Europol warns: public Wi-Fi isn't safe
By Nicole Kobie
Posted on 7 Mar 2014 at 16:33
Public Wi-Fi isn't safe enough for banking and other sensitive online transactions, according to Europol.
The European policing agency is helping authorities in multiple countries deal with an increasing number of attacks that attempt to steal banking passwords and other identifying details over public Wi-Fi networks, Troels Oerting, the head of Europol's cyber crime centre, told the BBC.
"We should teach users that they should not address sensitive information while being on an open insecure Wi-Fi internet," he said. "They should do this from home where they know actually the Wi-Fi and its security; but if you are in a coffee shop somewhere you shouldn't access your bank, or do all of these things that actually transfer very sensitive information."
The policing organisation's warning comes four years after the infamous Firesheep browser extension, which highlighted how easy it was to hijack Wi-Fi sessions by using a packet sniffer.
Kaspersky Lab researcher David Emm noted that such an attack could be run by a person sitting next to you on their laptop - but since the typical Wi-Fi router has a range of 100 metres, they could equally be sitting in a different building or in a nearby car park.
Aside from Firesheep-style sniffing, Oerting warned that hackers are also setting up fake hotspot login sites that allow them to run man-in-the-middle attacks, sitting between you and your bank, for example.
He added that the European Parliament had turned off its public Wi-Fi after uncovering a similar attack using its network.
Indeed, Emm points out that a man-in-the-middle attack "can be used to capture any confidential data you type in, get access to what’s on your device, install malware on the device or even use your device to distribute spam messages on their behalf."
Better late than never
The warning was "better late than never", according to F-Secure analyst Sean Sullivan.
He added that "this has been a concern for years - that's why sensible companies force employees to use VPN connections".
"Does insecurity stop me from using open hotspots? Nope, I use free Wi-Fi all the time," he said. "And I don't plan on changing that particular habit any time soon."
"If you want to use an open Wi-Fi hotspot to search for the latest sports scores - go for it," he added. "But if you want to check your bank balance, read your email, or have a private chat with your friends – get yourself a VPN service."
While that's sensible advice, Kaspersky Lab said a recent survey it conducted revealed that 34% of people took no "special measures" to protect themselves when on a public Wi-Fi network.
Not possible - except for the NSA
My understanding is that the man in the middle attacks weren't possible unless someone can forge the certificate. However, with the recent revelations of the "bugs" in both Apple products and Linux, such attacks are indeed "easy". Thank you NSA for making us vulnerable to such things.
By MJ2010 on 7 Mar 2014
This is one reason why I use a VPN to my home network. That said, it's obviously only an option if you have a good enough connection.
Or is a VPN inadequate these days as well?
By tech3475 on 7 Mar 2014
100 meters range?!
>>but since the typical Wi-Fi router has a range of 100 metres
I would love to own a wifi hub that worked 100 meters away! Which model wifi is this? I work in an IT firm, and I'm sure many of our clients would be interested too.
Possibly you mean 100 *feet*. Or given the performance of some devices, possibly 100 *inches*.
By ANTIcarr0t on 8 Mar 2014
Couldn't agree more. 100m is a router from science fiction!
By sihaz2 on 9 Mar 2014
It is possible to intercept a wifi signal from 8 miles!
By stasi47 on 9 Mar 2014
MJ2010 mate ur a massive noob. SSLStrip is all you need and unless the victim checks for a HTTPS address he will never know.
By JammyGit on 10 Mar 2014
If the network isn't encrypted, don't join it.
By big_D on 10 Mar 2014
Man in the middle attacks on an open Wi-Fi connection are perfectly possible and have been demonstrated many times.
Also with the hacked cert authorities, it wouldn't be impossible to get a "valid" looking certificate to spoof the connection - although the desktop browser makers do a fairly good job of invalidating the certs, once it is known a cert authority has been cracked.
And as Jammy says, unless people know to look, they probably wouldn't even notice a crude MitM attack.
By big_D on 10 Mar 2014