Don’t let free Wi-Fi lull you into a false sense of security
● Theft of sensitive information from cafe patrons surfing the internet at a free Wi-Fi hotspot is easy for cyber criminals, whether you are a wealthy entrepreneur or a server.
Surfing the net for general information such as tourist sites while you are travelling or for what’s on at your local cinema poses no threat, but activities such as online banking, checking investments online and shopping online should be avoided at public WiFi hotspots.
Even logging into an e-mail web account such as Gmail means fraudsters can pick up your login details and use them later.
Jim Green, a security expert from IT security company GNL Cyber, says when you use a Wi-Fi hotspot, the data travelling to and from your device is being carried on radio frequencies that can be intercepted by anyone with a Wi-Fi-enabled device that has interception software on it.
In what is known as a “man-in-the-middle” attack, the attacker sets up their own Wi-Fi access point with the same name (or SSID) as the free Wi-Fi hotspot and causes the victim’s device to connect to their device where the attacker can intercept and manipulate your data messages, upload malware to your device or misrepresent your identity on the internet.
Dominic White, the chief technical officer at cyber security company SensePost, says public Wi-Fi networks that require a password to access the internet are marginally more secure.
However, the reality is that for a public Wi-Fi hotspot (where anyone can find out the password) the difference is negligible, as attackers only need to put in a little more effort to gain access to the communications unencrypted.
Also, several hotspots prompt you for a password through a webpage when you first connect (something called a captive portal), and most users don’t understand that this isn’t the same thing as a connection-level password, he says.
“By harvesting login credentials to sites that the victim is using, the attacker can then access the victim’s accounts in his own time,” Green warns.
With your bank details, the fraudster can raid your account.
To prevent you from receiving a bank notification that a transaction has taken place on your account, criminals launch a smishing attack — they send so many missed calls or SMSes to your cellphone that you eventually switch it off, says Danny Myburgh, MD of digital forensic lab Cyanre. As soon as your phone goes over to voicemail, the criminals know you have switched off your phone and then they step in and transfer money out.
Banks offer their clients the option of receiving an authentication SMS for logins into their bank accounts and PINs sent via SMS for loading a new beneficiary in order to make a payment.
If you do have such measures on your bank account, Myburgh says, fraudsters may attempt a cellphone SIM card swap to gain access to the SMS verifications and PINs. If they succeed you will not receive any messages as they go to another number set up by the criminals.
Once the fraudster has your bank account details, they log into your account, register a beneficiary and transfer money into an account set up at a bank using false details or ‘rent’ a bank customer’s account. The cash is then withdrawn from that false or rented bank account at an ATM, he says.
According to Myburgh, while some criminals target large organisations to go after the big money and spend time and money researching the business to find opportunities in a targeted attack, the average salary earner and pensioner are at risk, too.
Myburgh says his business is aware of cases where the amounts stolen from individuals were as low as R500.
And if you think you don’t have enough money in your account for most of the month, criminals review your history and lie in wait for your salary to appear in your account, when they swoop in, he says.
Typically, it takes 28 days from the time a fraudster compromises an account to the point they transfer money out, he says.
In this time, they watch your transactions, set up a beneficiary, possibly apply for online credit (such as an overdraft), raise account payment limits and check whether you have a home loan facility linked to your current account, he says.
Once you have taken steps to ensure your Wi-Fi connection is secure, you still need to practise safe browsing on the internet.
Checking on a website’s security certificates can help, but to truly understand what you’re doing requires security expertise most users don’t have, White says.
A digital certificate is an electronic “passport” that allows a person, computer or organisation to exchange information securely over the internet using the public key infrastructure provided by a trusted, designated authority and made available to everyone through a publicly accessible repository or directory.
Instead, as an internet user, you should be on the lookout for certificate errors (see “How to safeguard yourself” alongside), which browser creators have put a lot of effort into over the last few years.
Green agrees, saying that checking on a website certificate will reduce your chances of being intercepted, but it will not guarantee that your connection is secure.
For sensitive activities such as internet banking, Green’s preference is to avoid using public Wi-Fi hotspots altogether or use a MiFi device (a portable router that has its own SIM card) to provide your own portable hotspot connected directly to the cellular network for more sensitive transactions.
But even using your own Wi-Fi router in your home or office, which has been properly set up with a password, could be vulnerable, according to Kalyani Pillay, CEO of the South African Banking Risk Information Centre. She says an attack on the Wi-Fi-protected access protocol that secures Wi-Fi connections was discovered in 2016.
It is called KRACK, which stands for Key Reinstallation Attack.
She says any device that uses Wi-Fi may be vulnerable to KRACK, which bypasses the security protocol that is used by most routers and devices that can communicate with the internet.
KRACK compromises the authentication handshake — which is like a secret greeting —
between your device and the modem or router which confirms that the user is allowed to legitimately access it. Once the WiFi security handshake is broken, attackers can gain access to personal and confidential information should you be sending or using it online.
On the upside, though, Green says since the discovery of KRACK, device manufacturers have been working on new versions of software to overcome the vulnerability it exploits.
To safeguard yourself, you should regularly update the software for your laptop, tablet, phone or router in line with recommendations from the device manufacturer. This applies to all devices including Wi-Fi access points and devices, Green says.