This isn’t aimed at tech users as such (most will already know this) but at everyone else. Read this before you use public WiFi networks.
If you don’t know who else is using the same wireless network as you, or if the key is publicly and readily available, disconnect right away until you’ve read this.
Starbucks, McDonald’s, Costa, and more!
So … FREE WiFi is everywhere these days. It’s in coffee shops, schools, pubs, shopping centres, city centres, business lounges, airports, and pretty much everywhere else that there’s a congregation of people who are likely going to want to use the internet. Free WiFi is great: it keeps mobile costs down, stops you from eating into your data cap, and it normally gives a better signal than 3G networks in congested places.
However, it can also be a prime hunting ground for having your data stolen by sneaky hackers using technology that is neither secret nor hard to obtain.
The Raspberry Pi is a brilliant piece of tech, but with very little modification (for less than £50 too) you can turn one into a wireless network spoofing device.
Let’s grab a coffee …
So you’ve been to a Starbucks in town. The wireless network is either named “Starbucks”, or your phone is configured to automatically join open or saved wireless networks, so it thinks “ooh, free wifi, I’ll hook up!”.
You’re stood there ordering a coffee, checking your bank balance before you pay while your coffee is being made. Meanwhile, there’s a gentleman sat at a table near the counter with a laptop, probably just doing some business work. Nothing to worry about.
You’re sat there enjoying your caramel latte and get a low balance alert from your bank via SMS. I know Starbucks is expensive, but you had enough for a coffee in there, and surely money to last you the rest of the month, so what the hell has gone on?
It likely happened when you opened up your online banking app, popped in your login, checked your balance and put your phone away. Nobody saw you enter your details, or at least nobody over your shoulder.
This type of attack is known as a man-in-the-middle, or middleman, attack.
Here’s a step-by-step:
- You walk into Starbucks and your phone auto-joins the public wifi
- What you’ve actually joined is the hacker’s network with the same name
- The hacker relays any requests your phone makes to the real wireless network, including false SSL certificates and so on, so the site still looks secure
- The bank’s web server thinks “A secure user wants to log in”
- Your phone thinks “I’ve secured this connection to the web server so I’ll send my login”
- The hacker intercepts the packets and can easily grab your plain-text password, as they’ve been pretending to be the secure website all along
- Bye bye bank details, cash, and more!
OK techs, it’s not that simple; there are lots of things that can go wrong (for example, your bank normally texts you to set up a new recipient), but the target could be anything: PayPal, Facebook, Twitter, email, anything. The point is, you were none the wiser. The bank’s site will have been secure, but security certificates can be spoofed and, without getting too technical, if you’re being middle-manned there’s nothing you can do to detect it.
One Password for All Sites?
The big problem isn’t that they might get into your bank: the second factor you have to enter, that three-digit code, is likely cyclic (it asks for different digits every time), so they might not be able to get back into your bank. However, where else do you use that passcode?
Your email? Facebook? Twitter? LinkedIn? Work? College? Healthcare accounts?
Your phone automatically authenticates with your email servers when it connects to WiFi to check for mail, so your email login will be sent. If someone has access to your email they could reset all of your passwords, access every account you have, and get into everything.
Pretty scary, right? It should be! We heard at IP Expo last week of a reporter whose house hackers had managed to get into via a very simple slip-up involving a phishing attack.
What can I do?!
Luckily, there are three very simple, and cheap solutions that will protect your accounts, and your connection from “man in the middle attacks”, and one of them will help protect you from the new IP bill in the UK too!
Step 1: Enable Two-Factor Authentication
Two-factor authentication is hard as nails. It requires a secondary code, or verification from a trusted device, to allow access to an account for a new login from somewhere it wasn’t expecting. Basically, you get texted a code when you log into your account from a new device.
Most providers also support the awesome Google Authenticator app, which makes it really simple to enable two-factor and keeps the codes on a single physical mobile device. That matters because if someone gets access to your email, they can normally get into your mobile provider account or iCloud and read your texts.
Bottom line: use the Google Authenticator app; there are loads of tutorials online for all the different services out there. Tweet me if you want me to write a few down for you!
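The code Google Authenticator shows you is a time-based one-time password (TOTP, RFC 6238: HMAC-SHA1, six digits, a new code every 30 seconds). As an added example that is not part of the original post, here is a minimal verifier showing why a code sniffed on a rogue hotspot is worthless a couple of minutes later; the secret is the RFC’s published test key, base32-encoded the way an authenticator app stores it, and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app stores the secret from the enrolment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # Google Authenticator rotates codes every 30 seconds


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 s5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 time-based code: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to tolerate clock drift; anything older is rejected, so a code captured on a
    rogue hotspot stops working within a couple of minutes."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c), code)   # constant-time compare
        for c in range(current - window, current + window + 1)
    )


def replay_demo() -> tuple:
    """The code shown at t=59 is captured and presented again two minutes later."""
    captured = totp(DEMO_SECRET_B32, 59)
    fresh = verify_totp(DEMO_SECRET_B32, captured, 59)
    stale = verify_totp(DEMO_SECRET_B32, captured, 59 + 120)
    return captured, fresh, stale


if __name__ == "__main__":
    code, ok_now, ok_later = replay_demo()
    print(f"code at t=59: {code}, accepted now: {ok_now}, accepted 2 min later: {ok_later}")
```

The expected values come straight from the RFC test vectors, so you can compare the output against the standard rather than trusting the snippet.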
Step 2: Get a VPN
A VPN creates a secure tunnel through the WiFi network you’re currently using and connects to the internet through a point somewhere else in the world, basically insulating you from the network you’re currently on.
The best one I’ve seen out there, and it’s very cheap, is this one: https://www.privateinternetaccess.com
It’s very simple to set up, they have apps for all devices, and switching it on and off is as simple as tapping a button. It’s about $40 per year, or about £35, and this kind of protection is well worth its weight in gold.
Step 3: Use a Password Manager
You’d think this one would be stupid, as having all your passwords in the same place for a hacker to take their pick from sounds ridiculous. However, if you use something like LastPass teamed up with two-factor authentication, then you should be totally laughing.
The idea is to use the password manager to generate rock-solid passwords for each new account you create (or existing ones), and then store them in your password manager. This way, even if you do get phished, you’ll never give away your master password, and each service is insulated from the others.
There should be no way that anyone could get into your LastPass, so set up a really secure password (you’ll only log in once per device) that you’ve not used anywhere, ever, before … then set up two-factor authentication. Job done.
It’ll take half an hour, but it’ll keep you safe …
It’s worth every minute and penny that you’ll spend. Two-factor and password management not only protect you from “man in the middle” attacks, but they cover you for phishing scams in email too, where someone pretends to be “Apple” and gets you to “reset your password” (something else to watch out for). If someone tries to log in and doesn’t have your mobile device, they’ll get nowhere. If they do get to log in, they won’t get into other sites, as all your passwords will be different and even harder to crack.
The weakness isn’t always a technical one: social-engineering attacks such as phishing are prime time, and they’re getting ever more commonplace as technical attacks become harder and harder to carry out, thanks to simple technologies like the ones we’ve covered today.
To find out if your password has already been leaked, check out: https://haveibeenpwned.com/
It’s a jungle out there folks, stay safe, be vigilant, and get a VPN 😉