Minimising Public WiFi Risk

For those of us living itinerant lives, constant connectivity while moving within and in-between countries is a necessity. We love our Free WiFi. Among friends and colleagues we discuss and recommend the relative merits of cafes and restaurants partially according to how reliable is their free WiFi. Whether adding the finishing touches to the final written pieces of the contract just completed, transferring funds in between accounts to pay bills or onward flight tickets, emailing back and forth on a piece of work or a contact yet to be gained, or simply remaining in touch with family and friends, near constant email connectivity is essential to the modern professional within the Humanitarian and Development sectors.

But another truism is that most of this work is rarely conducted at ‘home’. Indeed, for those of us who base in places like Bali and Thailand, our office while ‘in between contracts’ is an obliging café where we do our work. These home base locations, or temporary ports of call may have poor 4G or 3G connectivity. While in transit in hotels and airports we are grateful to find a free WiFi connection somewhere. It may not be fast, but it is enough to get stuff done.

But it is safe?

The Harvard Business Review have been the most recent in a long line of articles advising us against the use of public WiFi. I have summarised and expanded on their points below. They are right to warn us. They quote a Verizon cyber security report describing how ‘Man in the Middle’ and ‘Evil Twin’ attacks have been identified in an increasing number of hotels and public places, especially in Asia. These are useful to extract login and password data, steal information from laptops and other devices, and/or lay the ground work for a far more elaborate and costly identity theft.

What Can We Do About It?

Because I live in Indonesia where there is relatively cheap internet packages available on pre-paid phones, I minimise the risk of public WiFi access by not using it and tethering my phone instead. And when I must connect to a public WiFi connection, I do so via a VPN. I would recommend a paid one. I use Zen, but there are many more on the market, Please see here a recent review of Zen that compares it to others currently on the market. Please note I am not endorsing this product. But if it is simple enough for me to use then anyone can.

Another must is an easy to use Password Manager. Personally I use KeepAss (think, ‘Keep your arse safe’) and the password hygiene greatly reduces the risk of Man in the Middle and Evil Twin attacks. But there are many others on the market. Do your research to ensure the database is encrypted and it can be easily backed up to a USB and printed hardcopy (for secure storage elsewhere). Remember, in a man in the middle attack the thief is logging your key strokes to get your login and password details. If the password is an easy to remember one you use everywhere, like the name of your first pet, with Upper and Lower, numbers (eg, ‘Blacky123’) and the username is your email address you can be guaranteed that this combo will be tested on banks, Facebook, LinkedIn and other places where your identity and personal information can be hijacked. But if your password is Pj67$tHyfg&90dessTmb* it is clear in the mind of the thief that this is not a password you use for every site you access; you are using a password manager and there is no point attempting to apply that username/password combo on other sites.

How do these tools manage Risk? The VPN or WiFi avoidance method (ie, by tethering to your phone’s internet connection) greatly reduces the likelihood of being compromised by a thief. However, if compromised, the password manager will ensure that whatever Username/Password combo you use for the compromised site is not repeated for other sites thus containing the breach.

Other basic and easy to implement precautions include switching off your Bluetooth and WiFi when not in use so they do not randomly connect to a network without you noticing, and using two-factor identification for sensitive sites like email and banking sites.

To summarise the tips given by the Harvard Business Review to both reduce both the likelihood and impact of this threat:

  • Avoidance. Don’t use public Wi-Fi to shop online, log in to your financial institution, or access other sensitive sites.
  • Mask. Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted
  • Complicate. Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your bank, social media, or email, they won’t be able to log in
  • Verify. Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses
  • Switch Off. Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots
  • Pay Attention. Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data
  • Avoid. Buy an unlimited data plan for your device and stop using public Wi-Fi altogether
  • Obscure. Use a password manager, and get into the habit of changing passwords regularly

This is not rocket science. Merely the 21st century version of locking valuables away in the hotel safe, not carrying all your cash and cards in the one place, not visibly flaunting wealth, and not changing cash on the black market.

If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.