After six days of non-stop travelling around the British countryside by train for a Hackathon event, I spent my last day walking along the wintry cold streets of London, eventually leading me to my final destination on my way back home: Heathrow airport.
When I stepped foot into one of the busiest airports in Europe, my mind was rambling through various things and ideas I had to prepare for the next day. The moment I noticed the departure board announce that my flight was going to be delayed, I immediately thought, “what am I going to do here for four hours?”. As I headed down the hall to the terminal along with dozens of other passengers, almost all of the shops and restaurants in the departures lounge had closed.
I asked a passenger sitting across from me, how the free Wi-Fi option measures up. “Is it any good?” He replied in a heavy British accent. “Let me put it like this: I wouldn’t be relying on it if I wanted to do serious work.” Nonetheless, who would pay for premium, when free is available? I thought to myself.
So, I came up with an idea! Why not check it out myself, through a little experiment, how many travellers would pay for premium Wi-Fi and how secure is a public network, when internet users exchange sensitive information, credit card number, confidential documents possibly. Man in the middle attack was my plan of attack. This specific method works on the basis of the attacker secretly relaying/ altering the communication between two parties (internet provider and the user), who believe they are directly communicating with each other.
One example of man-in-the-middle attacks, in which the attacker makes independent internet hot spot connections with the victim and relays messages between them to make them believe they are connected directly over a private connection, when in fact the entire conversation is controlled by the attacker. Anyone can imagine that relevant messages passing between the victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle. That was the plan in my case.
First of all, I cloned Heathrows’ “Access the Internet” site, changing a few things on the welcome screen of the page such as, increase the price from 4 pounds to 8 pounds, reduce free internet time from four hours to 1 hour, . Then I had to implement the payment integration form, allowing potential victims to easily process their credit cards. I simply used my phone as a hot-spot, changed the SSID name to make it similar to the free one the airport emitted in the area and sat back to wait for the first person to join the “free network”.
It took no less than half an hour for someone to connect on my hot-spot and use the standard Wi-Fi free. I had to randomly disconnect few of the active connections on my personal hotspot just to avoid overcharging my phone bill. After one hour, I had my first visitor willing to pay for premium Wi-Fi network and, as simple as that, I had compromised the first credit card. This fake, private hot-spot emitted for at least three hours and gathered approximately 18 credit cards from unsuspecting travellers. And that was it. Afterwards I dropped the connection and erased the data from my computer.
It’s kind of scary how easily I could get the credit card number in a solid format ready for any payment on the web or even sell it in the dark web. A self-described hacker affiliated with the Anonymous post on random darknet site: it is simpler and quicker to buy credit card numbers from villains who hack computers, set up phoney online stores selling non-existent goods at bargain prices, “scan” the numbers from ATMs, rather steal them at restaurants or official documents.
It is important to remember how easily someone can create a counterfeit hot-spot and gain access to valuable information. Care must be taken to avoid using public Wi-Fi on your phone, tablet or computer to check your email, your bank account balance, or any other site that contains or requires your personal data. In most cases, using Internet security software could save you from a lot of trouble, however this case is a little different.
How an End-User Can Prevent This
- The simple act of viewing the certificate provided by internet browser before the connection established and clicking “No” instead of “Yes” would have prevented this from happening.
- Take the time to read and understand all security messages you receive. Don’t just randomly click yes out of convenience.
- Try to always use the encrypted version of websites (i.e., make sure the URL starts with HTTPS). One way to do this is to install a browser plugin like “HTTPS Everywhere,” which seeks out HTTPS connections on any website you visit and tries to enforce it at all times.
How a Corporation Can Prevent This
- Educate the end-user to security alerts and how to react to it.
- Utilize One Time Passwords, such as RSA Tokens, to prevent the reuse of sniffed credentials, credit card numbers.
- Use a VPN, creating an encrypted tunnel between your computer and a third-party, preventing snoopers from intercepting the information.
The main purpose of this article is to educate and create awareness for users which is relatively easy to do in a public Wi-Fi hotspot environment. It could also easily happen on a home Wi-Fi network, if that Wi-Fi network isn’t properly configured and allows a hacker to connect to that home network. An educated end-user and sound security practices by corporations can protect your valuable data.
The views reflected in this article are the author’s and do not necessarily reflect the views of the global KPMG organization or its member firms.
Cyber Security Supervisor Consultant at KPMG
If you have a war story your would like us to publish then you can get in touch with us via the contact us section at the top of this website
Latest posts by William Fieldhouse (see all)
- Connecting to Airport WiFi is Safe, Right?…..Wrong - December 5, 2017
- Your HP Wireless mouse can be Spoofed; Be careful - May 18, 2017
- E.U. Fines Facebook $122 Million for misleading information about WhatsApp acquisition - May 18, 2017