Unless you protect yourself, the next time you're logging onto the internet in a public place, you could be the target of a hacker. Jenny Southan explains why
If you are not deeply paranoid about people hacking into your "highly classified s***", and you don't think you are the subject of a secret government conspiracy that wants to read all your private messages and emails, then you probably should.
Trust me, there are people out there who want to steal your identity, find out about your confidential business dealings, or at the very least, scrape your credit card details. It's like the Wild West out there in cyberspace, so unless you protect yourself, the next time you're logging onto the internet in a public place, you could be the target of an attack.
In the feature I wrote about e-privacy last summer (subscribers can read it here), I confronted the issue of how much personal data we are both involuntarily – and voluntarily – giving away online, and whether the payback is worth it.
Brad Pitt in Burn After Reading: Deeply paranoid about people hacking into his "highly classified s***" (© Focus Features)
Jane Frost, chief executive of the Market Research Society, says: "Up until very recently, everyone assumed data was discrete – but data algorithms can actually put these things together and start to understand to an individual level the person whose data it is."
The problem I want to deal with here is free public wifi – whenever I come across a hotspot, especially one that doesn't require a password, I tend to be filled with joy, and immediately whip out my iPhone and laptop and tablet and anything else that is internet-enabled and begin surfing, simultaneously tweeting on one, while emailing or What'sApping on the others.
Yes, I'm a digital junkie. I freely admit it. But I'd hazard a guess that you probably are too.
IN THE HOT SEAT
While this all sounds well and good, the reality is, if you are using public wifi, even if it is password-protected and/or you have paid for it, you are leaving yourself wide open to hackers.
Kent Lawson, president and CEO of Private Wifi, explains: "Wifi signals are just radio waves – all you need is a receiver turned to the right frequency and you can listen in to them. And any ordinary laptop can be a receiver, with just the addition of some simple software downloaded from the web."
What's the difference between public wifi and private wifi at home or in the office?
Lawson says: "Most home and office wifi is pretty much automatically set up using WPA or WPA/2 security. If you have configured it properly and set up a password, those signals are encrypted so even if someone does listen in, it doesn't make any difference because they can't make head nor tail of it.
"But in all public wifi hotspots, public wifi is just that – it's public – and anything that you transmit can be heard by somebody else.
"Most public wifi hotspots have no passwords at all. Some hotspots do have passwords, but those passwords are generally there simply to limit access to those authorised. So, even though a password is required, most are not encrypted at all."
He adds: "It is possible to have a home or office wifi without a password and, therefore, without any encryption. In fact, the last stats that I have seen say that around 25 per cent of home wifi has no password or encryption.
"Some people think they are doing others a favour by leaving their wifi open. However, this can get you into major problems as some people have been known to download child porn, for example, using a neighbour's wifi."
DANTE'S INFERNO
For business travellers who rely on wifi access to perform their jobs while on the road, understanding the risks they could be exposing themselves to is imperative. As Lawson says, it can happen anywhere – even when you have logged on to a password-protected connection in a business class lounge.
He says: “Think of someone sitting in an airport where his or her competitor is listening to what he or she is sending. Think about someone who is sitting in the cheapest seats in economy – you can listen to anyone on the plane through the onboard wifi including the business guys sitting in the front in first class that are sending their spreadsheets around. The hacker doesn’t even need to be paying for the wifi to get to them.
"Think about someone in a hotel room who has stripped down to their underwear and got out their laptop and started emailing. You are in your hotel room so you think you are secure but anyone on that floor can listen in.
"You are very vulnerable using hotel wifi. You are not even secure if you are paying US$12.95 for it and you have used a password – that is used to control access not to encrypt it."
How do the bad guys infiltrate your connection? The first way you can be hacked is through "sniffing".
Lawson says: "If you are sitting in a coffee shop or on a plane, there is an antennae that is broadcasting internet signals to everybody that is using that hotspot." Every laptop has a wifi receiver built in but, as Lawson explains, "with the addition of simple software, a computer can change into 'promiscuous mode', and listen to all of the signals that are being broadcast in that particular hotspot and can record them for future use".
He adds: "It's called sniffing because you are sniffing the signals."
The second way you can be hacked is through "rogue hotspots".
