Sitting in a coffee shop on free Wi-Fi could be exposing you to cybercrime. Picture:
Sitting in a coffee shop on free Wi-Fi could be exposing you to cybercrime. Picture:

Theft of sensitive information from cafe patrons surfing the internet at a free Wi-Fi hotspot is easy for cyber criminals, whether you are a wealthy entrepreneur or a server.

Surfing the net for general information such as tourist sites while you are travelling or for what's on at your local cinema poses no threat, but activities such as online banking, checking investments online and shopping online should be avoided at public Wi-Fi hotspots.

Even logging into an e-mail web account such as Gmail means fraudsters can pick up your login details and use them later.

Jim Green, a security expert from IT security company GNL Cyber, says when you use a Wi-Fi hotspot, the data travelling to and from your device is being carried on radio frequencies that can be intercepted by anyone with a Wi-Fi-enabled device that has interception software on it.

In what is known as a "man-in-the-middle" attack, the attacker sets up their own Wi-Fi access point with the same name (or SSID) as the free Wi-Fi hotspot and causes the victim's device to connect to their device where the attacker can intercept and manipulate your data messages, upload malware to your device or misrepresent your identity on the internet.

Dominic White, the chief technical officer at cyber security company SensePost, says public Wi-Fi networks that require a password to access the internet are marginally more secure.

However, the reality is that for a public Wi-Fi hotspot (where anyone can find out the password) the difference is negligible, as attackers only need to put in a little more effort to gain access to the communications unencrypted.

Also, several hotspots prompt you for a password through a webpage when you first connect (something called a captive portal), and most users don't understand that this isn't the same thing as a connection-level password, he says.

"By harvesting login credentials to sites that the victim is using, the attacker can then access the victim's accounts in his own time," Green warns.

With your bank details, the fraudster can raid your account.

To prevent you from receiving a bank notification that a transaction has taken place on your account, criminals launch a smishing attack - they send so many missed calls or SMSes to your cellphone that you eventually switch it off, says Danny Myburgh, MD of digital forensic lab Cyanre. As soon as your phone goes over to voicemail, the criminals know you have switched off your phone and then they step in and transfer money out.

Banks offer their clients the option of receiving an authentication SMS for logins into their bank accounts and PINs sent via SMS for loading a new beneficiary in order to make a payment.

If you do have such measures on your bank account, Myburgh says, fraudsters may attempt a cellphone SIM card swap to gain access to the SMS verifications and PINs. If they succeed you will not receive any messages as they go to another number set up by the criminals.

Once the fraudster has your bank account details, they log into your account, register a beneficiary and transfer money into an account set up at a bank using false details or 'rent' a bank customer's account. The cash is then withdrawn from that false or rented bank account at an ATM, he says.

According to Myburgh, while some criminals target large organisations to go after the big money and spend time and money researching the business to find opportunities in a targeted attack, the average salary earner and pensioner are at risk, too.

Myburgh says his business is aware of cases where the amounts stolen from individuals were as low as R500.

And if you think you don't have enough money in your account for most of the month, criminals review your history and lie in wait for your salary to appear in your account, when they swoop in, he says.

Typically, it takes 28 days from the time a fraudster compromises an account to the point they transfer money out, he says.

In this time, they watch your transactions, set up a beneficiary, possibly apply for online credit (such as an overdraft), raise account payment limits and check whether you have a home loan facility linked to your current account, he says.

Once you have taken steps to ensure your Wi-Fi connection is secure, you still need to practise safe browsing on the internet.

Checking on a website's security certificates can help, but to truly understand what you're doing requires security expertise most users don't have, White says.

A digital certificate is an electronic "passport" that allows a person, computer or organisation to exchange information securely over the internet using the public key infrastructure provided by a trusted, designated authority and made available to everyone through a publicly accessible repository or directory.

Instead, as an internet user, you should be on the lookout for certificate errors (see "How to safeguard yourself" alongside), which browser creators have put a lot of effort into over the last few years.

Green agrees, saying that checking on a website certificate will reduce your chances of being intercepted, but it will not guarantee that your connection is secure.

For sensitive activities such as internet banking, Green's preference is to avoid using public Wi-Fi hotspots altogether or use a Mi-Fi device (a portable router that has its own SIM card) to provide your own portable hotspot connected directly to the cellular network for more sensitive transactions.

But even using your own Wi-Fi router in your home or office, which has been properly set up with a password, could be vulnerable, according to Kalyani Pillay, CEO of the South African Banking Risk Information Centre. She says an attack on the Wi-Fi-protected access protocol that secures Wi-Fi connections was discovered in 2016.

It is called KRACK, which stands for Key Reinstallation Attack.

She says any device that uses Wi-Fi may be vulnerable to KRACK, which bypasses the security protocol that is used by most routers and devices that can communicate with the internet.

KRACK compromises the authentication handshake - which is like a secret greeting - between your device and the modem or router which confirms that the user is allowed to legitimately access it. Once the Wi-Fi security handshake is broken, attackers can gain access to personal and confidential information should you be sending or using it online.

On the upside, though, Green says since the discovery of KRACK, device manufacturers have been working on new versions of software to overcome the vulnerability it exploits.

To safeguard yourself, you should regularly update the software for your laptop, tablet, phone or router in line with recommendations from the device manufacturer. This applies to all devices including Wi-Fi access points and devices, Green says.

How to safeguard yourself

Advice from cybersecurity experts is to regard all public Wi-Fi access points as untrusted and to take every precaution possible to ensure sensitive information such as your bank details do not land in the hands of cybercriminals.

Danny Myburgh, MD of digital forensic lab Cyanre, says you need to be vigilant, use all the security features available and take care not to be negligent with your bank details.

Advice from Jim Green, a security expert at GNL Cyber, is that if you need to make a secure transaction connection to, for example, do a banking transaction while on the road, first make sure you are not connected to a Wi-Fi hotspot by turning off Wi-Fi access on your device.

Then connect directly through your cellular phone data network and use your bank's mobile banking application for better security.

If you are at an internet cafe, for example, and have to do a bank transaction and are not able to use your bank's mobile banking app for some reason, turn your phone into a mobile hotspot and link your laptop to it for internet banking transactions, or even link your phone to your laptop with a USB cable.

This way you will not be communicating via the public hotspot and cannot fall prey to a man-in-the-middle attack, Green says.