Despite the increasingly fast data transfer speeds being offered by technologies such as 3G, modern mobile users would typically prefer to opt for a wireless connection for improved speed, reliability and lower cost. Wireless hotspots are now commonplace at commuter locations such as coffee shops, airports, bars, hotels and train stations, and with BT being one of the biggest providers of free hotspots around the country, most could be forgiven for thinking that it’s perfectly safe to use these sorts of services.
This doesn’t seem to be the case, however, and a recent investigative report by The Guardian showed that not only are consumers far too quick to jump on the nearest connection, it is also far easier than you’d think to steal personal information and run up huge bills on an unwitting consumer’s phone.
The number of users that currently take advantage of BT’s hotspots and similar services runs into the millions, and according to the report, each of these could be vulnerable to fraud and identity theft. Volunteers were used to conduct the research and, armed with a portable router that costs less than £50, were able to simulate official-looking wireless gateways, encourage users to connect and then show how personal data could be stolen, email accounts accessed and goods and services purchased using the consumer’s payment information.
In addition, some users could find that their phone automatically logs into recognised wireless hotspots without their knowledge – a feature that is designed as a convenience but can carry significant risk. The Chief Executive of security company Cryptocard had a stark warning for iPhone users: "An O2 iPhone will automatically connect, because BT Openzone connectivity is usually part of the package for free internet access. It will pass over its credentials and because it can see the internet through the hotspot, it will start sending and receiving data."
Furthermore, BT customers who take part in the BT Fon community service, which requires them to allow a small amount of their Wi-Fi bandwidth to be used publicly in return for a similar benefit, will find their phones automatically hunting for registered hotspots after an initial login, which could lead to similar attacks.
“We became aware of the potential for criminals to use Wi-Fi in this way last year and have become increasingly concerned,” said Stuart Hyde, the Association of Chief Police Officers' lead on e-crime prevention. “All they need is to set themselves up in a public place with a laptop and a mobile router called 'BTOpenzone' or 'Free Wifi' and unsuspecting members of the public come along and connect to them. Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net. And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed. Until there are improvements in security, I would advise people to be very wary indeed when using insecure Wi-Fi in public places.”
In addition to setting up bogus gateways in order to retrieve personal details from phones that connect to them, a second connection was set up that required people to pay for the service by entering their credit card details. The terms and conditions of this “fake” connection clearly stated that it offers no protection for private information, yet amazingly three people signed up within 30 minutes. Of course this was just a test, and all personal information was subsequently destroyed and requests to join pay connections rejected, but it’s a stark illustration of how little care modern consumers are taking when connecting to the internet away from home.
BT has been aware of this problem for some time and is working to find an efficient solution that will allow users to access hotspots with peace of mind, but in the meantime it’s important for consumers to be vigilant and to engage in safe practice when using these sorts of service.
Eight ways to protect against fraudulent wireless
There are a number of things consumers can do to help ensure they are not caught out by malicious users trying to steal their data over wireless.
Be aware that the problem exists. Though it might sound obvious, it’s important to be aware that these sorts of threats do exist and to exercise caution when connecting to wireless networks. Pay particular attention to the name of the network and ensure it is formatted correctly – thieves will often attempt to mimic a common name such as BTOpen that might sound safe, but could be a malicious user posing as a legitimate service. If in doubt, speak to BT to find out exactly how their hotspots are labelled.
Install security software. Security software that features a robust firewall can help prevent certain attacks and antivirus tools will detect any malicious files that someone may try to install to a device remotely.
Use a virtual private network (VPN). Wherever possible use a virtual private network to connect to the internet, particularly if you are dealing with sensitive data or financial information.
Select a secure email session. Most online email accounts have the option to log in securely or enable a public terminal, which means no cache is stored from this session. Always select this option if you are checking mail away from the home.
Consider an extended data contract. Most smartphone users will find themselves accessing the internet fairly frequently and even if you don’t actively browse the web, platforms such as Android use widgets that can request updates automatically, or email accounts set up on a phone could refresh without your knowledge. For this reason it’s often prudent to expand a small data package for a small additional monthly fee, or even opt for unlimited data from your provider. This means there will be far fewer instances where you’ll need to connect to a hotspot, and most modern phones offer fast enough connections to prevent any frustrating delays.
Check your wireless settings. It’s good practice to remember to switch off a wi-fi connection on a phone when not in use. This will save on battery life and help prevent the phone from automatically connecting when a compatible hotspot is within range. Also make sure that any settings that may configure the wireless function of a phone to be automatically enabled, or for a remote hotspot to be automatically connected to when in range, are disabled.
Online activity. If you’re using a wireless network that is effectively “unknown”, in that it isn’t a home or office network you are familiar with, avoid activities such as bank transactions, online payments, and the entry of passwords and user details wherever possible. While you may still be at risk of some of the problems highlighted above, this will at least prevent passive attacks from recording the data you enter into your phone.
Can it wait? Finally, consider whether it’s really necessary to be online at that particular time. It’s quite possible that whatever needs doing could wait until you return home or reach the office, or using the phone’s own 3G connection may be a realistic alternative.