"This is commonly done in airports," Lawson says. "It's infamous in the US that there are sites around that are called things like 'Free O-Hare Wifi', which someone has set up as a rogue hotspot with a name that sounds trustworthy to people, so they connect to it but then everything they transmit or receive can be stored." This is also known as a "Man in the Middle" attack.
Watch this video to see a hotspot hacking demo on ABC7 Eyewitness News by PrivateWifi
But what can the hacker actually get access to?
Lawson says: "If the signals aren't encrypted you get everything – whether that is images they are downloading, spreadsheets or emails they are sending or sites they are visiting. It's the ultimate stealthy crime because there is no way to know it is going on.
"We have anecdotal evidence of people who have used their credit card in the air and by the time they have got off the plane, their data has been sent out into the world. The only way you can tell is you are on wifi and, shortly after, your identity has been stolen."
FIGHTING FIRE WITH FIRE
How can you protect yourself? A basic way is through HTTPS (hypertext transfer protocol secure), a way of browsing more safely online.
Normally, if you look at the top of your address bar, the URL will begin with http://, which means your website connection is unencrypted, but if you notice it says https:// (Facebook is a good example, or PayPal), it will be partially encrypted, thus offering you a layer of security against eavesdropping.
All you have to do is make sure "secure browsing" is turned on, but you will have to do it manually for each site by going into its settings. (Click here for more information).
Lawson says: "HTTPS is the best that the industry can provide; however, there are several things that are wrong with it.
"First, how many of us are going to be looking up into the URL bar to see if the lock is there [a grey or green padlock tends to show if the site is secure and the connection encrypted]. It's not something normal people will do reliably. Secondly, it relies on certificates, which anybody can fake.”
Watch this video to learn more:
Lawson says: "HTTPS is a little bit like your email provider that has some anti-virus and spam filters but you would certainly not rely on your internet service provider for your anti-virus, firewall and spam filter.
"It is my opinion that it is the user's responsibility to protect themselves in wifi hotspots, full stop. Ultimately, everyone has to do this for themselves."
How do you go about it? According to Lawson, everyone needs to install a personal VPN (virtual private network).
He says: "The only way to protect yourself is to encrypt your signal just as you would at home. The technology that allows you to do that is called a VPN. A VPN is some simple software that is downloaded on to your device, whether that is a PC, a Mac, a phone or a tablet, and that software does the encryption and decryption. This provides ‘bank level security’ and nobody can crack into it – even the NSA.
"The people who need this stuff are consumers, because they are at risk of general privacy and credit card loss and identity theft, which in the US is the number one consumer-related complaint to the Federal Trade Commission, and has been for several years.
"Professionals have issues with confidential client information – in California, for example, the attorneys are prohibited by their bar association from using public wifi unless they use a VPN, and also small and medium-size businesses. Many large companies provide VPNs for their people who travel but SMEs that don't have an IT department to maintain a VPN probably won't."
FOR YOUR EYES ONLY
This is where companies like Lawson's Private Wifi come in. (There are lots of others too, and you can read about them here).
How does it work? According to privatewifi.com: "Private Wifi is a Virtual Private Network (VPN) using 128-bit encryption, the same technology used by your bank or your credit card company. But we use it to secure everything you send and receive – web traffic, emails, and IMs.
"Private Wifi works by creating an encrypted 'tunnel' between your device and a secure server in another location. All of your data travels through the tunnel at high speed, invisible to anyone else who might be looking. By rerouting your data through an encrypted server in another location, you stay anonymous. No government, advertiser, website, malware or hacker can track you.
"Private Wifi runs invisibly in the background while you browse the web or write an email. The software installs in minutes. Once installed and activated, it creates a secure connection in seconds.
"It works just like the anti-virus or firewall software you probably already have, only better. Every time you connect to the internet, our patent-pending software detects if the network is secure. If the network is not secure, Private Wifi automatically activates itself, encrypting your connection. It works anywhere, even on the wired networks in many hotel rooms."
Sounds pretty awesome. But how much does it cost? Private Wifi offers a ten-day free trial. After that, you can pay US$9.99 a month for three devices or US$12.99 for up to five. Alternatively, it costs US$79.99 a year for three, or US$99.99 for five. For many of us, this could be money well spent.
There are also free apps:
Over and out.
Read our contributor biography of Jenny Southan
