Canadian Underwriter
News

Wireless Working, Part II: Why cyber criminals love free WiFi


January 29, 2018   by Greg Meckbach, Associate Editor


Print this page Share

Free WiFi offered at coffee shops, hotels and airports should pique the interest of brokers – and not just because brokers and their clients can work remotely in these locations for free.

The technology does not come risk-free.

WiFi technology has for decades let computers talk to each other using radio waves instead of Ethernet cables. The technology allows airports, coffee shops, hotels and other businesses set up “hot spots” so customers can connect to the Internet without having to use the cellular data plans.

In Part I of this series, Dave Millar, business executive, security at IBM Canada, warned that when WiFi is used to let home users connect to their Internet router without wires, those networks are often not setup with information security in mind. Free WiFi hot spots are often even less secure.

In part III of this series, experts explain what brokers need to do to manage cyber risk when using WiFi to setup networks at work.

Normally, there is no encryption at a public hot spot such as a coffee shop, said Timothy Zimmerman, research vice president Gartner Inc., a research firm based in Stamford, Connecticut.

This is somewhat analogous to police departments using unencrypted radios to talk to each other. Just like a person with a police scanner can listen to police radio traffic, a hacker with a WiFi-equipped computer could in some instances send and receive information between other computers. For example, weak WiFi encryption is one reason why the parent company of Winners and HomeSense fell victim in 2005 to a data breach that compromised customer records.

When a public WiFi hot spot is an open network, meaning there is no special encryption, a hacker could potentially “listen to all the data that is being transmitted,” said Christian Gilby, director of product marketing for Hewlett Packard Enterprise Company’s Aruba unit. So anything an employee transmits using a public WiFi hot spot “is potentially vulnerable to somebody capturing that data,” he warned.

This could leave corporate users vulnerable to what is known as a “man-in-the-middle attack,” said Millar.

For example, when open access points are used, a knowledgeable hacker with his or her own WiFi-enabled computer could pretend that his or her computer is the WiFi access point to which a user is trying to gain access. This raises the risk that the user working in the coffee shop will log into the wrong network. Instead of logging into the corporate network, they are logging into the hacker’s machine, which has “spoofed” the correct network. Consequently, the user who thinks he or she is connecting to the wireless access point of “Jim’s coffee shop,” for example, is actually connected to the hacker’s computer, which is purporting to be an access point owned by Jim’s coffee shop.

In contrast to public WiFi hot spots, a corporate computer network that uses WiFi often comes with a security technology known as WiFi Protected Access (WPA), first introduced in 2003.

TJX Companies – the corporate parent of Winners – was still using  “Wired Equivalent Privacy,” or WEP, on some of its WiFi networks at the time it experienced its data breach in 2005.

Zimmerman recommends companies whose employees are working from public hot spots use a  virtual private network (VPN), which is intended to make data look like gibberish to someone who intercepts that data.