You use my hotspot, I'll use your credit card
A recent story on "Evil twin" Wi-Fi networks that spoof legitimate hotspots or corporate networks makes it clear that all public hotspots should immediately implement 802.1x and PEAP authentication. Currently, with most Wi-Fi hotspots, there is no simple way to tell whether or not you are using a legitimate hotspot. If you don't think this is a big deal -- since you're probably using VPN anyway --think again!
Since you probably authenticate with your Wi-Fi hotspot or hotspot aggregator provider on a routine basis with a username/password or you pull out your credit card to pay for temporary hotspot access, you could be in danger of losing your user account or worse --your credit card number. A hacker or criminal could easily put up a fake Web-based authentication server that looks exactly like the real thing for the purpose of stealing your hotspot user account or your credit card number along with the extended code. They could even provide you with real Internet access after you've authenticated with them to make you think that nothing is wrong and you would never know the difference. Next thing you know, you're looking at a massive hotspot usage bill or worse, you're looking at a maxed out credit card. Can this really happen? You better believe it! Now that hotspots are ubiquitous, it's only a matter of time before criminals wise up to this type of exploit.
Hotspots that use 802.1x and PEAP authentication are an excellent solution for this dilemma and hotspot providers like T-Mobile are leading the charge. Because PEAP authentication implements "mutual authentication," where you actually authenticate the server based on a digital certificate before you hand over your user credentials to the server, an "evil twin" hotspot cannot steal your user credentials. It is even less likely that it can steal your credit card -- because you're not using it in the first place. The conventional Wi-Fi hotspot business model is simply too dangerous for anyone to use anymore. Consumers should insist on secure authentication technology.
In order for this solution to work, you will need to properly configure your wireless supplicant (wireless Ethernet client software) to verify the server's digital certificate or else you will still be susceptible to the "evil twin." Corporations can address this by implementing the Windows XP WZC (Wireless Zero Configuration) service at a global level with Windows Active Directory Group Policy or by some other means if they're not a Microsoft shop. Windows XP Service Pack 2 takes this a step further and can be configured to not even prompt the user to accept an alternate signing authority for a digital certificate. Hotspot service providers or aggregators should provide simple-to-use client software that automatically installs in the most secure setting. Whatever method is used, it should never be left to the individual end user to configure proper security settings because there is simply too much room for user error.
Have I convinced you to insist on secure authentication technology? Let me know what you think in TalkBack.