
Fraud Threat to Wireless Hot Spot Users

Watch out for where you go and what you do on the Internet when using a wireless connection at a hot spot. This is London reports on a fraud scheme called "the evil twin" in which a phony base station latches on to your laptop.

In essence, users think they have logged on to a wireless hotspot connection when in fact they've been tricked to connect to the attacker's unauthorised base station. The latter jams the connection to a legitimate base station by sending a stronger signal within close proximity to the wireless client - thereby turning itself into an 'evil twin'.

Cybercriminals don't have to be that clever to carry out such an attack. Because wireless networks are based on radio signals they can be easily detected by unauthorised users tuning into the same frequency.

Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as user names and passwords.
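The pattern described above, a second base station advertising the hotspot's name at a stronger signal, can be checked for from the client side. The following is an added example, not part of the original post or the report it cites: a heuristic run over constructed scan data, where the tuple layout, the baseline of previously seen BSSIDs and the 10 dB margin are all assumptions.

```python
from collections import defaultdict

# Constructed scan results: (ssid, bssid, signal_dbm, encrypted)
SCAN = [
    ("CoffeeShop_WiFi", "00:11:22:33:44:55", -67, True),
    ("CoffeeShop_WiFi", "02:aa:bb:cc:dd:ee", -38, False),  # newcomer, much louder
    ("Library",         "00:11:22:66:77:88", -70, False),
    ("Airport_Free",    "00:11:22:99:aa:bb", -60, False),
    ("Airport_Free",    "00:11:22:99:aa:bc", -64, False),
]

# Assumed baseline: BSSIDs recorded for each SSID on earlier visits
KNOWN = {
    "CoffeeShop_WiFi": {"00:11:22:33:44:55"},
    "Airport_Free": {"00:11:22:99:aa:bb", "00:11:22:99:aa:bc"},
}

def find_evil_twin_suspects(scan, known, margin_db=10):
    """Flag access points that reuse a known SSID from an unknown BSSID."""
    by_ssid = defaultdict(list)
    for ssid, bssid, signal, encrypted in scan:
        by_ssid[ssid].append((bssid.lower(), signal, encrypted))

    findings = []
    for ssid, aps in by_ssid.items():
        baseline = known.get(ssid)
        if not baseline:
            continue  # never seen before: nothing to compare against
        trusted = [ap for ap in aps if ap[0] in baseline]
        for bssid, signal, encrypted in aps:
            if bssid in baseline:
                continue
            reasons = ["unknown BSSID for known SSID"]
            if not trusted:
                reasons.append("known base station not visible")
            else:
                if signal >= max(t[1] for t in trusted) + margin_db:
                    reasons.append("stronger than known base station")
                if any(t[2] for t in trusted) and not encrypted:
                    reasons.append("encryption downgraded")
            findings.append((ssid, bssid, reasons))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twin_suspects(SCAN, KNOWN):
        print(f"{ssid} via {bssid}: " + "; ".join(reasons))
```

A clean result is not proof of safety, since a BSSID can be copied as easily as a network name; the check only catches the careless case.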

    Re: Fraud Threat to Wireless Hot Spot Users (none / 0) (#1)
    by Talkleft Visitor on Thu Jan 20, 2005 at 10:52:58 AM EST
    I would urge anyone using wireless to fully acquaint yourself with the specifics. From my house I can access three of my neighbors' networks. Only one has been secured, whereas the other two are wide open for me to use and poke around their connected computers. Financials, family photos, and who knows what else; it’s all flying around in the air willy nilly, unprotected. Further, they haven’t bothered to change the default IP or admin password enabling me to do whatever I please to their routers. They are fortunate I couldn’t care less; it’s more of a hassle when I’m trying to connect to my network. You learned to drive before you got behind the wheel, same should apply to your computer. Even if you think you are secure, try googling airsnort. It has been claimed to crack 128 bit WAP in less than an hour for poorly chosen keys. My father found a wireless network in his neighborhood that had its SSID changed to ‘you’ve been hacked’. Don’t let this be you, folks.

    Re: Fraud Threat to Wireless Hot Spot Users (none / 0) (#2)
    by pigwiggle on Thu Jan 20, 2005 at 10:53:28 AM EST
    Uh, yah. That was me.

    Re: Fraud Threat to Wireless Hot Spot Users (none / 0) (#3)
    by Ray Radlein on Thu Jan 20, 2005 at 03:38:03 PM EST
    This is simply a variation of an old security hole in cell phones which has been around for ages. The problem is, for it to work, it has to act just like a regular hot spot; but the internet is phenomenological: Pretend that you're a hot spot, and you are. It has to pass traffic through to the internet, and vice versa. All of which means that, as an attack, it's only as effective as the encryption on your data is ineffective. But, frankly, that's already the case with wireless, as pigwiggle points out: If your connection isn't secure, attackers don't need fancy fake hot spots to steal your mojo.

    Re: Fraud Threat to Wireless Hot Spot Users (none / 0) (#4)
    by Sailor on Thu Jan 20, 2005 at 05:52:13 PM EST
    It's called a 'Man in the middle' attack. See the coverage in slashdot.org to have an idea of how concerned you should be. My personal advice is that if you are outside your home/work firewall and don't see that the padlock in the status bar is closed before you use your PW to get or send mail, don't do it. And never conduct banking or any CC purchase wirelessly.

    Re: Fraud Threat to Wireless Hot Spot Users (none / 0) (#5)
    by pigwiggle on Thu Jan 20, 2005 at 06:33:20 PM EST
    So the issue is really the security of the encryption used. Since the FBI threw a fit and limited us all to 128 bit, we should be wondering how secure this is. My nerd friends and I spent lunch talking this over. We figure with 250 PCs of current speed it would take a week. I have the computers, but how am I going to know if you have more than $18.45 in your checking account?

    Re: Fraud Threat to Wireless Hot Spot Users (none / 0) (#6)
    by Ray Radlein on Fri Jan 21, 2005 at 12:11:57 AM EST
    A properly secured key can be sniffed through random packet collection after about a million captures, IIRC. So whether that takes a week or a month depends on how often your machine comes within range of the sniffer in question. If your key is cycled every few days, you are pretty much completely safe at the moment.