Is public wifi as dangerous as it is made out to be?

On a couple of occasions when I needed to access a website using public WIFI, I copied my password that was imbedded in a previously set up long string of random characters, and pasted it in the website. Does this avoid hackers since I didn't type the password? Also, if I access sites from my phone's hot spot, is this safe?
 
Interesting thread, I'm still hoping someone can answer ALL the questions in the OP.

I don't use public wifi for this reason, if I want to use my laptop I tether to my cell phone.
BUT, never say never, I have used public wifi in hotels etc...
SO would be great to see if someone knows all the answers to the OP

Such as, would using a VPN make a difference???
I suspect that would solve any security issues. Please let's not get into the VPN debate, it's just a simple question, would a true, good, secure VPN make a connection secure when using public wifi??
I have a lifetime subscription to a well respected one but rarely use it.
Yes VPN, then "HTTPS Everywhere" and then a software firewall which blocks all programs from launching. You can then authorize the VPN software to connect through the firewall.

The issue with laptops for example is that some information can be visible prior to the VPN making the connection so it's best to prevent the associated software (ex Email) from trying to connect.

For browsing a VPN alone should be adequate.

OR you can use TAILS OS (i.e. TOR Browser) but a lot of sites won't accept an IP from the Tor Network and it's slow.
 
Yes VPN, then "HTTPS Everywhere" and then a software firewall which blocks all programs from launching. You can then authorize the VPN software to connect through the firewall.

The issue with laptops for example is that some information can be visible prior to the VPN making the connection so it's best to prevent the associated software (ex Email) from trying to connect.

For browsing a VPN alone should be adequate.

OR you can use TAILS OS (i.e. TOR Browser) but a lot of sites won't accept an IP from the Tor Network and it's slow.
In Windows 10 you can configure a VPN to launch at boot, and it will not connect to the Internet without doing this first.
 
What are the chances a thief will even notice you entering your credit card info among the thousands of others using that wifi channel? How often do you even need to give out that info when you're not shopping at your home computer?
 
I am a full-stack web developer; responsible for everything from the server administration to a site's front-end interface. Here are some observations after reading through this thread:

1) HTTPS is becoming more and more ubiquitous daily. Traffic between server and client is encrypted and secure by any reasonable standard.
2) Not all sites providing the "S" in HTTPS are good actors; but if they're bad actors it doesn't really matter if you're at home or Starbucks.
3) A malicious WiFi network (or a bad actor who's compromised an otherwise honest WiFi network) can spoof DNS queries, sending you to fraudulent locations instead of the one you intended. This, not HTTPS, is what I worry about.
4) Using a VPN while in public (which will encrypt all traffic, even DNS queries); or at the very least using a DNS server of your choosing (i.e. Cloudflare's 1.1.1.1, bypassing the public DNS server, whatever that may be) is probably a smart, just-do-it-and-don't-overthink-it thing to do. I use ProtonVPN (free) for the scant amount of time I need to do something on my phone in public. If my public WiFi use was anything more than scant I'd pay one of the handful of really reputable services a few bucks a month.

If you're pathologically paranoid, more interested in security than you need to be, and enjoy becoming red-faced with rage when trying to get anything purposeful done, someone earlier mentioned TAILS and Tor. Have at 'er.
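
The check behind points 3 and 4 of the post above, as an added example that is not part of the original thread: compare what the hotspot's resolver returned for a hostname with what a resolver you chose (or a lookup made over the VPN) returned. The function names, the `.example` hostnames and the sample answers are constructed for illustration.

```python
import ipaddress

def classify_dns_answers(local_answers, trusted_answers):
    """Compare the hotspot resolver's answers for one hostname with answers
    fetched over a trusted path. Returns (verdict, reasons)."""
    local = {ipaddress.ip_address(a) for a in local_answers}
    trusted = {ipaddress.ip_address(a) for a in trusted_answers}
    if not local:
        return "unknown", ["local resolver returned no addresses"]
    # A public site answered with a private, loopback or link-local address
    # was rewritten on the local network (captive portal or rogue resolver).
    internal = sorted(str(a) for a in local
                      if a.is_private or a.is_loopback or a.is_link_local)
    if internal:
        return "suspicious", ["non-public address returned: " + ", ".join(internal)]
    if local & trusted:
        return "consistent", []
    # CDNs hand out different addresses per resolver, so disjoint sets alone
    # prove nothing; the TLS certificate check is what settles it.
    return "review", ["no overlap with trusted answers; do not click through "
                      "any certificate warning for this site"]

# Constructed observations (hostname -> local answers, trusted answers).
# bank.example and cdn.example are placeholders; the public addresses are
# well-known resolver addresses used only as stand-ins for "some global IP".
SAMPLES = {
    "one.one.one.one": (["1.0.0.1"], ["1.1.1.1", "1.0.0.1"]),
    "bank.example": (["192.168.1.1"], ["1.1.1.1"]),
    "cdn.example": (["8.8.8.8"], ["1.1.1.1"]),
}

def audit(samples):
    """Return {hostname: verdict} for every observed hostname."""
    return {name: classify_dns_answers(loc, tru)[0]
            for name, (loc, tru) in samples.items()}

if __name__ == "__main__":
    for name, (loc, tru) in SAMPLES.items():
        verdict, reasons = classify_dns_answers(loc, tru)
        print(f"{name}: {verdict} {'; '.join(reasons)}")
```

A "review" verdict is common with large sites and is not proof of tampering; it only marks the hostnames where a browser certificate error should be treated as a stop sign.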
 
What's the connection? Are you suggesting the servers at the airport went berserk and somehow charged your credit card?
Someone probably made a fake Wi-Fi hotspot that looked like AA's. Your traffic is saved, decrypted and if vulnerabilities are found you're in trouble. There are black market tools that make these tasks easier:

On a couple of occasions when I needed to access a website using public WIFI, I copied my password that was imbedded in a previously set up long string of random characters, and pasted it in the website. Does this avoid hackers since I didn't type the password? Also, if I access sites from my phone's hot spot, is this safe?
It doesn't matter how you enter the data, it's the fact the data can be intercepted in transmission. Unless you have a keylogger in your system that transmits everything you type and cut & paste. Accessing from your phone's hotspot is much safer than public Wi-Fi, just make sure you have a good password because there are Wi-Fi cracking tools there.

Ultimately, if there is a will there is a way. Could be a new zero-day exploit or some piece of soft/firmware that was not updated on your rig that is now vulnerable. I prefer not to use computers at the hotel or the airport at all unless there is an integrated modem or it's tethered by cable. There are people in public places that are specifically sniffing out systems to rob you digitally. IIRC Barcelona airport and tourist hotspots is the capital of Wi-Fi hacking. Be very cautious if you have to log in to any app or enter credit card info.
 
Wouldn't it be pretty hard to conceal that pineapple thing at the airport? Maybe if you're sitting on the toilet for hours. And how do you sift through hours of data from thousands of users to score a few credit card numbers among the thousands of ordinary webchats or messages?
 
A trusted VPN isn't a bad idea. But I'm not going to pay money to have my traffic run over someone else's network; I don't trust any of these VPN companies to not sniff my data more than the people on the open wifi.

I can VPN directly to home if needed. But pretty much everything is already using some sort of encryption so you don't have to worry.
 
Wouldn't it be pretty hard to conceal that pineapple thing at the airport? Maybe if you're sitting on the toilet for hours. And how do you sift through hours of data from thousands of users to score a few credit card numbers among the thousands of ordinary webchats or messages?

It's far easier to install a skimmer in a gas pump if what you're after is credit card numbers...
 
What are the chances a thief will even notice you entering your credit card info among the thousands of others using that wifi channel? How often do you even need to give out that info when you're not shopping at your home computer?
Oh, last thing I care about is credit card information. Not even a concern, in some years I have had some big fraud on some. No big deal and people should care less about credit card fraud. You're not responsible even though the media doesn't tell you that past the sensational headlines.
Fraud on your card, tell the credit card company, actually if you access your account online, you just click on the charge, say it's not yours and you're done. Charge removed.

It's why in the forum many times I tell people don't use debit cards and use credit cards. Debit cards are linked to your personal bank accounts, credit cards are not. Depending on your bank you MAY have to prove a debit purchase is not yours, with a credit card they would have to prove the charge IS yours. Big difference.

With that said, no one wants a hacker to be combing your laptop computer for personal information, banking, work place and investing information. Credit card information that a hacker might get is irrelevant to me and chances are that information was stolen from an employee at a restaurant you were eating dinner at, not your computer.
 
Oh, last thing I care about is credit card information. Not even a concern, in some years I have had some big fraud on some. No big deal and people should care less about credit card fraud. You're not responsible even though the media doesn't tell you that past the sensational headlines.
You sir are full of crap. Don't treat fraud like the big boys do. Somebody pays if thief gets goods. It's NOT the cc company, or the bank.

Item ships, small seller loses. Every time.

Buyers pay increased prices eventually.

Generally your posts are factual and true. This is not one of them.
 
Never been compromised until I was at an out-of-state hospital, used their wifi. My email was compromised within minutes and had to go through all of that rigmarole to get up and running again during a medical crisis. No fun, no fun at all.
 
I am a full-stack web developer; responsible for everything from the server administration to a site's front-end interface. Here are some observations after reading through this thread:

1) HTTPS is becoming more and more ubiquitous daily. Traffic between server and client is encrypted and secure by any reasonable standard.
2) Not all sites providing the "S" in HTTPS are good actors; but if they're bad actors it doesn't really matter if you're at home or Starbucks.
3) A malicious WiFi network (or a bad actor who's compromised an otherwise honest WiFi network) can spoof DNS queries, sending you to fraudulent locations instead of the one you intended. This, not HTTPS, is what I worry about.
4) Using a VPN while in public (which will encrypt all traffic, even DNS queries); or at the very least using a DNS server of your choosing (i.e. Cloudflare's 1.1.1.1, bypassing the public DNS server, whatever that may be) is probably a smart, just-do-it-and-don't-overthink-it thing to do. I use ProtonVPN (free) for the scant amount of time I need to do something on my phone in public. If my public WiFi use was anything more than scant I'd pay one of the handful of really reputable services a few bucks a month.

If you're pathologically paranoid, more interested in security than you need to be, and enjoy becoming red-faced with rage when trying to get anything purposeful done, someone earlier mentioned TAILS and Tor. Have at 'er.
Excellent post.

Years ago when SSL/TLS wasn't as prevalent and client isolation wasn't being implemented on public equipment (there are still examples where that isn't the case, but they are getting fewer) sniffing traffic for potentially valuable information was quite easy. With POP/IMAP mail, that was another source of an "in", as a lot of providers were sending L&P in plain text.

As @brianl703 noted, probably the most prevalent source for CC info getting skimmed is gas stations, and this is far easier and far more effective than trying to sniff traffic.

An interesting example that I have personal knowledge of (a friend of mine was impacted by it) was the public WiFi at a hospital in Quebec. DNS queries were being redirected (good ol' MITM) and information phished. I wasn't involved in the investigation, so I don't know if it was a spoofed network or if somebody was actually running a rogue DHCP server on the network, but it was extremely frustrating for those involved who had their bank login information phished.

I always just fire up my work VPN (Cisco AnyConnect-based) if I'm in a situation where I'm forced to use public WiFi (can't use my phone's hotspot).
 
An interesting example that I have personal knowledge of (a friend of mine was impacted by it) was the public WiFi at a hospital in Quebec. DNS queries were being redirected (good ol' MITM) and information phished. I wasn't involved in the investigation, so I don't know if it was a spoofed network or if somebody was actually running a rogue DHCP server on the network, but it was extremely frustrating for those involved who had their bank login information phished.

I'd expect the browser would pop up an error like "ERR_CERT_AUTHORITY_INVALID" if they're doing what I think they're doing.
 
All I can tell you is that both Chrome and Firefox complain every time I visit my cablemodem's web page.
Yes, I think this was reasonably sophisticated with the rogue DNS server sending clients to spoofed websites that had valid certificates to phish information.
 
Yes, I think this was reasonably sophisticated with the rogue DNS server sending clients to spoofed websites that had valid certificates to phish information.

Then you have to wonder how they got valid certificates...

I wonder if Google or Chrome would detect that the certificate has changed since the last time you visited the site and warn you.
 