You may want to think twice before logging into a public wireless hotspot.
Sure, grabbing a few minutes of connectivity is convenient, but identity thieves
are discovering that, through "evil twin" attacks, hotspots are a great way to
steal unsuspecting users' private information.
So how does an evil twin attack work? Let's say that I'm a hacker. I set up my computer to
transmit a signal that turns my PC into an access point, or Wi-Fi hotspot. I'll
even give it a legitimate-sounding name, like T-Mobile Hotspot, to fool
unsuspecting surfers.
Next, I put my laptop in a backpack and read a newspaper while sipping some
java at the local coffee shop. All I have to do is wait for you to connect. (And
if I'm looking to steal from you, I'll require you to enter a credit card number
to get access, just like T-Mobile does--then I'll have your credit card
information.) While you surf the Web, my computer redirects you to Web pages I
have created that happen to look like the ones you visit on a daily basis.
In fact, the only difference between the Citibank page you visit every day
and the one I have made is that my page is unencrypted. I can log all of the
information you input into various Web forms, and when you check your e-mail, I
can read it along with you.
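The attack above works because a rogue access point can copy the name (SSID) of a hotspot you already trust. From the defender's side, the two things a client can notice are that a familiar SSID suddenly appears from an unfamiliar hardware address (BSSID), or that it is now open when the network you saved was encrypted. The following is an added example, not code from the article: it runs that check over a constructed scan list and a constructed "known networks" store; the field names and the sample addresses are assumptions.

```python
"""Flag candidate evil-twin access points in a Wi-Fi scan.

Added example, not from the article. Scan records are constructed inline;
in practice they would be parsed from the OS scan output. Field names
(ssid, bssid, security, channel) are assumptions for this example.
"""
from collections import defaultdict

# Constructed sample scan. The trusted hotspot is "T-Mobile Hotspot"
# on aa:bb:cc:00:00:01 (WPA2); the second entry imitates its name.
SAMPLE_SCAN = [
    {"ssid": "T-Mobile Hotspot", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "channel": 6},
    {"ssid": "T-Mobile Hotspot", "bssid": "de:ad:be:ef:00:02", "security": "OPEN", "channel": 11},
    {"ssid": "CoffeeShop-Guest", "bssid": "11:22:33:44:55:66", "security": "OPEN", "channel": 1},
]

# Constructed "known networks" store: what the user has connected to before.
KNOWN_PROFILES = {
    "T-Mobile Hotspot": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"},
}


def find_evil_twin_candidates(scan, known):
    """Return a list of (ssid, bssid, reason) for access points that merit suspicion.

    Only SSIDs the user has a saved profile for are compared; an unknown
    network gives us nothing to compare against.
    """
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    for ssid, aps in by_ssid.items():
        profile = known.get(ssid)
        if profile is None:
            continue
        for ap in aps:
            if ap["security"] != profile["security"]:
                # A saved WPA2 network now advertised as open is the strongest signal.
                findings.append((ssid, ap["bssid"],
                                 f"security changed {profile['security']} -> {ap['security']}"))
            elif ap["bssid"] not in profile["bssids"]:
                # Same name and same security, but hardware we have never seen.
                findings.append((ssid, ap["bssid"], "unfamiliar BSSID for a known SSID"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_evil_twin_candidates(SAMPLE_SCAN, KNOWN_PROFILES):
        print(f"suspicious: {ssid!r} from {bssid}: {reason}")
```

Treat the "unfamiliar BSSID" finding as advisory: a large venue legitimately runs many access points under one SSID, so the user would need to confirm with the venue. A security downgrade on a saved network is the finding that should stop you from connecting.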
Don't Let Your Browser Make You Feel Safe
Most Web browsers already have several measures in place to warn about
unencrypted Web pages. However, each of them has security flaws.
Pop-Up Warnings: Web browsers often use a
pop-up dialog box to indicate that information being sent is not encrypted. The
problem with this is that these boxes offer the option to "never
show this again." If you have clicked this box just once, you will no longer be
warned if you are sending information through unencrypted channels.
The Lock Icon: Most Web browsers display a
small lock icon to indicate an officially regulated, encrypted Web page. The
problem with these is that you must be diligent about looking
for them every time you log on to a new page. Additionally, if a hacker changes
even one letter in the domain name you are familiar with (for example, replacing the lowercase L in lehman.com with the digit one,
1ehman.com), they can then register that domain name. When you are redirected to
that page it will display the lock icon, and you may never notice the changed
domain name. Why would an illegitimate site be able to display this lock icon?
Because the public certifying authority that issues digital
certificates to legitimate sites can be fooled into issuing digital certificates to
illegitimate sites.
HTTPS and Unfamiliar Links: Most banks advertise the unencrypted (http) version of their Web pages,
because it is easier to remember than the https address that indicates the
encrypted version. When you log on to that page and click to enter the encrypted
version, you can be redirected to a page with a domain name that is unrelated to
the bank's home page. If you do not recognize the name, it is difficult to know
if you have been redirected to a page operated by the bank or by a hacker.
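The two problems above (a registered look-alike domain such as 1ehman.com, and a login page that redirects to a domain you do not recognise) are both things a user, or a browser extension acting on the user's behalf, can check mechanically before typing a password. The following is an added example, not code from the article: it takes a login URL and a constructed list of trusted domains, refuses anything not served over https, accepts exact matches or true subdomains, and flags hosts that only match after common look-alike characters are mapped back. The trusted list, the sample URLs and the small confusable-character table are all constructed for this example.

```python
"""Assess a login URL against a trusted-domain list.

Added example, not from the article. TRUSTED_DOMAINS and the confusable
map are constructed; a real deployment would use a full confusables table.
"""
from urllib.parse import urlsplit

# Constructed allow-list of domains the user actually banks with.
TRUSTED_DOMAINS = {"lehman.com", "citibank.com"}

# Illustrative single-character look-alikes (digit one for lowercase L, etc.).
# This is a small subset, not a complete confusables table.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s", "3": "e"})


def normalise_host(host):
    """Lower-case the host, strip a trailing dot and map look-alike characters."""
    host = host.lower().rstrip(".")
    # Two-character imitations that a single-character map cannot express.
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(CONFUSABLES)


def matches_trusted(host, trusted):
    """True if host equals a trusted domain or is a real subdomain of one.

    The label boundary matters: citibank.com.example.net must not match.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) with verdict in {'ok', 'insecure', 'lookalike', 'unknown'}."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return ("insecure", "login page is not served over https")
    if matches_trusted(host, trusted):
        return ("ok", f"{host} is a trusted domain")
    trusted_norm = {normalise_host(d) for d in trusted}
    norm = normalise_host(host)
    if matches_trusted(norm, trusted_norm):
        # The 1ehman.com case: looks like a trusted name but is not one.
        return ("lookalike", f"{host} resembles trusted domain {norm}")
    # The unfamiliar-redirect case: encrypted, but nobody you know.
    return ("unknown", f"{host} is not a trusted domain")


if __name__ == "__main__":
    for sample in ("https://www.lehman.com/login",
                   "https://1ehman.com/login",
                   "http://www.citibank.com/",
                   "https://citibank.com.example.net/",
                   "https://secure-login.example/"):
        print(sample, "->", assess_login_url(sample))
```

Note that a lookalike verdict and an unknown verdict call for the same user action (do not enter credentials until the bank confirms the address); the distinction is useful for reporting, because a look-alike is evidence of deliberate imitation rather than just an unfamiliar vendor.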
How to Protect Yourself
If you are diligent, these tips will make you less likely to fall victim to
an attack.
Check Your Wi-Fi Settings: Many laptops are set
to constantly search and log on to the nearest hotspot. While this option might
seem convenient, it does not allow you to monitor which hotspots you are logging
on to and determine if they are legitimate. Turning off this option will prevent
your computer from logging on to a hotspot without your knowledge.
Pay Attention to Dialog Boxes: Pop-up warnings
are there for a reason--to protect you. If you are lucky enough to have not
clicked the "never show this again" option, make sure you read these warnings
carefully before agreeing to send information.
Use One of Your Credit Cards on the Web Only:
Open a credit card account that is used solely for the purposes
of shopping on the Web. Ideally, you should be able to access account records
online so you don't have to wait for monthly statements to monitor any activity.
"Be prepared to close that account on short notice if it's been compromised."
Conduct Private Business in Private: "Maybe you
don't need to move money around or check your bank statements when you are
connected to a public hotspot. If you restrict your public surfing to Web pages you don't mind a
stranger reading along with you, there is little an evil twin attacker can do to
harm you."
Legal Help?
The House of Representatives has put language in the proposed Securely
Protect Yourself Against Spyware Act, or Spy Act, to prosecute those caught
wirelessly stealing your information.
But while the Spy Act now makes it possible to punish those who conduct evil
twin attacks, the very nature of the problem may make it difficult to identify
the culprits. Victims may never realize that the hotspot they used to surf the
Web was illegitimate, and once that hotspot has been shut down, it can be
impossible to find the perpetrator.
The best advice is to stay vigilant and protect yourself.