Many people, including those of us who bank online, have a vague understanding of how wi-fi hotspots work. We can scarcely distinguish between one that’s secured and one that’s unsecured, and yet we use them with gay abandon to check email, surf the web, download files – or to do a spot of banking.
Unsecured wi-fi hotspots are a “gold mine” for scammers, and using them for something as innocuous as checking your email exposes you to the risk of having sensitive personal information stolen, Carey van Vlaanderen, the chief executive of security software provider ESET Southern Africa, says.
Sitting in an airport is the ideal time to grab your laptop and send a couple of emails or pay a few bills. Using a free wi-fi hotspot, you connect and send and are on your way. What you don’t know is that your log-in credentials and network traffic can be sniffed and captured by scammers, Van Vlaanderen says.
An attacker may use proxy technology, which intercepts your wi-fi communication and captures and stores it, before sending it on to a genuine wi-fi hotspot. Open wi-fi network traffic can also be picked up by an attacker who is not even connected to the network.
Shaun Norris, the head of information technology at ESET Southern Africa, says it is relatively easy to set up a fake hotspot that relays all traffic to a real hotspot connected to the internet. “Many smartphones can host a hotspot on the phone itself. I could go to my favourite coffee shop – call it Café Coffee – and create a hotspot on my phone and call it Café Coffee-2 to trick people into using it so that I could sniff traffic sent from their device to the internet,” Norris says.
Van Vlaanderen says hotspots with unrecognisable names or ones that closely resemble the hotspot’s actual name should immediately raise a red flag.
Secure (encrypted) wireless will always require you to enter a password before even connecting your device to the network, Norris says.
“Most public hotspots leave the network open – or unencrypted – to avoid the hassle this creates (of giving users a password and helping them to log on).
“An open network is by nature insecure and should be used with caution, regardless of whether or not you have to enter a password via your web browser to gain access to the net through this network.
“Free wi-fi tends to be unencrypted (open) and by nature insecure. Paid wi-fi is more likely to require authentication and be provided by a reputable service provider. However, any open wi-fi, paid or not, raises the risk to your device and data,” Norris says.
Dominic White, a security consultant at SensePost, a company that specialises in information security, says he does not know of a single paid-for wi-fi service provider in South Africa that uses encrypted wi-fi access points.
When you use an unencrypted, or open, network, Norris says, all the data from your device to the hotspot are in plain text and anyone with a “network sniffer” can read the data sent between you and the hotspot.
“If you have no choice but to use these open networks, you should ensure that every site you visit where you might type or view personal information is secured by SSL (you want to see https:// in your browser, not http://) and that your device is protected to the best possible level against internet threats,” Norris says (see “Rules for safe online banking”, below).
White agrees: “If there’s an alternative, a user should always aim for it rather than a public, open wi-fi access point. There are ways of protecting yourself when using an open wi-fi hotspot, but I would make sure not to access anything critical.”
Open wi-fi networks can be targeted only by people physically co-located at the network, he says.
“Secondly, the primary use of the attack would be to observe someone’s internet use and capture their credentials. This is more likely to be done by someone ‘out of interest’ or if targeting a specific individual,” White says.
It’s safer to use a 3G card/dongle (a USB stick), White says, but the safety of 3G networks is “decreasing rapidly, as attacks become easier and cheaper to reproduce”.
According to research commissioned by ESET, almost half of internet users worldwide connect to the web using portable devices as the primary connection device: notebooks or laptops are the most popular (41 percent), followed by netbooks (three percent), smartphones (two percent) and tablets (one percent). This is indicative of the demand for wi-fi hotspots.
WHAT ABOUT AT HOME?
It’s important to secure your home wi-fi network using encryption and a strong password. If your network is open, it’s fairly easy for someone to gain access to it, Derek Bayer, the consulting manager at information technology infrastructure company Clarotech, says.
“Often, the wi-fi access point has been set up with the default settings, which varies from completely open to using a password, which can be found online in the user manual.” Home users generally rely on friends and family who “know something about IT” to help them set up their wi-fi, which can leave them exposed, because it was set up insecurely and they don’t have the know-how to make changes in future, he says.
“My advice is: make sure your access point is set up with WPA2 authentication and secured with Advanced Encryption Standard. And select a complicated password, because secure access and encryption means very little if you’ve used the default or common passwords, such as the name of your pet or spouse,” Bayer says.
WHAT THE TERMS MEAN
* Wi-fi is a mechanism for wirelessly connecting electronic devices. A device enabled with wi-fi, such as a laptop computer, smartphone or tablet, can connect to the internet via a wireless hotspot.
* Wi-fi hotspots are public places – such as cafés, hotels and airports – where you can access the internet free or for a fee. A wi-fi hotspot is a network access point. It usually has a range of about 20 metres indoors. You can have multiple overlapping access points that cover a large area.
* An unsecured hotspot is one that allows users to gain access to a network without a password.
