The Lowdown on Public Wi-Fi

I am writing this from an airplane. Often, when I hop on a plane — particularly for a long flight — I wait for the ascent to 10,000 feet and immediately jump onto public Wi-Fi, just as I do in coffee shops, the dentist’s office, and pretty much anywhere else I can grab a signal. But that was before I spent an hour chatting with Joe Gervais, director of security communications at LifeLock, and part-time hacker (though Gervais points out, he hacks “only for good”). The point of the conversation was to figure out when it’s okay to use public Wi-Fi, when it’s not, and what you can do instead. Here’s what I learned…

What is public Wi-Fi? Any Wi-Fi that’s shared with someone other than yourself and the members of your household. A guest account that’s been set up for visitors to a particular company? Hotel Wi-Fi, free or not? In-flight Wi-Fi? Public, public and public. It doesn’t matter if it’s free or you pay a fee, or if it’s password protected.

Get that? Even if the Wi-Fi network requires a password, that doesn’t mean it’s safe.

What danger does that pose for me? Whenever computers are on a shared network, all the data is flowing over shared “wires.” Every computer on the network can see all the data flowing over that network. The default behavior, Gervais explains, is to ignore data that isn’t meant for your machine. But if you’re technically savvy and so inclined, you can, essentially, flip a switch and see everything. Most of it, he says, is garbage unless you’re a “network geek, a hacker, or attacker.” Then you can learn things that could be used, for example, in targeted phishing attacks.

For example? Say you’re a veteran, and you’re researching PTSD. You go online to search the terms, “PTSD” and “treatment.” Maybe you look up a local treatment center or a Veterans Administration support group. How much information an attacker can glean depends on the kinds of website pages you visit.

If you’re on secure websites (which have “https” in the URL address) vs. insecure ones (which have only “http”), the attacker can see the site itself, but not the page you went to. Visit enough sites, though, and it still might give someone enough information to launch a relevant phishing attack against you.

Even downloading apps on public Wi-Fi is to be avoided. A sophisticated attacker could pose as that app telling you there’s an update and use that via phishing to get you to give up personal information—your financial info, for instance, if you were downloading a bank’s app.

This is getting very scary. You’re telling me. But there a few things you can do to keep yourself safer.

1. Limit your behavior on public Wi-Fi. Don’t do anything on your browser that you wouldn’t do if a stranger was sitting next to you staring at your screen, Gervais says. That means no transacting. It also means not sending emails that contain sensitive information. You’re better off picking up the phone or, if that’s not possible, texting.
2. Use a VPN app. VPNs are virtual private networks and they come in app form for your smartphone and tablet. This creates an encrypted channel, so your online business is protected from prying eyes. Some good ones include WiTopia and F-Secure Freedome. You will find plenty of free ones in the app store, but Gervais cautions: “If you’re not paying for the VPN, you the user, are the product.” Use your hotspot. If you don’t want to go the VPN route, use cellular data on your phone and, for your computer or tablet, connect using the personal hotspot on your phone. Now that many of the cellular carriers are going to unlimited data, you can feel better about using it freely.

Oh, and while you’re at it, make sure your home Wi-Fi network is protected with a strong password. You don’t want neighbors “borrowing” your bandwidth, slowing your internet connection, or — if they’re so inclined — seeing what you’re doing online.

Contributed by LifeLock, which is a partner with the Medical Association. Medical Association members receive a discount on LifeLock memberships. Click to learn more.