You use my hotspot, I'll use your credit card

You use my hotspot, I'll use your credit card

Summary: A recent story on "Evil twin" Wi-Fi networks that spoof legitimate hotspots or corporate networks makes it clear that all public hotspots should immediately implement 802.1x and PEAP authentication.


A recent story on "Evil twin" Wi-Fi networks that spoof legitimate hotspots or corporate networks makes it clear that all public hotspots should immediately implement 802.1x and PEAP authentication. Currently, with most Wi-Fi hotspots, there is no simple way to tell whether or not you are using a legitimate hotspot. If you don't think this is a big deal -- since you're probably using VPN anyway --think again!

Since you probably authenticate with your Wi-Fi hotspot or hotspot aggregator provider on a routine basis with a username/password or you pull out your credit card to pay for temporary hotspot access, you could be in danger of losing your user account or worse --your credit card number. A hacker or criminal could easily put up a fake Web-based authentication server that looks exactly like the real thing for the purpose of stealing your hotspot user account or your credit card number along with the extended code. They could even provide you with real Internet access after you've authenticated with them to make you think that nothing is wrong and you would never know the difference. Next thing you know, you're looking at a massive hotspot usage bill or worse, you're looking at a maxed out credit card. Can this really happen? You better believe it! Now that hotspots are ubiquitous, it's only a matter of time before criminals wise up to this type of exploit.

Hotspots that use 802.1x and PEAP authentication are an excellent solution for this dilemma and hotspot providers like T-Mobile are leading the charge. Because PEAP authentication implements "mutual authentication," where you actually authenticate the server based on a digital certificate before you hand over your user credentials to the server, an "evil twin" hotspot cannot steal your user credentials. It is even less likely that it can steal your credit card -- because you're not using it in the first place. The conventional Wi-Fi hotspot business model is simply too dangerous for anyone to use anymore. Consumers should insist on secure authentication technology.

In order for this solution to work, you will need to properly configure your wireless supplicant (wireless Ethernet client software) to verify the server's digital certificate or else you will still be susceptible to the "evil twin." Corporations can address this by implementing the Windows XP WZC (Wireless Zero Configuration) service at a global level with Windows Active Directory Group Policy or by some other means if they're not a Microsoft shop. Windows XP Service Pack 2 takes this a step further and can be configured to not even prompt the user to accept an alternate signing authority for a digital certificate. Hotspot service providers or aggregators should provide simple-to-use client software that automatically installs in the most secure setting. Whatever method is used, it should never be left to the individual end user to configure proper security settings because there is simply too much room for user error.

Have I convinced you to insist on secure authentication technology? Let me know what you think in TalkBack.

Topic: Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It worked

    You've got me thinking - how would I know I'm attached to the right hotspot? I would insist on the best security practices being implemented - absolutely.

    However, based on my very limited knowledge of wireless networking, wouldn't you detect the legit hotspot along with the bogus hotspot, and then have to choose before connecting? This would seem to me to be a much less dangerous situation, in that you would be given a chance to question the situation rather than blindly connecting to the first resource that popped up?
    • No, you can't tell


      You will not be able to tell. For example: If you used hotspot "ABC" on a regular bases and signed in via web login, an evil twin "ABC" could pop up with a higher signal strength which pulls you over to it. That evil twin hotspot would ask you to log in and record your username/password. It would also give you the option to pay for temporary daily access with a credit card along with the expiration and extended code on the back of the card. Once you provide either the password or credit card, the fake hotspot could provide you with real internet access. You would never know the difference. Even though when you hand out your credit card information, it is suppose to be a secure HTTPS sign-in. But how many people actually bother to look at the little lock in the corner or even know they're suppose to?

      With 802.1x/PEAP enabled hotspots, your wireless client could automatically reject the evil twin with no user intervention. You wouldn?t even need to associate with that evil twin.
      • How about this...

        I think everyone who invests in a WI-Fi network, whether it is home-based, or otherwise, should have some sort of training before they are allowed to purchase it. Regular wired routers/hub are not included in this requirement. It just seems to me that the bad guys are trying very hard to outsmart you all - and suffice it to say, they are doing a really good job. STOP OUTSOURCING OUR GOOD PROGRAMMERS and ENGINEERS - PAY THEM WHAT THEY ARE WORTH and they may just stay. Anyways, gun owners should have training before they are permitted to carry, and so should Wi-Fi, since all of this determines your own future. Just my 2 cents. I have a Wi-Fi at home with 3 firewalls and all the bells and whistles, but I tell my family - DO NOT GIVE INFORMATION OVER THE INTERNET. If they do NOT have an 800 number - don't buy there. IF THERE IS NO SECURITY CERTIFICATE AND AN 800 NUMBER - forget it. The Internet at our home is simply for fun and entertainment and not taken seriously - meaning - NO INFORMATION IS GIVEN OUT via the NET. If you have to create a login and password - don't bother. Move on. UNTIL IT IS SAFE (nothing is today), then just don't do it.
        Research, reading, and entertainment is all it is worth. DO NOT BUY/PURCHASE/SIGN-UP ON THE INTERNET!!!(duh)
        Half the problem is EDUCATION. Educate the masses on this technology stuff! Get it on the airwaves and you'd better do it quickly, Microsoft, Linksys, and all the others who want our money so badly. there's going to be a lawsuit on 1 of these - mark my words - because the consumer lost their identity and was never warned sufficiently.
        Uniontown, OH
        • You shouldn't have to be a geek

          First of all, all the education in the world won't do you any good if the underlying technology is insecure. If a technology makes zero effort to authenticate the infrastructure, what good is education? I'm very educated but I won't use WEP? Why, because no education in the world is going to keep you from getting cracked.

          Second, you shouldn't have to be a techno elite to be able to use a computer. It's time for the geeks to get over it, people will never become like you. Even if they are technically savvy, they would still be foolish to use a hotspot that doesn't implement 802.1x and PEAP authentication.
  • anonymous access using hotspots

    sometimes i simply do ntpo care about who and how use my account. let's say i pay some monthly fee for inlimited access. why should i care about passwords, etc. ?
    another application when i buy access to the hotspot together with train ticket, for example.
    or when i buy coupon with 8 digits number valid for 24 hours.
    hotspots today are the only way to post 100% anonymously on the message board what do you think about this guy or that or download "Eyes on the Prize" movie
    take care