Wi-Fi Security – What You Should Know When Travelling
Director Steve Southern shares a cautionary tale
I have a new toy on my desk – here it is…
I purchased it a couple of months ago for around £60 because I’m interested in Wi-Fi security. It’s a remarkably powerful and versatile device. One of the really cool things it can do is look for and ‘harvest’ wireless network hotspots – these are the things stored by your computer, tablet or phone such as ‘Costa Guest’, ‘Hilton Guest’, or ‘BTHub5-AB12.’ It can then ‘pretend’ to be any of these hotspots so your device will be fooled into thinking it’s a legitimate wireless hotspot and connect to it. Except you will then be connected to me, and you will be totally unaware.
You’ll still have wireless Internet access, but all of your network traffic will be going through my device, including passwords – which by the way can be quickly and easily cracked. I suppose I’m using the device for research purposes and to improve my own knowledge and understanding of wireless security – all legitimate aims – but others may be inclined to use it for what we might describe as illegitimate reasons. So should you be worried? The short answer is, yes. While there may not be many people wandering around with devices such as this in their briefcase, the fact is that many public wireless access points are not secure – they require no authentication – i.e. a password, and are by their very nature open to all and sundry. Like most things in life it really comes down to your attitude to risk, but knowing about things like my little device will hopefully help you to make a more informed decision.
I could provide some detailed guidance on wireless security but I don’t need to because someone else already has. I strongly recommend that you take a look at https://www.getsafeonline.org/protecting-your-computer/wireless-networks-and-hotspots-pyc/. Like other advice and guidance on this site it is simple and easy to understand, and will take less than five minutes to read. You will then be in an even better position to make an informed decision about how, when, and where to connect to wireless networks.
If you heed only one recommendation from this getsafeonline page I would urge you to consider using a VPN. Many of us use VPNs for business, but I also use one for personal Internet access, and it’s a very sensible precaution. There are many available – I use VPN UK https://vpnuk.info/ - for a monthly subscription of £5.99.
The final piece of advice from the getsafeonline page says “Be aware of who is around you and may be watching what you are doing online.” This is excellent advice for anyone travelling, not just in relation to being online, and it reminds me of an occasion when I was travelling by rail from York to London.
I was sat behind a lady who was travelling with two teenage children and a man - an apparently ordinary, happy family. So far so normal. The lady then gets on her mobile - I'm going to call her Christine, (not her real name, and all other 'personal' details to follow have also been changed) - and says, "Hi, I'd like to book my car in for an MOT tomorrow please." There followed some brief dialogue between Christine and the garage person to agree timings.
Then Christine comes out with the following, more or less verbatim:
"LN48 GPS, it's a Volkswagen Golf. No, it's petrol. NE27 4LX. Number 8. Adams. 07532 697488." As I had a pencil in my hand, I paused from my Su Doku deliberations and noted down these details in the margin of my Times newspaper. I then mentally replayed the questions Christine had just been asked by the garage person: "Car registration and make? Is it a diesel? Postcode? House number? Surname? And a contact telephone number?" An apparently innocuous and very brief conversation - it probably lasted less than 45 seconds - but in a very public place, and I now knew quite a lot about Christine.
Trying not to dwell on it, I returned to my Su Doku. A few minutes later Christine is in conversation with the teenage boy about something Christine has purchased online (a scooter), and a problem over the payment. You might guess what then transpired. That's right - Christine gets on her mobile again - explains the problem with the payment to the call centre person, whereupon after a few seconds, she states the following: "Christine Adams. 5574 1187 3983 4490. 08/13. 446." Destined never to complete my Su Doku, I again noted down the aforementioned details, and again mentally replayed the questions Christine had just been asked: "Full name as it appears on the card please? And the long number on the card? And the expiry? And the 3-digit security code on the back of the card?" Brilliant. I now have a more or less complete personal profile of Christine, and a valid credit or debit card in her name. I can also make certain assumptions about her and her family - relatively affluent for a start, given the iPad, and the way they are all dressed.
Within minutes I can almost certainly identify social media sites that reference Christine and her family where there will undoubtedly be masses of 'collateral' information about her friends, work, pets (always good for guessing passwords), schools for the kids and so on. All of this in a 30-minute period of a two-hour train journey. There's a name for what I'm describing - it's called social engineering - and it's an incredibly easy way to steal someone's identity, commit fraud, enable stalking, and potentially make Christine and her family victims of some other very unpleasant crimes. Travellers beware.