none of the public participants were aware that hackers could set up rogue wireless access points or evil twins that masquerade as legitimate hotspots to be used for stealing personal information.

They were also surprised to discover that many details were exchanged with their online service provider in clear text and not in an encrypted form.

In another experiment, conducted using the security firm’s own private wireless network and a variety of smartphones, First Base Technologies was able to use easily available smartphone apps to attack other devices on the same network.

One of these apps forced victim devices to use the attacking phone as the gateway to the internet, which meant all traffic was sent through the attacking phone, and in many cases the app was able to strip the encryption from ‘secure’ connections.
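On the defensive side, a device can notice this kind of gateway redirection by watching its own neighbour table. The sketch below is an added example, not code from the article or from First Base Technologies; it assumes the redirection shows up as the gateway's IP address resolving to a different hardware (MAC) address, as happens with forged ARP replies, a mechanism the article does not name. The two snapshots are constructed sample data in the format printed by the Linux `ip neigh` command.

```python
import re

# Constructed sample data: neighbour-table snapshots in `ip neigh` format,
# taken before and after another device starts claiming to be the gateway.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:00:00:17 STALE
"""
AFTER = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:17 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:00:00:17 REACHABLE
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+) dev \S+ lladdr ([0-9a-f:]{17})\b", re.I)


def parse_neighbours(text):
    """Return {ip: mac} for every resolved entry in an `ip neigh` listing."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            table[match.group(1)] = match.group(2).lower()
    return table


def gateway_alerts(before, after, gateway_ip):
    """Compare two {ip: mac} tables and describe suspicious gateway changes."""
    alerts = []
    old_mac, new_mac = before.get(gateway_ip), after.get(gateway_ip)
    # Signal 1: the gateway IP now resolves to a different hardware address.
    if old_mac and new_mac and old_mac != new_mac:
        alerts.append(f"gateway {gateway_ip} moved from {old_mac} to {new_mac}")
    # Signal 2: another host on the network uses the same address as the gateway.
    if new_mac:
        sharers = sorted(ip for ip, mac in after.items()
                         if mac == new_mac and ip != gateway_ip)
        if sharers:
            alerts.append(f"gateway MAC {new_mac} also used by {', '.join(sharers)}")
    return alerts


if __name__ == "__main__":
    for alert in gateway_alerts(parse_neighbours(BEFORE),
                                parse_neighbours(AFTER), "192.168.1.1"):
        print("ALERT:", alert)
```

A changed gateway address is a prompt to stop sending sensitive data and investigate, not proof of an attack: replaced or failover routers change it too.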

When it comes to improving security around the use of mobile data connections for business communications, education is extremely important, said Peter Wood, chief executive at First Base Technologies.

“I am a strong believer in colleagues, employees and managers as intelligent people who can fulfil the role of human firewall,” he said.

Failure to involve people in maintaining security and relying on technical controls alone is risky, said Wood, because people will always go around controls if they do not fully understand the consequences.

“In most organisations there needs to be a greater understanding of the threats and risks, starting at the top, but the C-suite are almost always setting a bad example,” he said.

Providers of public Wi-Fi hotspots also have a role to play, said Wood, by ensuring they deploy technologies that can make their facilities 200 times more secure, which could be used as a selling point.

According to a recent Kaspersky Lab survey, 34% of people using a PC admitted to taking no special measures to protect their online activity when using a Wi-Fi hotspot, while only 13% take the time to actively check the encryption standard of any access point before they use it.

“What is encouraging from our survey is the fact only 14% were comfortable banking or shopping online when connected to an untrusted Wi-Fi hotspot,” said David Emm, senior security researcher at Kaspersky Lab.

“Taking charge yourself greatly reduces the window of opportunity for cybercriminals to profit from any lax Internet security,” he said.

Emm recommends that to reduce the risk of attack when using public Wi-Fi, all users should:

  • Use only trusted and secure Wi-Fi networks when doing anything confidential that involves typing a username and password, or transmitting confidential data.
  • Make sure, before signing in to any website, that it is secure by looking for ‘https’ in the URL and the unbroken padlock symbol as well as checking the security certificate.
  • Secure the computer used to access public Wi-Fi with a reputable Internet security product.
  • Protect all devices, including laptops, tablets, and smartphones.


Join the conversation


I use this to collect user data around the city where I stay, providing people with an AP with no password. People are stupid, trust me, they are really stupid...


With the head of Europol’s cybercrime centre highlighting the data risks of Public Wi-Fi networks, urging users to only send personal information over networks they trust, the wide-ranging debate on Public networks has been reignited.

Together with the stark warning from the Europol head, a recent test of Public Wi-Fi found that, although hugely useful in areas where there are ample hotspots on offer, in comparison to mobile broadband, Public Wi-Fi coverage and reliability didn’t really come close.

Combined, this recent coverage on Public Wi-Fi poses the question whether these networks need to be considered with caution, not only in terms of their availability, but also considering the security aspect and how to actually monetise them in the longer term and give the user confidence in utilising them.

A public Wi-Fi network that generates no revenue yet costs money to deploy can be seen as a loss leader for, say, a coffee chain, in order to entice a customer, but leads to a disjointed group of hotspots that have varying degrees of access.

Mobile broadband and Public Wi-Fi, whilst great for the consumer who only needs casual access (and invariably has a smartphone that can tether to a laptop), can be seen as a nightmare for the corporate. Security concerns, secure tokens, VPNs and access to specific content all need to be taken into consideration. Giving blanket internet access to the business user over unsecured networks is not only a security concern, it will also go against many corporate standards.

Providing mobile broadband that can be locked down via access lists, IP address and firewall is the best way for corporates to ensure that their staff can operate safely outside the office limits and within their guidelines. Extending the secure corporate LAN to mobile devices such as laptops, tablets and other connected devices, without having to resort to costly dial-in tokens, VPNs and logging into Open Public Wi-Fi hotspots (whilst retaining full control of the type of content that can be accessed), has to be the nirvana.

Mike van Bunnens
Managing Director
Comms365 Limited