According to Javelin Strategy & Research's 2019 Identity Fraud Study, 14.4 million Americans were victims of identity fraud in 2018. While this was down from the year prior, those victims in 2018 bore a heavier financial burden. Moreover, mobile phone account takeovers almost doubled from 2017 to 2018.
Protecting against fraudsters and other security threats is particularly important when using public Wi-Fi hotspots because these networks generally lack appropriate security safeguards. Public Wi-Fi can be convenient and help mitigate data charges, but those who use hotspots should understand the risks and know how to properly protect themselves from fraud and identity theft.
Warning Signs
Some public Wi-Fi networks are more secure than others, while some might even be fake networks designed and set up by scammers for the sole purpose of stealing your personal information. If a public network has a generic name like "Free Public Wi-Fi," then there's a chance it might be one of these networks. Typically, coffee shops, airports, hotels, and libraries have distinct network names. These networks are still susceptible to scammers, but those that have password prompts are more secure than those without. Public Wi-Fi networks are also usually free, so be wary of those that ask you to pay for the connection, as this might signal a fraudulent network operated by a scammer seeking your credit card information.
Types of Attacks
In order to be fully aware of the security threats associated with public Wi-Fi, it's important to know some of the common ways fraudsters can steal your information and identity. In addition to establishing fake networks known as the Evil Twin technique, one of the most common techniques is a man-in-the-middle (MITM) attack. MITM attacks involve a third party intercepting communications between a server and client via a compromised router. A scammer facilitating a MITM attack can easily gain access to your private messages, as well as usernames and passwords. Leave a website immediately if you're using public Wi-Fi and receive a notification that it might not be authentic.
Another common and relatively simple type of public Wi-Fi attack is known as packet sniffing. Scammers can analyze and steal your data on unencrypted networks via free—and even legal—software like Wireshark. Many people use this software to analyze web traffic, but cyber criminals have been able to exploit it to obtain data, including usernames and passwords, from your web session.
"When we started we had to get approval and the legal team in Maryland checked whether it's okay to sniff and couldn’t find any law preventing you from sniffing," notes University of Maryland professor David Maimon. "Banners before you log in to public WiFi, where you agree terms of use, sometimes specifically mention you’re not allowed to sniff and that makes it illegal, but if there’s no banner then it's not illegal at all."
Don't Automatically Connect to Networks
If you're planning to use public Wi-Fi, there are a number of precautions you can take to protect your information from being stolen. However, if you aren't careful, that information can be stolen without you even knowing you're connected to a network. Mobile phones generally offer the option to automatically connect to nearby Wi-Fi hotspots. Without turning off this option in your phone's settings, you can be connected to an unsecured network without even knowing it.
Use a Virtual Private Network
Whether on a mobile phone or laptop, consider using a virtual private network (VPN). These can effectively protect any information you share on websites, even on unsecured networks. VPNs act as a virtual tunnel and safeguard all information against prospective hackers. There are hundreds of VPN apps, but it's important to do sufficient research before downloading one because some might share information with third parties for ad-related purposes or fail to use encryption.
Avoid Websites That Aren't Fully Encrypted
Encrypted websites are safe to use on public Wi-Fi networks. The process of encryption involves scrambling information sent over the internet into code that is inaccessible to potential hackers. Thus, you can safely share information over banking sites and social media platforms so long as they are encrypted. Websites that are encrypted will have "https" at the beginning of their web address as opposed to "http." You should check the address on every page of a website since some only use encryption on the sign-in page.
Unlike websites, mobile apps do not have an indicator that alerts the user as to whether or not they are encrypted. The FTC suggests using the company's mobile website as opposed to its app if you must share information over an unsecured network.
Consider Browser Plug-ins
Many websites aren't encrypted, but fortunately there are plug-ins or add-ons that prompt browsers to use encryption on prominent, high-traffic websites that aren't otherwise encrypted. HTTPS-Everywhere and Force-TLS, for instance, are free Firefox browser add-ons. You should still look for "https" in the address bar to determine if the site is secure.
The best overall protection
Despite this posts focus on the identity theft risks from public wifi, as always, the best protection is to own a comprehensive identity theft protection that offers restoration services and which covers all major types of ID theft—driver’s license, credit, social security number, medical, character or “criminal”, and synthetic. There are only a small handful of plans that offer true restoration services, but they are well worth it, and relatively inexpensive.