5 Ways Hackers Can Use Public Wi-Fi to Steal Your Identity

Philip Bates 03-10-2016

We’ve all been tempted to use public Wi-Fi: it’s free, saves on your data allowance, and is always helpful in speeding up loading times.


You might love public Wi-Fi — but so do hackers.

Here are just a few ways cybercriminals can get access to your private data and potentially steal your identity, and what you can do to protect yourself.

1. Man-in-the-Middle Attacks

A man-in-the-middle (MITM) attack is one in which a third party intercepts communications between two participants. Instead of data being shared directly between server and client, that link is broken by another element. The uninvited hijacker then presents their own version of a site to display to you, adding in their own messages.

Anyone using public Wi-Fi is especially vulnerable to a MITM attack. Because the information transmitted is generally unencrypted, it’s not just the hotspot that’s public — it’s your data too. You might as well shout out your details. A compromised router can vacuum up a lot of personal material relatively simply: just getting into your emails, for instance, gives hackers access to your usernames, passwords, and private messages, and plenty more besides!

The most worrying thing is if you use online banking or exchange payment details over emails or instant messaging.

What can you do? Don’t input any data if you see a notification that a site might not be genuine. Even if you’re desperate. A website’s credentials are checked using SSL/TLS certificates, so take warning messages about authenticity seriously.

Public Wi-Fi might not be encrypted, but e-commerce companies like PayPal, eBay, and Amazon employ their own encryption techniques. (In fact, most major sites that request a password use encryption.) You can check for this by looking at the URL. If it’s an HTTPS address — that additional “S” meaning “Secure” — there’s some level of encryption. A plugin like HTTPS Everywhere will force your browser into defaulting to encrypted transmissions where available.

2. Fake Wi-Fi Connections

This variation of an MITM attack is also known as the “Evil Twin”. The technique intercepts your data in transit, but bypasses any security systems a public Wi-Fi hotspot might have.

A few years ago, Doctor Who showed the perils of technology, in particular the trouble caused by connecting to a malicious router. In that case, users were integrated into an alien intelligence — admittedly unlikely. But in reality, victims could be handing over all their private information, merely because they were tricked into joining the wrong network.

It’s fairly easy to set up a fake access point (AP), and is well worth the effort for cybercriminals. They can use any device with internet capabilities, including a smartphone, to set up an AP with the same name as a genuine hotspot. Any transmitted data sent after joining a fake network goes via a hacker.

What can you do? There are some tips to keep in mind on how to spot “Evil Twin” public Wi-Fi. Be suspicious if you see two similarly-named network connections. If they’re to an associated shop or eatery, talk to the staff there. Similarly, alert management if you’re at work and spot a fake AP.
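The "two similarly-named networks" check above can be automated over a list of visible networks. This is an added example, not part of the original article; the scan entries and the field names (ssid, bssid, security) are constructed for illustration, and a hit is a prompt to ask staff, not proof of a fake AP.

```python
import re
from collections import defaultdict


def normalize(ssid):
    """Collapse case, spacing and punctuation so look-alike names compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def suspicious_networks(scan):
    """Group visible networks by normalized name and flag inconsistent groups."""
    groups = defaultdict(list)
    for ap in scan:
        key = normalize(ap["ssid"])
        if key:  # skip hidden or symbol-only names, they would all collide
            groups[key].append(ap)
    findings = []
    for aps in groups.values():
        names = sorted({ap["ssid"] for ap in aps})
        security = sorted({ap["security"] for ap in aps})
        reasons = []
        if len(names) > 1:
            reasons.append("look-alike names")
        if len(security) > 1:
            reasons.append("same name, different security")
        if reasons:
            findings.append({"names": names, "security": security, "reasons": reasons})
    return findings


# Constructed sample scan. "Library" has two radios with identical settings,
# which is normal for a venue with several access points and is not flagged.
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop_WiFi", "bssid": "02:00:00:00:00:01", "security": "WPA2"},
    {"ssid": "CoffeeShop WiFi", "bssid": "02:00:00:00:00:99", "security": "open"},
    {"ssid": "Library", "bssid": "02:00:00:00:01:01", "security": "WPA2"},
    {"ssid": "Library", "bssid": "02:00:00:00:01:02", "security": "WPA2"},
    {"ssid": "Airport Free", "bssid": "02:00:00:00:02:01", "security": "open"},
]

if __name__ == "__main__":
    for finding in suspicious_networks(SAMPLE_SCAN):
        print(finding["names"], finding["security"], finding["reasons"])
```

An access point that copies both the name and the security setting of the real hotspot will not be caught by this comparison, which is why the advice to use a VPN still applies.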

We always recommend using a virtual private network (VPN). This establishes a level of encryption between the end-user and a website, so potential intercepted data is unreadable by a hacker without the correct decryption key. You’ve plenty of reasons to use a VPN, and one definitely is to combat MITM attacks in their myriad forms.

3. Packet Sniffing

It’s an amusing name, but the actual practice of “packet sniffing” is far from a laughing matter. This method enables a hacker to acquire airborne information then analyze it at their own speed.

This is relatively simple, and not even illegal in some cases. Seriously. David Maimon, Assistant Professor at the University of Maryland, investigated the dangers of using public Wi-Fi and said:

When we started we had to get approval and the legal team in Maryland checked whether it’s okay to sniff and couldn’t find any law preventing you from sniffing. Banners before you log in to public WiFi, where you agree terms of use, sometimes specifically mention you’re not allowed to sniff and that makes it illegal, but if there’s no banner then it’s not illegal at all.

A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. That’s right: it’s free. Look online and you’ll even see “how to” guides, teaching you how to use Wireshark. Why? Because it’s a handy tool for analyzing web traffic, including, ironically enough, finding cybercriminals and vulnerabilities that need patching.

Wireshark in Use Example
Image Credit: Wireshark Team via Wikimedia Commons

Nonetheless, hackers can obtain an abundance of data then scan through it at their leisure for important information like passwords.

What can you do? Again, you need to rely on strong encryption, so we recommend a VPN. If you’re not sure about that, make sure sites requiring private information use SSL/TLS certificates (so look for HTTPS).

4. Sidejacking (Session Hijacking)

Sidejacking relies on obtaining information via packet sniffing. Instead of using that data retroactively, however, a hacker uses it on-location. Even worse, it bypasses some degrees of encryption!

Log-in details are typically sent through an encrypted network (hopefully) and verified using the account information held by the website. This then responds using cookies sent to your device. But the latter isn’t always encrypted — a hacker can hijack your session and can gain access to any private accounts you’re logged into.

While cybercriminals can’t read your password through sidejacking, they could download malware that would obtain such data, even including Skype. Furthermore, they can get plenty of information to steal your identity. A wealth of data can be inferred from your Facebook presence alone!

Public hotspots are especially appealing for this hack because there’s typically a high percentage of users with open sessions. The Firefox extension Firesheep demonstrated how easily sidejacking can be accomplished, forcing Facebook and Twitter to require HTTPS when signing in.

What can you do? Again, HTTPS offers a good level of encryption, so if you really must go on sites requiring personal information, do it through this secure connection. Similarly, a VPN should combat sidejacking.

As an added security measure, make sure you always log out when you’re leaving a hotspot, or risk letting a hacker continue to use your session. With Facebook, you can at least check the locations where you’re logged in and sign out remotely.
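From the site operator's side, the unencrypted-cookie problem described in this section shows up in the Set-Cookie response headers: a session cookie without the Secure attribute is also sent over plain HTTP, where a sniffer on the hotspot can read it. The following audit is an added example, not part of the original article, and the header values are constructed sample data.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so compare in lower case.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [problems]} for cookies exposed to sidejacking."""
    findings = {}
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure flag: also sent over unencrypted HTTP")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable by scripts in the page")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: headers a login response might return.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", "; ".join(problems))
```

Here `sessionid` is the cookie a sniffer could replay: the login itself may have been encrypted, but the cookie would still accompany any later plain-HTTP request to the same site.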

5. Shoulder-Surfing

This might seem obvious, but we often forget these sorts of simple security measures.

Man Using an ATM
Image Credit: Richard via Flickr

Whenever using an ATM, you should check those around you, making sure no one’s peeking as you enter your PIN.

It’s also a danger when it comes to public Wi-Fi. If one or more individuals are hovering around when you’re visiting private sites, stay suspicious. Don’t submit anything personal like a password. It’s a very basic scam, but one that certainly still works for hustlers and hackers.

A “shoulder surfer” might not even need to be behind you: just watching what you type can give criminals something to work with.

What can you do? Be vigilant. Know who’s around you. Sometimes, a little bit of paranoia can help. If you’re not sure of those around you, don’t go on anything private.

Don’t underestimate the importance of what you’re filling out or reading either: medical information can be useful to identity thieves, for example. If it’s a document or webpage you wouldn’t want anybody else seeing, take precautions to stop that very thing from happening.

Another option is to purchase a privacy screen — which limits the number of people who can see what’s on your screen — or indeed make one yourself!

Tell Me More About VPNs!

The core concern with public Wi-Fi is the lack of encryption. The aforementioned VPNs scramble your personal information so without the correct decryption key, it can’t be read (in most cases, anyway). If you regularly use hotspots, using a VPN is essential.

Fortunately, you’ll find quite a few completely free VPNs, both for laptops and devices like smartphones. Opera has extended its VPN service from Windows and Mac to Android phones, for instance, or you could use plug-ins on Chrome. If you do most of your private business on a smartphone, there are also VPN apps for Android and VPN services for your iPhone or iPad.

Opera VPN Promo
Image Credit: Iphonedigital via Flickr

The vast majority of us use public Wi-Fi, but we need to be more careful about it, and VPNs are central to the arsenal of the security-conscious. It’s also a good idea to prevent your devices from auto-connecting to open Wi-Fi networks.


  1. Gavin
    October 5, 2016 at 10:51 am

    Nice work, Philip. The only time I make extended use of my VPN is when public WiFi is the only option.

    • Philip Bates
      October 31, 2016 at 8:21 pm

      Thanks Gavin - appreciate your words. I very rarely use Public Wi-Fi; I know that's bad for my mobile data but I simply don't trust it. And I definitely don't use it when personal information is required!