Millions at risk from wi-fi online fraudsters
Cybercriminals are turning to wireless technology to steal bank details
Many internet users
are at risk of having their personal details stolen and thousands of
pounds plundered from their online bank accounts as internet fraudsters
increasingly target unsecured wireless networks, security experts warn.
Research
by moneysupermarket.com indicates that one wireless customer in five
has not, or does not know whether he or she has, protected the network
with a password. A quarter of wireless users do not even realise that
strangers can log on to an unsecured network.
Last month the
internet provider TalkTalk estimated that seven million home wireless
connections are left open to hijackers. Stealing a wireless connection —
“piggybacking” or “leeching” — is not a new problem. But
moneysupermarket.com’s research estimates that four million Britons have
accessed the internet on a neighbour’s wireless connection without his
or her knowledge.
Tom Beale, a digital security expert at
Vigilante Bespoke, believes the problem is growing. He says: “As it
becomes more of the norm to get wireless at home, or wireless-enabled
mobiles such as the iPhone, there is a greater number of people
regularly using wireless technology without fully understanding the
importance of securing a network.
“Many consumers trust their
internet service provider to configure their router and ensure that it
is safe, but help desks often give bad advice. Default security settings
on routers are not always good enough, either. Consumers should have
WPA2 (wi-fi protected access), the highest level of security that
wireless routers support. Some routers come with WEP, which can be
cracked by a schoolboy in seconds.”
WEP, or wired equivalent
privacy, was replaced with WPA2 in 2004 after serious weaknesses were
found in it by researchers, but some wireless equipment has not been
updated.
James Parker, broadband expert at moneysupermarket.com,
says the consequences of having your wireless hijacked can be severe:
“It’s bad enough that your neighbours can use your internet connection
freely, but this becomes far more threatening if someone uses your
connection for criminal or improper activity. This could be accessing
your internet connection to download obscene material, gathering
personal information to defraud you or stealing your identity.”
When
improper activities are carried out through your wireless router, they
are traceable only to your home address. This may mean that you are
subject to a fine or cut off by your internet provider for going over a
download limit; prosecuted for illegally downloading music, films or
more unsavoury material; or, as one Times reader discovered the hard
way, unable to prove that you have had your details stolen.
Michael
Black, 21, had his laptop stolen from outside his block of flats in
Reading. Several days later the thief accessed his wireless connection
on the laptop. The thief managed to access Mr Black’s internet banking
and transferred £14,000 from his Nationwide savings account to his
current account, then to a gambling website.
Mr Black says: “I
reported the fraud to Nationwide immediately, but was told that, because
someone gained access to my internet banking, I must have written down
my security details or told them to someone. This is simply not the
case; I have always kept them secret and safe.
“Unfortunately,
as the thief has used my personal details to log on to my bank on my
laptop through my wireless, there is no way I can prove it wasn’t me.
The police say it is impossible to find the perpetrator; Nationwide do
not seem to see the seriousness of this issue and are refusing to refund
me.”
Although the thief could have been a neighbour, it is also
possible that he or she could have accessed the wireless some distance
away from the flat.
An attacker who accesses your wireless
network can monitor all internet traffic through your router —
potentially snooping on every website that you visit, e-mail that you
send or user name and password that you type. By monitoring internet
activity and a wireless user’s web browser and internet history, it is
easy for a cybercriminal to collect personal information about the user:
from answers to security questions to credit card numbers, passport
numbers or payroll details. Hackers can even watch users book flights or
hotels online, recording when a wireless user is likely to have an
empty house.
It is more difficult to access internet-banking
passwords by monitoring internet usage, as banks have a higher level of
encryption than regular websites. However, hackers have developed
techniques to bypass even the most secure sites. David Whitelegg, an IT
security expert who writes a regular blog to help consumers to avoid
digital fraud, explains: “By attacking a wireless router from inside a
wi-fi network, hackers can redirect the wireless user invisibly to fake
websites.
“It is possible to monitor which bank website you use,
then adjust the domain name on the wi-fi router, so the next time the
user visits his or her bank website the computer sends them to a fake
bank site, which has the correct URL in the address bar. In doing this,
the bad guys could harvest your bank account website log-on credentials
without your knowledge.”
Fraudsters who steal bank account
details in this way often build up a knowledge profile of their target
too, then sell these details on an online black market. Mr Whitelegg
says: “I have seen cyber-fraudsters selling complete profiles of UK
individuals, along with their online bank account user name and password
— including one that stated the victim’s pet’s name.”
Case study: ‘You don’t know who is watching online’
Keen to see how
easy it is to snoop on someone else’s internet activity, I agree to meet
the “ethical hackers” Oliver Crofton and Tom Beale in a coffee shop in
the City of London.
The pair, who work for Vigilante Bespoke, a
digital security company, have brought a Samsung Netbook, a £250 laptop
from PC World.
Mr Beale, who has made some minor technical
alterations to the machine, begins by scanning the area for wireless
connections. About 40 networks pop up on his screen, including the
public wi-fi in the coffee shop. Next to each network we can see its
level of security. Many are not protected by a password, many more have
WEP security, which he could bypass.
Some of the unprotected
networks are BT Business wireless being used in offices near by; if they
were not so ethical, the pair could read all the employees’ e-mails. We
can also see ten devices being used in the coffee shop, including my
iPhone. With my permission they access it, and as I type in hsbc.com on
the phone’s internet, hsbc.com appears on their computer screen.
Mr
Crofton says: “You wouldn’t have a conversation about your finances
with your bank manager in the middle of Sainsbury’s so don’t carry out
private activity over public wireless. You don’t know who is listening
online.”
Source: The Times, Dec. 4th 2009