The Latest Trumors, by Beverly Rosenbaum

Beware Wireless Hotspots’ Evil Twins

Just how secure is an Internet connection from a public wireless hotspot?

People using wireless high-speed Internet connections are being warned about fake public hotspots, or access points. The latest threats are being called “Evil Twins,” because they pose as real hotspots but are actually unauthorized base stations under an attacker’s control. Once unsuspecting users have connected to an Evil Twin access point, identity thieves can intercept anything they send that is not separately encrypted. Wi-Fi is becoming popular as more devices come with wireless capability. Webopaedia defines Wi-Fi (often expanded as “wireless fidelity”) as a generic term for any type of wireless network; strictly speaking, it is the trade name for wireless local-area networking based on the IEEE 802.11 standards.

A related “phishing” scam involves sending e-mail that falsely claims to come from an established, legitimate enterprise in an attempt to trick the recipient into surrendering private information that will be used for identity theft. The e-mail directs the user to a Web site where they are asked to “update” personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and exists only to steal the user’s information. This represents a serious threat to mobile workers, because the same trick works at a hotspot: a hacker at the airport or a local coffee shop can broadcast a stronger signal than the genuine hotspot’s access point and then serve a false login page that mimics the hotspot provider’s.

Another scam similar to e-mail phishing is “pharming,” which seeks to obtain personal or private (usually financial) information through domain spoofing. Rather than spamming victims with bogus e-mail requests to visit fake Web sites that merely look legitimate, pharming plants false records in a DNS server, so that requests for a legitimate domain name are answered with the address of the attacker’s server. The browser still shows the correct Web address, which makes pharming more serious and more difficult to detect; the impostor cannot normally present a valid certificate for the spoofed name, so the browser’s certificate warnings are the main clue, unless a certificate authority has been fooled as described below. Phishing scams people one at a time by e-mail, while pharming lets the scammers target everyone who relies on the poisoned DNS server at once.

According to a study recently released by Symantec, identity theft features were found in 54 percent of the top 50 malicious code samples detected between July and December of 2004, an increase over the 36 percent found during the same period in 2003. The study also reported that computers are increasingly coming under attack from Trojan horses, worms and viruses that attempt to glean users’ cached log-on data and passwords for financial sites. Symantec also reported that by the end of December it was blocking an average of more than 33 million phishing attempts a week, up from an average of 9 million a week in mid-July. A senior manager with Symantec Security Response expressed concern that the current defensive technology, still in its infancy, is hard-pressed to combat phishing e-mails and identity theft attacks.

The study also found an increase in the number of flaws in Web applications, which could let attackers get past traditional perimeter protections such as firewalls, since Web traffic is deliberately allowed through. Vulnerabilities in Web applications accounted for 48 percent of the total number of flaws detected between July and December, up from 39 percent during the first six months of the year.

Exactly how does an “Evil Twin” attack work?

A hacker can simply configure a laptop computer to act as a wireless access point. They can use a legitimate-sounding SSID (service set identifier, the network name) like “tmobile” to fool unsuspecting customers, and simply place the laptop in a backpack at the airport or local coffee shop, where they can read a newspaper and wait for a connection. Because the laptop is closer to the user than the real access point, its signal is stronger, and wireless clients generally pick the strongest signal for a given network name; the unwary hotspot surfer connects without noticing any difference. If the hacker presents a login screen similar to the T-Mobile service (only an example), the user enters a credit card number to get Internet access, and the thief acquires it. Since every packet now passes through the hacker’s laptop, it can redirect the user to Web pages that mimic real banks and other sites, so the information the user thinks he is entering into secure Web forms is actually sent unencrypted to the attacker. The hacker can even read the user’s e-mail along with them, if the mail connection is not itself encrypted.

It’s very difficult to tell the difference between a legitimate and an illegitimate access point. Although there are several measures in place to help you discern between them, they are easily ignored and have weaknesses of their own.

1. Web browsers show a pop-up warning when a form is submitted over an unencrypted connection. Unfortunately the dialog boxes offer the option to “never show this again.” If you’ve clicked this box just once, you’ll no longer see the warning when you send information through unencrypted channels.

Internet Explorer warnings: (screenshot not reproduced)

Netscape warnings: (screenshot not reproduced)
2. Most Web browsers display a small lock icon (in the status bar at the bottom of the window) to indicate that the page was delivered over an encrypted connection to a site holding a certificate for the name in the address bar. However, if you’re not diligent about looking for it every time you log on to a new page, you may not notice its absence. Additionally, if a hacker changes even one letter in a domain name you are familiar with (for example, replacing a lowercase “L” with the numeral “1”), they can register that domain name and obtain a perfectly valid certificate for it. When you’re redirected to that page it will display the lock icon, because the lock only proves you have an encrypted connection to whoever owns the name shown, not that the name is the one you intended, and you may never notice the subtle change in spelling. Could an illegitimate site even obtain a certificate for the real name? According to experts at the Massachusetts Institute of Technology, the public certificate authorities that issue digital certificates to legitimate sites can be fooled into issuing them to illegitimate ones as well.

The Internet Explorer lock icon is only present for secure sites. The Netscape lock icon is present for both secure sites (icon is locked) and insecure ones (icon is unlocked). (Screenshots not reproduced.)
3. Most banks advertise the unencrypted version of their home page (https indicates a secure version, but http is easier to remember). When you open that page and click to log on, you are often redirected to an encrypted page whose domain name may be unrelated to the bank’s home page. If you don’t recognize the name, you have no way of knowing whether you have been redirected to a page operated by the bank or by a hacker, and the lock icon does not settle the question, since it only confirms that you are talking to the owner of that unfamiliar name. Bookmark the bank’s https login page yourself, or type it in, rather than trusting a redirect.
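As an added example that is not part of the original column, the following Python script applies the checks from points 2 and 3 to a login URL before any credentials are typed: is the connection https, does the registrable domain match one you trust, and if not, is it a one-character look-alike of a trusted name or a trusted name buried inside some other domain? The trusted domain examplebank.com, the confusable-character table and the sample URLs are all constructed for the example.

```python
from urllib.parse import urlsplit

# Characters and digraphs an attacker swaps in to register a look-alike name.
# Constructed for this example; a production check would use a fuller confusables table.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s"}

# Hypothetical bank domain the reader trusts; examplebank.com is a placeholder.
TRUSTED_DOMAINS = {"examplebank.com"}


def skeleton(name):
    """Collapse look-alike sequences so 'examp1ebank' and 'examplebank' compare equal."""
    s = name.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def registrable(host):
    """The last two labels of the host; good enough for the .com-style names used here."""
    return ".".join(host.split(".")[-2:])


def check_login_url(url, trusted_domains):
    """Return a list of reasons not to type credentials into the page at `url`.

    An empty list means the URL is https and its domain is one you trust.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["URL has no host name"]
    findings = []
    if parts.scheme != "https":
        findings.append("not HTTPS: anything typed into the form travels in the clear")
    domain = registrable(host)
    if domain in trusted_domains:
        return findings
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):
            findings.append(f"look-alike of {trusted}: {domain} (compare it character by character)")
            break
        if trusted in host:
            findings.append(f"{trusted} appears only inside the host name; the real domain is {domain}")
            break
    else:
        findings.append(f"domain {domain} is not one you trust; do not enter credentials")
    return findings


if __name__ == "__main__":
    for url in ("https://www.examplebank.com/login",
                "http://www.examplebank.com/login",
                "https://www.examp1ebank.com/login",
                "https://examplebank.com.evil-secure.net/login",
                "https://login.securebanking-host.com/"):
        print(url, "->", check_login_url(url, TRUSTED_DOMAINS) or ["ok"])
```

The script catches misspelled and embedded names, which is the Evil Twin redirect case; it cannot catch pharming, where the address is genuinely correct and only the DNS answer is wrong. For that, the browser’s certificate check is the only automatic defense.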

How can you protect yourself against these attacks?

Don’t allow the distractions of public places to keep you from paying attention. Here are some things to watch:

1. Check your Wi-Fi settings. Many laptops are set to constantly search for and automatically join the strongest available hotspot, or any network whose name matches one you have used before. This option might seem convenient, but it doesn’t let you see which hotspot you are joining or decide whether it is legitimate. Turn off this option to prevent your computer from joining a hotspot without your knowledge.

2. Pay attention to pop-up warnings. If you are lucky enough to see these warnings (and they’re not already turned off), make sure you read them carefully before agreeing to send unencrypted information.

3. Use one of your credit cards on the Web only. Open a credit card account that is used solely for shopping on the Web, and make sure that you’re able to access account records at any time to monitor the activity. Citibank credit card accounts offer one-time “virtual account numbers” that can only be used for a single transaction, so you never expose your real account number on the Internet.

4. Conduct your private business in private. Avoid checking your bank statements when you’re connected to a public hotspot. If you restrict your public surfing to Web pages you wouldn’t mind a stranger reading along with you, there is little an “Evil Twin” attacker can do to harm you.

Corporate Wireless Networks at Risk

Companies can protect themselves by turning off SSID broadcast on their wireless access points and by limiting transmit power so that signals do not radiate far beyond the building, making it less likely that hackers can intercept enterprise traffic from the corporate parking lot (neither measure stops a determined attacker, since the network name can still be recovered from client traffic). In addition, encryption should be turned on; many companies don’t bother to encrypt their wireless traffic at all. WEP (Wired Equivalent Privacy) is the minimum, but its cryptographic weaknesses are well known and a patient eavesdropper can recover the key, so WPA or WPA2 should be used wherever the equipment supports it. Another security measure is to require all wireless traffic to pass through a VPN (Virtual Private Network) server: the hacker cannot impersonate the VPN server without its private key, the VPN admits only authenticated users, and the traffic is encrypted end to end, so anything intercepted over the air is unreadable. A wireless intrusion-detection sensor can also be deployed to monitor the traffic that goes by and detect rogue access points, whether unauthorized APs plugged into the corporate network or the APs of a neighboring company or a public free access provider that employees might join by mistake.
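As an added example, not code from the original column or from any product it mentions, this Python script shows the kind of check a wireless intrusion-detection sensor performs for the rogue-access-point problem above, and equally for the Evil Twin pattern described earlier: it parses a wireless scan, compares every access point seen against an inventory of authorized BSSIDs for each managed SSID, and flags an unknown BSSID advertising a managed name, an encryption setting that disagrees with policy, and foreign SSIDs. The scan text, the hardware addresses and the inventory are constructed in the style of Linux `iwlist scan` output and are not real captures.

```python
import re
from dataclasses import dataclass

# Constructed scan output in the style of Linux `iwlist <iface> scan`; not a real capture.
# Cells 01 and 02 are the company's real access points; cell 03 is an open AP with an
# unknown hardware address advertising the corporate name (the Evil Twin pattern);
# cell 04 is a public hotspot next door.
SCAN_OUTPUT = """\
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"corp-wlan"
                    Encryption key:on
                    Quality=60/70  Signal level=-50 dBm
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"corp-wlan"
                    Encryption key:on
                    Quality=55/70  Signal level=-55 dBm
          Cell 03 - Address: 0a:bb:cc:dd:ee:ff
                    ESSID:"corp-wlan"
                    Encryption key:off
                    Quality=70/70  Signal level=-30 dBm
          Cell 04 - Address: 00:aa:bb:cc:dd:ee
                    ESSID:"tmobile"
                    Encryption key:off
                    Quality=40/70  Signal level=-65 dBm
"""

# Hypothetical inventory: for each SSID the company operates, the BSSIDs (radio MAC
# addresses) of its own access points and whether the network must be encrypted.
AUTHORIZED = {
    "corp-wlan": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "encrypted": True},
}


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    encrypted: bool = False
    signal_dbm: int = -100


def parse_scan(text):
    """Turn iwlist-style scan text into AccessPoint records, one per Cell."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})$", line)
        if m:
            aps.append(AccessPoint(bssid=m.group(1).lower()))
            continue
        if not aps:
            continue  # attribute line before any Cell header; ignore it
        ap = aps[-1]
        if (m := re.match(r'ESSID:"(.*)"$', line)):
            ap.ssid = m.group(1)
        elif (m := re.match(r"Encryption key:(on|off)$", line)):
            ap.encrypted = m.group(1) == "on"
        elif (m := re.search(r"Signal level=(-?\d+) dBm", line)):
            ap.signal_dbm = int(m.group(1))
    return aps


def find_rogues(aps, authorized):
    """Compare observed APs with the inventory and return a list of findings."""
    # Strongest signal seen per SSID: an Evil Twin usually wins this contest.
    strongest = {}
    for ap in aps:
        if ap.ssid not in strongest or ap.signal_dbm > strongest[ap.ssid]:
            strongest[ap.ssid] = ap.signal_dbm

    findings = []
    for ap in aps:
        policy = authorized.get(ap.ssid)
        if policy is None:
            findings.append({"bssid": ap.bssid, "ssid": ap.ssid, "kind": "foreign",
                             "reason": "SSID not in inventory (neighbor or public hotspot)"})
            continue
        reasons = []
        if ap.bssid not in policy["bssids"]:
            reasons.append("unknown BSSID advertising a managed SSID")
        if ap.encrypted != policy["encrypted"]:
            reasons.append("encryption setting differs from policy")
        if reasons:
            if ap.signal_dbm == strongest[ap.ssid]:
                reasons.append("strongest signal for this SSID (clients will prefer it)")
            findings.append({"bssid": ap.bssid, "ssid": ap.ssid, "kind": "rogue",
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_rogues(parse_scan(SCAN_OUTPUT), AUTHORIZED):
        print(f"{f['kind']:8} {f['bssid']}  {f['ssid']!r}: {f['reason']}")
```

A BSSID allow-list is the simplest form of this check; commercial sensors also compare channel, beacon timing and vendor fingerprints, since a BSSID can be spoofed by an attacker who has first observed the real one. Foreign SSIDs are reported as informational, because a neighbor’s network is only a problem if your users connect to it.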

JiWire, which maintains a locator service for 61,014 Wi-Fi hotspots in 98 countries, ranks the following as the top ten countries by number of hotspots: United States (24,265), United Kingdom (9,858), Germany (5,880), France (3,299), Japan (2,488), Switzerland (1,302), Italy (1,273), Canada (1,070), Spain (997), and Australia (903). So it’s definitely a growing trend. Mobile workers who take advantage of the wireless convenience should remain vigilant.

Beverly Rosenbaum, a HAL-PC member, is a 1999 and 2000 Houston Press Club “Excellence in Journalism” award winner. She can be reached at