Earlier this year, a big media panic blew up over the so-called Evil Twin attack, in which a hacker can set up a plausible access point in a public space, pose as a commercial hotspot, and harvest credit card details.
The panic was not entirely unfounded. Measures to avoid Evil Twin attacks are easy, but often overlooked.
How the attack works
Let's say that I'm a hacker. I set up my laptop to act as an access point. I give it a legitimate-sounding name, like T-Mobile Hotspot, to fool unsuspecting surfers. I put my laptop in a backpack and read a newspaper while sipping some java at the local coffee shop. All I have to do is wait for you to connect.
If I'm looking to steal from you, I'll require you to enter a credit card number to get access, just like T-Mobile does - then I'll have your credit card information. While you surf the Web, my computer redirects you to Web pages I have created that happen to look like the ones you visit on a daily basis.
In fact, the only difference between the Citibank page you visit every day and the one I have made is that my page is unencrypted. I can log all of the information you put into various Web forms, and when you check your e-mail, I can read it along with you.
How do you discriminate?
"The only way to tell the difference between legitimate and non-legitimate is intent," says Jeffrey Schiller, network manager and security architect at the Massachusetts Institute of Technology. "The fundamental problem is when you are in a public place there is no way to discriminate."
Schiller offers an example of how easy it could be to fall victim to an evil twin attack. While at the airport during a recent trip to New York, he says, he turned his laptop into an access point. His intention was to get access to the Internet, but as soon as he created the hotspot, Schiller noticed that three people had connected via his computer.
"I probably could have seen their e-mail" and been able to track their movements on the Web, he says.
Watch out for the flaws in security measures
According to Schiller, there are several measures already in place by most Web browsers to warn about unencrypted Web pages. However, he says, each of them has various security flaws.
- Pop-up warnings: Web browsers often use a pop-up dialog box to indicate that information being sent is not encrypted. The problem with this, Schiller says, is that these boxes offer the option to "never show this again." If you have clicked this box just once, you will no longer be warned if you are sending information through unencrypted channels.
- The lock icon: Most Web browsers display a small lock icon to indicate an officially regulated, encrypted Web page. The problem with these, Schiller says, is that you must be diligent about looking for them every time you log on to a new page. Additionally, if a hacker changes even one letter in the domain name you are familiar with (an example Schiller offers is replacing the lowercase L in lehman.com with a one, 1ehman.com), they can then register that domain name. When you are redirected to that page it will display the lock icon, and you may never notice the changed domain name. Why would an illegitimate site be able to display this lock icon? Because, Schiller says, the public certifying authority that gives out digital signatures to legitimate sites can be fooled into giving digital signatures to illegitimate sites.
- HTTPs and unfamiliar links: According to Schiller, most banks advertise the unencrypted version of their Web pages (https indicates a secure version; http, however, is easier to remember). When you log on to that page and click to enter the encrypted version, you can be redirected to a page with a domain name that is unrelated to the bank's home page. If you do not recognise the name, it is difficult to know if you have been redirected to a page operated by the bank or by a hacker. Which, Schiller says, makes users "sitting ducks."
How to protect yourself
Those who perpetrate evil twin attacks are benefiting from the distractions of public places. According to Schiller, "they're depending on you not (paying) attention."
If you are diligent, these tips will make you less likely to fall victim to an attack.
- Check your Wi-Fi settings: Many laptops are set to constantly search and log on to the nearest hotspot. While this option might seem convenient, it does not allow you to monitor which hotspots you are logging on to and determine if they are legitimate. Turning off this option will prevent your computer from logging on to a hotspot without your knowledge.
- Pay attention to dialog boxes: Pop-up warnings are there for a reason - to protect you. If you are lucky enough to have not clicked the "never show this again" option, make sure you read these warnings carefully before agreeing to send information.
- Use one of your credit cards only on the Web: Open a credit card account that is used solely for the purposes of shopping on the Web. Ideally, you should be able to access account records online so you don't have to wait for monthly statements to monitor any activity. "Be prepared to close that account on short notice if it's been compromised," says Schiller.
- Conduct private business in private: "Maybe you don't need to move money around or check your bank statements when you are connected to a public hotspot that you're not really familiar with," says Schiller. If you restrict your public surfing to Web pages you don't mind a stranger reading along with you, there is little an evil twin attacker can do to harm you.
Legal help in the US - the Spy Act
In the US there is a proposed "Securely Protect Yourself Against Spyware Act", or Spy Act. The House of Representatives has put language in this to prosecute those caught wirelessly stealing your information.
The Spy Act was recently moved through the House Committee on Energy and Commerce, and would require companies that produce spyware to notify users and receive their consent before software is installed. Additionally, companies would be required to provide users with easy uninstall options.
Now that the bill is fully written and out of committee, it is only a matter of time before it comes to the House floor for a vote. If passed by the House, the bill would need to be introduced and passed by the Senate before becoming law.
But while the Spy Act now makes it possible to punish those who conduct evil twin attacks, the very nature of the problem may make it difficult to identify the culprits. Victims may never realise that the hotspot they used to surf the Web was illegitimate, and once that hotspot has been shut down, it can be impossible to find the perpetrator.
The best advice is to stay vigilant and protect yourself.
Erin Biba writes for the Medill News Service.