PC Today Article - Does Your Hotspot Have An Evil Twin?

Subscribe Today

Contact Us

Register Now

Home | Tech Support | Article Search | Subscribe & Shop

Does Your Hotspot Have An Evil Twin?

Email This

Print This
View My Personal Library

Unwired June 2007 • Vol.5 Issue 6 Page(s) 16-17 in print issue	Add To My Personal Library
Does Your Hotspot Have An Evil Twin? Awareness Is Key To Preventing Online Attacks

While waiting at Hartsfield-Jackson Atlanta International Airport for a connecting flight to San Francisco, Joseph Angelo thought he’d catch up on his email and do a little Web shopping at a Wi-Fi hotspot near the departure gate. After firing up his notebook and going through the regular logon screens, everything looked as it should with the online store’s slick graphics, professional-looking design, and even its annoying animated ads.

Despite all outward appearances, Angelo had stumbled into the twilight zone of wireless Internet access, where a bogus hotspot intercepted his online connection in order to steal his personal information. A month later, after several odd charges showed up on his credit card bill, he realized that he’d been duped and his online identity was now in jeopardy.

The story has a happy ending, though. Angelo immediately alerted his credit card company, which issued him a new card and reimbursed him for the fraudulent charges. He didn’t lose a penny.

“In a real sense, he was lucky,” explains Richard Rushing, chief security officer at AirDefense, “some people lose big from schemes like this.” AirDefense specializes in securing and boosting the performance of wireless networks.

“The sad part of the story is that this type of attack is becoming more and more common as people demand to be connected all the time and use hotspots without thinking,” adds Rushing.

Separated At Birth

Angelo’s Web journey was sky-jacked by a bogus hotspot masquerading as the real thing. Called an evil twin in the parlance of hackers and security experts, a criminal intent on gathering credit card numbers or other personal data, such as email addresses and corporate login information, sets up a Wi-Fi access point near an established commercial hotspot. Either the sham setup has the same network name or has an enticing come-on such as “Free Access,” “Club Wi-Fi,” or “Special Offer.” As is so often the case on the Web, if the offer sounds too good to be true, it probably is.

This is the wireless world’s equivalent of the bait and switch rip-off because the only thing the people behind the evil twin are really after is your online identity. Although new variations appear all the time, the attack works something like this: After connecting to the phony hotspot, unsuspecting surfers are either asked to verify their billing information by typing in a credit card number or are sent to what seems exactly like a popular Web site (such as Amazon.com, eBay, or Borders), in the hope they will divulge their credit card number there. Others just use keystroke logging software hoping that the victim will give up this and other info while online.

To all outward appearances, the evil twin looks and acts like the real thing, but it is really a façade with little more than the ability to connect and grab your information. “Some evil twins can even knock you off of a legitimate hotspot,” adds Rushing, “and reconnect you with a bogus connection in order to get your information.”

Fool The Pros

There are few statistics available on evil twins, but the consensus is that along with the 100,000 legitimate commercial hotspots in operation today, there are thousands of shams. The problem is that this activity is hit and run, with bogus hotspots popping up and disappearing all the time. “We’ve seen evil twins at Dulles, LAX, and LaGuardia,” says Christian Gunning, director of marketing communications at Boingo Wireless. “It’s next to impossible to track them down due to the mobile nature of wireless data.” Boingo provides wireless Internet access to customers at more than 60,000 wired locations worldwide, including 600 airports and thousands of hotels.

Using any of the AirDefense programs, you can keep your wireless network secure while boosting its performance.

Responsible for millions of dollars in fraud and computer damage every year, evil twins can even fool the pros, as happened two years ago at the Interop networking show in Las Vegas. Even though the aisles of the show were filled with security experts who should have known better, hundreds were enticed to log on to the “free_extreme” access point hidden somewhere on the show floor. They were given a virus in return. “It shows that even the experts can be tricked,” adds Rushing. “Nobody that uses a hotspot today is immune.”

The reason for the popularity of this type of attack is that setting up a hotspot—real or fake—is easier than you might think. All it takes is a few hundred dollars of equipment. Unlike the real thing, a counterfeit hotspot doesn’t need a live Internet connection because it can have duplicates of the Web’s most popular sites saved on its hard drive. An evil twin could be stashed in a closet near the legitimate hotspot, on the dashboard of a parked car, or in the backpack of the person sitting next to you at an Internet café.

You can stop evil twins, but as is the case in cheesy horror movies, it’s not easy. (Refer to the “Better Safe Than Sorry” sidebar.) The key is to use the 802.11x mutual authentication scheme when logging on to a hotspot. Although finding this level of security at a hotspot is hit or miss, Boingo’s client software includes behind-the-scenes authentication at both ends. By swapping digital certificates, you make sure you are who you say you are and the hotspot is what it says it is. “All Boingo hotspots throughout the world have mutual authentication,” explains Gunning. “It’s all encrypted so it’s secure.”

For many people, using the authentication scheme seems too time-consuming. “It’s not perfect, but mutual authentication is a big help,” adds Rushing, “but lots of people don’t think they have the time. Those in a hurry don’t want to wait for the authentication to go through.” Still, it’s worth the wait if it keeps your credit card numbers in your pocket and your identity from falling into the wrong hands.

by Brian Nadel

Better Safe Than Sorry

It’s a wild world out there. The best advice from security pros is to watch your online back. As a first level of protection against evil twins and other dangers lurking in cyberspace, Richard Rushing, chief security officer at AirDefense, recommends downloading and installing the free version of his company’s Wireless Protection Anywhere program (www.airdefense.net/products/adpersonal). The program not only notifies you of risky online behavior (such as leaving a Bluetooth radio turned on), but it also displays warnings when Web attacks seem likely. Having the latest antivirus software couldn’t hurt, either.

Regardless of where you are, it’s a good idea to be careful about wireless connections. In addition to the basics, such as always using mutual authentication and demanding an encrypted connection, try to restrict your online activities to secure sites; they’re the ones designated HTTPS instead of HTTP. The pros warn to never set your notebook’s wireless radio to search and automatically connect to the hotspot with the strongest signal. To lessen the potential damage if you encounter an evil twin, use one credit card to make all your online purchases. That way you can easily identify an oddball purchase and quickly cancel it in the event of an identity breach. Better yet, use a debit card that has a fairly low amount of cash.

In other words, the best defense against being a cyberspace victim is a good offense.

Home Copyright & Legal Notice Privacy Policy Site Map Contact Us