* A network sniffer is a hardware and software tool that grabs the traffic flowing into and out of a computer attached to a network and can be used to decipher passwords.
* HTTPS/TLS/SSL can be considered synonyms. HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) with Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocol to provide encrypted communication and secure identification of an endpoint.
BANKS’ SOFTWARE ‘DOES NOT PROVIDE ENOUGH PROTECTION’
The free software downloadable from the banks does not provide sufficient protection against the wide variety of security threats out there, especially when using public wi-fi. This is according to Dominic White, a security consultant at information security company SensePost, and Shaun Norris, the head of information technology at security software provider ESET Southern Africa.
“The sad reality is that while antivirus software is approximately 80-percent effective against run-of-the-mill malware, against a targeted attack it’s probably closer to 40-percent effective. Antivirus software provides little in the way of protecting your traffic as it flows across a network,” White says.
Some banks are rolling out Trusteer Rapport, “which helps with phishing attacks either by helping a user spot a phishing attack or by helping the bank spot new ones”, he says. Standard Bank and Nedbank offer Trusteer Rapport for free to their internet banking users.
Norris says the best defence for your device is a multi-layered approach (see “Rules for safe online banking”, below).
RULES FOR SAFE ONLINE BANKING
Shaun Norris, the head of information technology at security software provider ESET Southern Africa, shares his personal rules for secure internet banking:
* Only at home (or work) when connected to a known network;
* Only with the latest operating system updates installed;
* Only with the latest antivirus/security software updates installed (with a quality antivirus/ security product such as ESET Smart Security);
* Only with the latest version of a security-conscious browser (Mozilla Firefox or Google Chrome) and definitely not with MS-Internet Explorer (any version); and
* If possible or practical, from behind a router or firewall that “masks” your public IP address. (If you have an ADSL router at home, this will usually be the case.)
SEVEN HABITS OF HIGHLY SECURE WI-FI USERS
Dominic White is a security consultant at SensePost, a company that specialises in information security. White provides the following list – although not exhaustive – of safe computing habits, which, he says, should help you to protect yourself:
1. Use your 3G dongle (USB stick). If that’s not an option, use an encrypted wi-fi network. This will be a network that uses the WPA (Wi-fi Protected Access) protocol, not WEP (Wired Equivalent Privacy). Consider WEP equivalent to an open network. You will know that the network is encrypted if you need a password to connect to it in the first place. If you need the password only after you connect, the network is not encrypted.
2. Try to use the https/SSL/TLS version of all websites. Sites such as Google, Gmail, Facebook and Twitter provide a preference setting to force your connection always to use https. An add-on for the Firefox browser, HTTPS Everywhere (https://www.eff.org/https-everywhere), will try to do this for you automatically on many of the most popular sites. This will ensure that your browsing session is encrypted between you and the service, and even if someone intercepts your network traffic, they will not be able to inspect it.
3. Validate the website’s security certificate. Even if you use HTTPS, if you do not validate the website’s security certificate, an attacker could present you with a fake certificate, to perform a “man-in-the-middle” attack. These attacks are very feasible due to the average person’s inability to verify a certificate.
To make verification easier, White recommends two browser add-ons. Once again, they are only for Firefox. The first is Perspectives (http://perspectives-project.org/), which performs two checks each time your browser sees a certificate. First, Perspectives ensures that the certificate is the same certificate that several “network notaries” dotted around the internet have seen (in an attack, your browser would see a different certificate to what they see). A network notary is a watchdog server that, without relying on certificate authorities, regularly monitors the SSL certificates used by over 100 000 websites to help your browser detect “man-in-the-middle” attacks. Second, Perspectives ensures that the notaries have seen the certificate for more than a couple of days. This happens quite transparently, and you will see a warning only if there is a problem of which you should be aware.
The other slightly more technical add-on is CertPatrol (http://patrol.psyced.org/). This will alert you whenever a security certificate changes from one visit to another without good reason (for example, the old certificate expired and had to be replaced).
4. Ignoring certificate warnings is a bad idea on any network. There have been numerous attacks of late due to people doing just this.
5. Use a different password for each website. This will prevent a captured credential from one service being reused on another. White says he uses password manager SuperGenPass and maintains his own version of it at http://singe.za.net/sgp/
“Specifically, it will generate a unique password per website you use, and you will only need to remember one secure password from which these are generated.
“Other password managers like 1Password or KeyPassX do the same, but store the passwords in a database that is unlocked with the master password. I prefer SuperGenPass, as there are no databases that need to be carried around,” White says.
6. Disable file-sharing services and use a personal firewall if possible. Often, people leave means of accessing files on their devices open when they move from their home or office network to an open network. This could be as simple as iTunes sharing their library, or leaving their C drive shared to the public.
7. Limit what you do on any public (open) network. Browsing your favourite news website is significantly less risky than logging on to internet banking, for example.
