You may want to think twice before logging into a public wireless hotspot. Sure, grabbing a few minutes of connectivity is convenient, but identity thieves are discovering that, through “evil twin” attacks, hotspots are a great way to steal unsuspecting users’ private information.
So how does an evil twin attack work? Let’s say that I’m a hacker. I set up my computer to transmit a signal that turns my PC into an access point, or Wi-Fi hotspot. I’ll even give it a legitimate-sounding name, like T-Mobile Hotspot, to fool unsuspecting surfers.
Next, I put my laptop in a backpack and read a newspaper while sipping some java at the local coffee shop. All I have to do is wait for you to connect. (And if I’m looking to steal from you, I’ll require you to enter a credit card number to get access, just like T-Mobile USA Inc. does — then I’ll have your credit card information.) While you surf the Web, my computer redirects you to Web pages I have created that happen to look like the ones you visit on a daily basis.
In fact, the only difference between the Citibank page you visit every day and the one I have made is that my page is unencrypted. I can log all of the information you input into various Web forms, and when you check your e-mail, I can read it along with you.
Why it works so well
“The only way to tell the difference between (a) legitimate and non-legitimate (access point) is intent,” says Jeffrey Schiller, network manager and security architect at the Massachusetts Institute of Technology. “The fundamental problem is when you are in a public place there is no way to discriminate.”
Schiller offers an example of how easy it could be to fall victim to an evil twin attack. While at the airport during a recent trip to New York, he says, he turned his laptop into an access point. His intention was to get access to the Internet, but as soon as he created the hotspot, Schiller noticed that three people had begun using his computer as an access point.
“I probably could have seen their e-mail” and been able to track their movements on the Web, he says.
Don’t let your browser make you feel safe
According to Schiller, there are several measures already in place by most Web browsers to warn about unencrypted Web pages. However, he says, each of them has various security flaws.
Pop-up warnings: Web browsers often use a pop-up dialog box to indicate that information being sent is not encrypted. The problem with this, Schiller says, is that these boxes offer the option to “never show this again.” If you have clicked this box just once, you will no longer be warned if you are sending information through unencrypted channels.
The lock icon: Most Web browsers display a small lock icon to indicate an officially regulated, encrypted Web page. The problem with these, Schiller says, is that you must be diligent about looking for them every time you log on to a new page. Additionally, if a hacker changes even one letter in the domain name you are familiar with (an example Schiller offers is replacing the lowercase L in lehman.com with a one, 1ehman.com), they can then register that domain name. When you are redirected to that page it will display the lock icon, and you may never notice the changed domain name. Why would an illegitimate site be able to display this lock icon? Because, Schiller says, the public certifying authority that gives out digital signatures to legitimate sites can be fooled into giving digital signatures to illegitimate sites.
HTTPs and unfamiliar links: According to Schiller, most banks advertise the unencrypted version of their Web pages (https indicates a secure version; http, however, is easier to remember). When you log on to that page and click to enter the encrypted version, you can be redirected to a page with a domain name that is unrelated to the bank’s home page. If you do not recognize the name, it is difficult to know if you have been redirected to a page operated by the bank or by a hacker. Which, Schiller says, makes users “sitting ducks.”
How to protect yourself
Those who perpetrate evil twin attacks are benefiting from the distractions of public places. According to Schiller, “they’re depending on you not (paying) attention.”
If you are diligent, these tips will make you less likely to fall victim to an attack.
Check your Wi-Fi settings: Many laptops are set to constantly search and log on to the nearest hotspot. While this option might seem convenient, it does not allow you to monitor which hotspots you are logging on to and determine if they are legitimate. Turning off this option will prevent your computer from logging on to a hotspot without your knowledge.
Pay attention to dialog boxes: Pop-up warnings are there for a reason — to protect you. If you are lucky enough to have not clicked the “never show this again” option, make sure you read these warnings carefully before agreeing to send information.
Use one of your credit cards on the Web only: Open a credit card account that is used solely for the purposes of shopping on the Web. Ideally, you should be able to access account records online so you don’t have to wait for monthly statements to monitor any activity. “Be prepared to close that account on short notice if it’s been compromised,” says Schiller. Conduct private business in private: “Maybe you don’t need to move money around or check your bank statem
ents when you are connected to a public hotspot that you’re not really familiar with,” says Schiller. If you restrict your public surfing to Web pages you don’t mind a stranger reading along with you, there is little an evil twin attacker can do to harm you.
Legal help?
The U.S. House of Representatives has put language in the proposed Securely Protect Yourself Against Spyware Act, or Spy Act, to prosecute those caught wirelessly stealing your information.
Recently moved through the House Committee on Energy and Commerce, the Spy Act would require companies that produce spyware to notify users and receive their consent before software is installed. Additionally, companies would be required to provide users with easy uninstall options.
Now that the bill is fully written and out of committee, it is only a matter of time before it comes to the House floor for a vote. If passed by the House, the bill would need to be introduced and passed by the Senate before becoming law.
But while the Spy Act now makes it possible to punish those who conduct evil twin attacks, the very nature of the problem may make it difficult to identify the culprits. Victims may never realize that the hotspot they used to surf the Web was illegitimate, and once that hotspot has been shut down, it can be impossible to find the perpetrator.
The best advice is to stay vigilant and protect yourself.
