Is Wi-Fi being used by phishers and other identity thieves? Some folk reckon so, pointing to tricks such as the Evil Twin threat and something called ‘WiPhishing’, which, according to Information Week, goes like this:
“We call WiPhishing the act of covertly setting up a wireless-enabled laptop or access point for the purpose of getting wireless laptops to associate with it,” Cirond CEO Nicholas Miller said in a statement. “Hackers who are on a ‘WiFishing expedition’ may set the name of their rogue wireless access point (or laptop) to an SSID that is commonly used by wireless laptop users.”
For example, a WiPhisher could set the SSID of an access point or laptop to be the same as the default settings for widely-sold access points or hotspot services offered by vendors such as T-Mobile and Wayport, Miller said.
“Hackers are also likely to increasingly post common SSID names on their Web sites as this practice gains momentum,” Miller said.
I’m not trying to be cynical here, because I think Wi-Fi security is a real issue, but these kind of statements are more often than not made by folk who stand to gain the more afraid people are, because they sell ‘solutions’. The Cirond statement, issued on the PR businesswire on Feb 4, was quickly picked up by four or five industry websites including Information Week, SYSCON, Internet Telephony Magazine and InternetWeek (and now, of course, Loose Wire Blog).
So, threat, or hype? Probably both. So we should probably call it a Thrype.
Forget phishing for your passwords via dodgy emails. Just use Wi-Fi.
Internet security company Secure Computing Corporation have today released a report prepared by security consultants Canola/Jones Internet Investigations which “documents the serious risks of password theft that business travelers encounter when using the Internet in hotels, cafes, airports, and trade show kiosks.” The full report is available (in PDF format) here.
Posing as a business traveler, the author “found multiple methods available to cyber-criminals that could be used to steal passwords and corporate information”. Wireless access points are especially vulnerable: “Tests conducted at an airport Internet cafe and at a popular chain of coffee shops showed that unencrypted streams of data from the laptops of patrons could easily be seen in many instances by another patron sitting nearby with wireless ‘sniffer’ software.”
Even hotel broadband is risky. Canola/Jones shows “how a hotel guest can use widely available snooping software with a laptop logged onto the hotel network. The guest can successfully snoop on the hard drives of fellow guests who have file sharing” enabled on their PCs. Corporate data and passwords can easily be stolen.” Gulp. Other holes: keyboard logging software secretly installed on public terminals, and the hardy perennial, shoulder surfing, where a ne’er-do-well passes your terminal just as you happen to be entering a banking password.
Needless to say, this is all pretty scary. And Secure Computing would like to offer you a solution: their “two-factor authentication SafeWord line of tokens” which generate one-time-only passcodes for each user session. But there are other ways of foiling most of these exploits: Firewalls on your computer, common sense (don’t go to important websites like Internet banking on a public computer), and only using public Wi-Fi when you a) know it’s encrypted and b) you’re not dealing in sensitive data. Have I forgotten anything?