CRIMINALS HOOKED ON PHISHING
Phishing is the fastest-growing e-commerce crime tool in the world. Interpol says criminals are migrating to e-commerce crime because it is more profitable than drug-dealing and less risky, Christo Vrey, the managing executive of digital channels at Absa Bank, says.
Gavin Opperman, the chief executive of Absa Retail Bank, says clients should educate themselves about the modus operandi of fraudsters and adopt safe online banking practices to avoid falling prey to scamsters and phishing attacks.
“Phishing is done via SMS, email or telephone and aims to get hold of your personal and banking details in order to fraudulently withdraw money from your account. Never divulge your banking details to anyone via any of these channels,” Opperman says.
The key thing to remember is that your bank will never send you an email asking you to click on a link or open an attachment to upgrade your service or confirm your log-on details, he says.
Vrey says when you receive a suspicious email with an embedded link, hover your cursor over the link and it will reveal the real URL. For example, the link may read www.absa.co.za, but when you place your cursor over it, the real URL – say, http://666phishingexpedition.com/index/php – will be revealed. Be careful not to click on the link. “Clicking on the link verifies your email address and drops a cookie or virus on your PC, feeding back your key strokes,” Vrey says.
Dominic White, a security consultant at SensePost, says there has been a sharp increase in phishing attacks in South Africa over the past year.
White says you should access your bank’s website only by navigating directly to it. “I have a bookmark with the secured (https) URL of my bank directly stored in it, to prevent my mistyping and hitting a page cyber-squatting on abss.co.za, for example,” he says.
Although the banks hold clients responsible for negligent behaviour, defining negligence isn’t always cut and dried. Absa and Nedbank say they base decisions of liability on the merits of each case.
Stephen Higgins, the media liaison for First National Bank (FNB), says that FNB’s policy is clear: “If you give away your log-in or personal details, you will be held liable for your losses.”
Fraudsters often launch attacks on the back of current events, Higgins says. For example, in tax filing season or after a natural disaster, they will send out a flood of emails and try to dupe clients into parting with their banking details.
None of the banks would divulge the number of cases of online fraud or phishing that they investigate in a week or how many clients download their antivirus software.
NOT-SO-CLEVER PASSWORDS YOU SHOULD PASS UP
According to data gathered by Mark Burnett, the author of the book Perfect Password, 98.8 percent of internet users share the same 10 000 passwords.
It seems incredible that “password” is still the most popular password, but it is – with “123456” a close second. At first glance, “5683” might seem to be a pretty random passcode or personal identification number, but it spells out “love” on a keypad, and that’s as much of a gift to hackers as the ridiculously common password “iloveyou”. Careless, forehead-slapping mistakes of this kind are widespread within companies, too.
So why are our passwords still so predictable? According to Burnett, the common advice we are given – particularly to mix letters and numbers, as in “pass123” – is misguided. “People just aren’t as savvy as they think they are,” he says.
“For example, many people try to be clever with passwords like ncc1701 or thx1138, but these are the ship number for the starship Enterprise and George Lucas’s first film respectively, and they’re incredibly common. Rather than bothering with how many capitals, numbers and symbols we have in our passwords, we should be concentrating on making them longer.”
There are three ways that a password can be compromised.
The first is simply to ask us what it is. Social engineering techniques can persuade us to give it up very easily – for example, via a rogue email purporting to be from a bank.
The second is to have a guess, and, as we’ve seen, 10 000 guesses will hit paydirt 98 percent of the time.
The last method is brute-force cracking, where all the potential combinations are laboriously worked through until the right one is chanced upon – and that’s where the length of a password becomes crucial. Visit the website howsecureismypassword.net, tap in an eight-character password, and it will tell you that a desktop computer can guess it in a matter of hours. But extend that to a 12-character password, and we’re talking several centuries.
“If your password contains 15 characters or more, it no longer matters how random it is,” Burnett says. “It doesn’t matter if there is an English word in there somewhere; it doesn’t matter how many numbers or symbols you use; it doesn’t matter if you use the same letter too much; and it doesn’t need to be changed every 30 days.”
Many techniques for password selection involve mnemonic methods – for example, the initial letters of the phrase “You were only supposed to blow the bloody doors off” will generate “ywostbtbdo”.
The other issue that worries the password-choosing public is the knowledge that the same password should not be used across every website we log into. But the mental energy it takes to retain more than two or three passwords encourages us, once again, to be lazy.
Services such as 1Password, KeePass and LastPass offer a convenient “remembering” facility, where all you have to do is provide a master password and it does the rest of the work for you.
Although LastPass was subject to a hacking attack earlier this year, Burnett still recommends using such services – with the proviso that the master password is strong and long. “The LastPass issue shouldn’t have affected anyone with a strong enough master password,” he says.
“Mine is 24 characters long – but there are services like KeePass which keep all the passwords stored on your computer rather than online.” – The Independent