Sensitive transactions over wireless: A recipe for disaster

Europol issues warning regarding public wi-fi networks

Industry experts have been proclaiming for a while now that we’re headed toward a world without wires. Some pundits have predicted that new fast wireless technologies, capable of gigabit speeds, will usher in the death of Ethernet. The majority of home networks are wi-fi based. Companies connect wireless access points to their wired networks to make it easier for BYOD users to connect.

In addition to these home and business networks that are intended for the exclusive use of the residents and employees, respectively, public open wi-fi networks abound. No matter where you are – public parks, shopping malls, airports, restaurants, government complexes – you’re likely to find a few available “hot spots”.

I’ve spent my last few vacations on cruise ships, and every time we dock in a port, the first thing many cruisers do is hunt for a wi-fi network to which they can connect their phones, tablets or laptops to get back in touch with the world (Internet service is available on most ships, but in most cases it’s very slow and very expensive). Of course, the free nets are the most popular; everybody likes to get something for nothing – especially if you just lost a few hundred dollars, or a few thousand, in the ship’s casino.

The problem is that “free” sometimes comes at the cost of security. That might not be so important for those who are just getting in a little chatting with their families back home or uploading photos of the trip to Facebook. I cringe, though, at the thought of how many of my fellow cruisers may be spending part of their port days paying bills online that they forgot to take care of before leaving, or sending email to co-workers about confidential company business, or who just can’t wait to place an online order so they’ll have some of those delicious rum cakes waiting for them when they get back home.

Conducting financial transactions or sensitive business over an open wi-fi network is a lot like taking candy from a stranger. It might be fine – but it might not. You don’t know the motivation of the person(s) operating the free network.  There are legitimate businesses that operate free nets as a service to customers. There are government entities that operate “free” public wi-fi services funded by tax dollars. There are individuals who believe in sharing their Internet connections with the world and open up their wi-fi networks to anyone who wants to use it.

Unfortunately, there are also scammers – many of them – who set up open wireless networks for the purpose of intercepting the information that goes across them or even hacking into the hard drives of the people who use them. They usually give their networks SSIDs (names) that make them appear to be “official” such as ATL Free Net or Hotel Public Network. Then they steal credit card information, personal data for identity theft, business trade secrets and anything else of value that they can find. They can also install malicious software on the device so that even when you’re back home on a secure connection, the malware sends information back to the hacker’s “mother ship.”

This has been a problem for many years but it has grown so serious that Europol – The European Union’s criminal law enforcement agency – has issued a warning to users that they should avoid doing any type of serious business over open public wi-fi networks. IT professionals already know that this is a best security practice, but it’s something that needs to be imparted to users – not just on a one-time basis but frequently, and especially as we approach the spring and summer vacationing season when many of them will be taking their computing devices to tourist towns in the U.S. and abroad. Such places are a favorite target of scammers because they know that in today’s busy mobile world, many travelers will be checking in at work and taking care of household business from afar in the middle of their trips.

What’s the solution? Use networks you know you can trust, those run by trusted entities, even if you do have to pay for it. Or go through a VPN service to create a secure “network within a network” for sending sensitive data. Even better (although not always feasible) is to conduct such business only when on the premises of your home or work network, where you have control over the security implementations.