Let's take for the example the situation with hotel wireless, here's a very common scenario for any of us who spend time away from home on business. You check into a hotel, you've got a report due and need to check your email to see if there's any changes to tomorrow's agenda.
You check the hotel leaflets and fire up your laptop and access the hotels Wifi page, you see that you can get 7 days Wifi access for $60, or 24 hours for $25 - you think that's an extortionate amount just to read an email even if you can claim the money back.
So let's stop here at this point - the numbers may be different, the justification not quite the same. But needless to say you've been in a similar situation, you want to check your email but you feel you're being ripped off.
So you have a little look at other available Wireless networks, Hmm you see one called Lowcost Wifi and try and attach to it. Success and you reach a little access page fairly similar to the hotel page - you get a little warning about a problem with the security certificate but that's always happening so you click passed the warning.
"Low cost Wifi - 3 hours access for just $1.99
Simple, Quick and effective Internet Access for the Business Professional"
Little padlock in the bottom corner - says you are using a secure site and it all looks legitimate and a much better price that the hotel Wifi. Besides you only just want to check your email - $1.99 is much fairer price for a few minutes Wifi Access.
So you happily pop in your credit card details and a few seconds later you're surfing the internet and download your emails.
Public Wifi Security - Be Afraid
What has actually happened is that you have been subject to what is called a man in the middle attack. Someone in or nearby the hotel has very simply produced a simple logon page and is impersonating a Wifi access point. All they need is a little technical skill, a wifi enabled laptop and a criminal intent. The Access page is on their laptop and so now is a text file with all your Credit Card details.
After stealing your card details you are redirected to the Hotel Internet connection and can browse normally whilst the attacker alllows it. He normally will as there is usually more fun to be had if you are checking your email, logging on to online banking, using paypal etc.
All of this will be logged and recorded ready to empty your accounts and stealing your identity. Prepare for endless hours of phone calls, arguments and credit repair tasks ahead.
Ouch So Hotel Wireless isn't so Secure
Well unfortunately it varies, in this situation the attacker was taking advantage of a rip off access point. The payoff is worth it - sitting outside a big hotel like this will always pay off - one score can be worth thousands all it needs is patience.
What were the mistakes? Well obviously sticking to using the Hotel Wifi service would have been wiser, always make sure you use the advertised service if you need to use hotel wifi, but remember this too can be impersonated. The one point in this story where you can see the scam is the warning about the invalid security certificate - I'll put a post up about this soon - it's one warning you should take seriously.
Using Identity Cloaker or another secure browsing application would have helped here although not completely protected you. The attacker would not have been able to log all your connection details, emails and other passwords but it wouldn't have helped save your credit card details as they were inputted directly onto the attackers computer.
I hope this helps people stay secure, seriously these attacks are happening all the time, it's big money to these criminal gangs. Be careful when you use any sort of public access Wifi. Read my post here for more information on Anonymous Internet Surfing.