City of San Diego

Preventing Fraud and Identity Theft

Wi-Fi Hacking and Hotspot Dangers

Using Wi-Fi in coffee shops, libraries, airports, hotels, universities, and other public places poses major security risks. While convenient, these hotspots are often not secure. You’re sharing the network with strangers, and some of them may be interested in your personal information. If the hotspot doesn’t require a password, it’s not secure. If it asks for a password through your browser simply to grant access, or it asks for a Wired Equivalent Privacy (WEP) password, it’s best to treat it as unsecured. You can be confident that a hotspot is secure only if it asks for a Wi-Fi Protected Access (WPA or WPA2) password. WPA2 is the most secure.
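The rule above can be applied to a list of nearby networks before connecting. The following is an added example, not part of the original page: it assumes scan output in the terse format of `nmcli -t -f SSID,SECURITY device wifi list`, and the network names in the sample are constructed.

```python
# Constructed sample in the assumed format of
# `nmcli -t -f SSID,SECURITY device wifi list` (colon-separated, "\:" = literal colon).
SAMPLE_SCAN = """\
CoffeeShop-Guest:
Airport Free WiFi:
Hotel\\: Lobby:WEP
Library-Patrons:WPA1
Campus-Secure:WPA1 WPA2
HomeOffice:WPA2
"""

def split_terse(line):
    """Split a terse-mode line on unescaped colons, resolving backslash escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, "\\"))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def classify(security):
    """Apply the page's rule; protocols the page does not name come back 'unknown'."""
    protos = set(security.upper().split()) - {"--"}
    if not protos:
        return "unsecured: no password"  # also covers browser-login (captive portal) hotspots
    if "WPA2" in protos:
        return "secure: WPA2"
    if protos & {"WPA", "WPA1"}:
        return "secure: WPA"
    if "WEP" in protos:
        return "treat as unsecured: WEP"
    return "unknown: " + security

def audit(scan_text):
    """Return (ssid, verdict) for every non-empty line of scan output."""
    results = []
    for line in scan_text.splitlines():
        if line.strip():
            fields = split_terse(line) + [""]  # pad in case SECURITY is missing
            results.append((fields[0] or "<hidden>", classify(fields[1])))
    return results

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN):
        print(f"{ssid:<20} {verdict}")
```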

Also, unsecured laptops and smart phones make it easy for a hacker to intercept information to and from the web, including passwords and credit or debit card numbers. They are also vulnerable to virus and spyware infections, and to having their contents stolen or destroyed. A hacked laptop or smart phone can also create a security risk for the user’s workplace if it contains a password to the corporate network. Wi-Fi users should take the following steps to reduce these risks:

  • Turn off the Wi-Fi on your laptop, PDA, and smart phone when you aren’t using the network. Otherwise your Wi-Fi card will broadcast your Service Set Identifier (SSID) looking for all networks it was previously connected to. This enables hackers to figure out the key that unscrambles the network password.
  • Use a known service instead of Free Public Wi-Fi or similar risky, unknown signals called ad hoc networks.
  • Check the Wi-Fi security policies of your service provider and install the protections they offer to ensure it’s a known network and not an “evil twin” hacker site pretending to be the legitimate one.
  • Pay attention to warnings that a Secure Sockets Layer (SSL) certificate is not valid. Never accept an invalid certificate on a public wireless network. Log off and look for a trustworthy network. Look for the padlock indicating an SSL connection. Keep your firewall on, and keep your operating system updated.
  • Find out if your company offers a Virtual Private Network (VPN) and learn how to use it. Encrypted VPN sessions offer the highest security for public wireless use.
  • Upgrade your Wi-Fi cards. The older WEP security is easily hacked. The new WPA and WPA2 are much more resistant to attack.
  • Learn to connect securely. Even the vulnerable WEP offers more privacy and protection than an unsecured public connection. It’s not something the average hacker can crack.
  • Only log in or send personal information on website pages that are encrypted. They will have https:// or shttp:// in their addresses and a “lock icon” at the top or bottom of your browser window. You can click on this icon to display information about the website and help you verify that it’s not fraudulent.
  • Use a different password for each account.
  • When you’ve finished using an account, log out. Don’t stay signed in.
  • Pay attention to warnings from your browser if you try to visit a fraudulent website or download a malicious program.
  • Remove all passwords and browsing history after using a shared computer.
  • Disable file-sharing on your laptop.
  • Don’t send any sensitive personal or business information while in a hotspot unless you absolutely have to.
  • Put strong passwords on your wireless network. They should be more than eight characters in length, and contain both capital letters and at least one numeric character. Other advice on creating strong passwords can be found at www.microsoft.com/protect/yourself/password/checker.mspx.
  • When shopping, it’s fine to browse websites when you’re out, but wait until you are at home to do any online business.

And corporate Information Technology (IT) managers should do the following to protect corporate data from hotspot dangers:

  • Establish and enforce strong authentication policies for devices trying to access corporate networks.
  • Require employees to use a corporate VPN and encryption when making connections and exchanging data. Better still, set up computers so that devices automatically connect to the VPN and encrypt data after making sure that the computer or device hasn’t been lost or stolen.
  • Make sure all devices and software applications are configured properly and have the latest patches.
  • Ensure that corporate security policies prevent employees from transferring sensitive data to mobile devices or unauthorized computers.
  • Provide employees with broadcast air cards that require a service plan so they don’t have to use public hotspots for wireless connections.