Published July 12, 2009
The newest trend in Internet fraud is "vacation hacking," a sinister sort of tourist trap.
Cybercriminals are targeting travelers by creating phony Wi-Fi hot spots in airports, in hotels, and even aboard airliners.
Vacationers on their way to fun in the sun, or already there, think they're using designated Wi-Fi access points. But instead, they're signing on to fraudulent networks and hand-delivering everything on their laptops to the crooks.
"More and more people are traveling with Wi-Fi devices like smartphones and laptops," says Marian Merritt, Internet safety advocate at the computer-security giant Symantec. "Airports and airlines and hotels are responding. They're setting up free Wi-Fi networks to lure in customers. Now they're luring in hackers as well."
In 2008, Silicon Valley-based AirTight Networks, a wireless security company, sent a team of "white-hat" hackers — good guys who try to thwart "black hat" hackers — around the world on an international airport study.
They checked the Wi-Fi networks at 27 airports — 20 in the U.S., five in Asia and two in Europe — and the results were not good.
At John F. Kennedy International Airport in New York, the baggage-handling system was being run on an insecure network. At other airports, ticketing systems were similarly exposed.
And everywhere they looked, they found fake Wi-Fi hot spots set up by hackers phishing for suckers — and there were plenty of suckers to be had.
"We found a lot of people using insecure Wi-Fi," says AirTight investigator Rick Farina, "and people engaged in all sort of dangerous activity — checking their e-mail, doing their banking, buying stock. These are not the kinds of thing you want to be doing on public Wi-Fi."
A lot of the problem may be that people let their guard down when they're on vacation.
"Much of the time, people just log in to the first robust network they see," says AirTight spokeswoman Della Lowe. "When we did our airport study, we found only 3 percent of the people were using secure networks."
And according to their study, even the "secure" networks weren't all too safe.
Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001.
Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer.
In response to the rise in vacation hacking, some companies are beginning to tighten up security.
When AirTight's Farina alerted American Airlines to vulnerabilities in its system earlier this year, the airline took action.
"I can't tell you what they did," says Farina, "but their Wi-Fi is safer."
JetBlue also says it has taken appropriate steps.
"Phishing is a risk that exists anywhere there are wireless services available, which is pretty much everywhere these days," says JetBlue spokesman Bryan Baldwin.
"At our Terminal 5 at JFK, where we offer free Wi-Fi, we have measures in place to minimize risks for our customers," he said. "We'd prefer not to go into detail about the specifics of those measures, because the details could be used by clever hackers against the defenses."
A spokesman for the Marriott hotel chain would give only a terse statement:
"When it comes to online security, Marriott has worked diligently to protect our guests."
One thing all security experts agree on: When it comes to hackers, the best defense is a good offense.
To this end, the folks at Symantec have created a list of five simple tips for thwarting most attacks.
— Pay attention to your surroundings. Just because you're on vacation doesn't mean you're not in public. Don't look at important documents when sitting in a waiting area for a plane or a train — wait until you're alone and in private for that.
— Beware of "Evil Twins." Some Wi-Fi networks look legitimate but are actually dummy networks created by criminals. Even if they contain the name of your airport, airline or hotel, they will directly link your computer to the hacker's. If you always use the official access keys provided by the establishment, then you should be safe.
— Always assume Wi-Fi connections are being eavesdropped on. Never enter sensitive data — Social Security numbers, bank account information, etc. — when browsing the Web via a Wi-Fi network.
— Set all Bluetooth devices to "hidden," not to "discoverable." Better yet, if you don't use Bluetooth, just shut off the function altogether.
— Keep your security software current and active. Mobile PCs are just as vulnerable to viruses, worms and Trojan horses as are desktops, so make sure you have the latest protection installed.
"In short," says Merritt, "if you don't feel confident in the system security, then just don't use it."