Twist On Phishing Scam - WiFi "Evil Twin" Scams Users With False Hotspots
Ed Hansberry
01-26-2005, 08:30 PM
http://www.eweek.com/article2/0,1759,1752906,00.asp?kc=EWRSS03129TX1K0000605
"The Evil Twin is essentially a wireless version of a phishing scam—users think they're connecting to a genuine hot spot but are actually connecting to a malicious server, which can then extract information such as bank details. The attack can be carried out by anyone with the right equipment in the vicinity of a legitimate base station, according to Dr. Phil Nobles, wireless Internet and cybercrime expert at the U.K.'s Cranfield University."
Ugh. :? It is rapidly approaching the point where I am wondering if it is worth getting online. :(
foebea
01-26-2005, 08:41 PM
Hi, this is you bank.
We have heard of "Internet" phishing "Scams" and as such we need to verify your account information to be sure you are a "True" customer and not a "Scamerr". Please to send an email to us at "
[email protected] with your web username, password, first and last name, and also your social security number and credit card number and expiration date. This is for security validation purposes only and will not be shared with other parties.
Please reply soon.
SteveHoward999
01-26-2005, 08:48 PM
Unfortunately there are thousands of people who would assume that would be genuine, when we all know (don't we?) that such a thing would be utterly fake.
As for the hotspot ... this guy is just demonstrating a possibility, right? In other words he is taking the time to show all the nasty elements what they need to start investigating, rather than showing us what they are already getting up to ... ?
Besides. What sane person uses things like Wallet or whatever to store bank details etc on their laptop or PPC? Aren't they ASKING for trouble?
gorkon280
01-26-2005, 08:51 PM
This has been happening for a long time now and both Engadget and Slashdot covered this last week. How do you avoid getting duped? At home, never....ever broadcast your BSSID. Then you'll never have to worry. Same goes at work. Also, use bluespot or other gateways at work. Those go a long way to helping keep things from getting out of hand.
bkerrins
01-26-2005, 08:56 PM
I am getting frustrated going on line. I've had two systems completely crash because of some virus, trojan, spyware crap. I'm going to have to go back to "sneaker net". Probably one home PC to use and a separate, non-networked PC to surf...
Jimmy Dodd
01-26-2005, 09:01 PM
This is a bit more sophisticated than phishing via email. By providing a fake access portal that looks exactly like the expected one you could easily lull users into thinking they were working through the real site. The fake site could then redirect all activities to real sites, while harvesting any interesting info, such as bank numbers, passwords, etc.
This is akin to the old UNIX fake-login scheme from my college days (~20 years ago) where someone would run an app that appeared to be a login screen and then walk away. Unsuspecting users would then try to log in, allowing the app to harvest their username/password. The app could then give the new user an "unrecognized password" error and auto log out the original user, leaving the new user with a valid password. The new user would figure that he typed in his password wrong and try again, never wiser that his account had been compromised.
The more things change...
Jimmy Dodd
01-26-2005, 09:04 PM
This has been happening for a long time now and both Engadget and Slashdot covered this last week. How do you avoid getting duped? At home, never....ever broadcast your BSSID. Then you'll never have to worry. Same goes at work. Also, use bluespot or other gateways at work. Those go a long way to helping keep things from getting out of hand.
Also, never assume a public access point is secure.
frankenbike
01-26-2005, 09:07 PM
I'm not sure how this scam works. You log into a fake wireless network, and then they search the files on your computer?
Doesn't seem like it would be very effective with a PPC, since the server can't access the PPC without Active Sync.
Or you log into a fake wireless network and they actually act as an Internet gateway and log all your entry information as you browse?
It only seems like this would work if you access your bank's site with the PPC, assuming it's actually hooked up to the Internet. Maybe it would be a good practice not to access sensitive information on public hotspots.
Jimmy Dodd
01-26-2005, 09:15 PM
Or you log into a fake wireless network and they actually act as an Internet gateway and log all your entry information as you browse?
That's it.
It only seems like this would work if you access your bank's site with the PPC, assuming it's actually hooked up to the Internet. Maybe it would be a good practice not to access sensitive information on public hotspots.
Exactly. Or order anything off the internet with a credit card.
rocky_raher
01-26-2005, 09:49 PM
How difficult would it be for the tech geek setting up the public hotspot for one of the coffee shops/bookstores/etc to simply eavesdrop on the internet traffic between the WiFi AP and the internet connection?
As most of the above posters have said, you simply shouldn't trust a public internet source for banking, credit card purchases, or sensitive email.
Jon Westfall
01-26-2005, 09:57 PM
This is crazy. It would be nice if we could do authentication to these hotspots purely by some sort of private key / public key scheme. You have your bank's verified public key (which you get through a CD that they send you or you pick up at the bank) and you use it to encrypt your traffic. First time you send something to the bank, you submit your public key, so they can send you encrypted information as well.
Sounds like a good idea in theory, but a pain to set up.
sullivanpt
01-26-2005, 10:03 PM
Am I daft?
How is a man in the middle attack like this going to eavesdrop on passwords sent over an SSL or VPN connection?
I don't see the risk.
Sven Johannsen
01-26-2005, 10:07 PM
Am I daft?
How is a man in the middle attack like this going to eavesdrop on passwords sent over an SSL or VPN connection?
I don't see the risk.
I was going to ask essentially the same thing. How secure is the 128b SSL you get with an https connection?
fonze73
01-26-2005, 10:11 PM
Am I daft?
How is a man in the middle attack like this going to eavesdrop on passwords sent over an SSL or VPN connection?
I don't see the risk.
Over an SSL or VPN connection you are probably safe, which is probably why Boingo uses its own VPN for each connection and T-mobile has/is increasing its security. That being said, Cox's webmail does not use a secured webpage for mail viewing. And since people tend to hate having a lot of passwords if you get someone's webmail password and user name and then follow them to the bank website you can try the same info to see if you can log in.
My understanding is though you don't need to fake being an access point, you can just harvest the data as it goes through the air and then play it back on your computer.
Of course, given enough time and data, any security can be cracked.
Henry
Damion Chaplin
01-26-2005, 10:33 PM
I would say that any time you transmit information wirelessly, whether it be your cordless phone at home, your cell, or your wifi pda, that information is open to interception and decryption. There is no unbeatable encryption scheme, just ones that haven't yet been defeated.
I would recommend not ordering anything online via a wifi connection, including giving your credit card number just to get wifi access. In most urban areas, there are a thousand free hot spots that you can use instead of starbucks or B&N.
In other words, if you broadcast your credit card number wirelessly, you're just tempting fate to do something about it. :)
sullivanpt
01-27-2005, 12:36 AM
I just wanted to point out that using SSL over WiFi is no less or more secure than using SSL over the public Internet. Anyone with a packet sniffer anywhere along the way, wired or wireless can intercept your data, and eventually decrypt it. For 40 bit SSL it took somebody with 120 workstations eight days to crack in 1995. I'm not sure what the current brute force search time is for 128 bit SSL, but I think you are *reasonably* safe.
(It's far more likely people will lose their personal information by responding to a phishing scheme or by having it stolen from a corporate database -- Just ask T-Mobile customers!).
webdaemon
01-27-2005, 02:55 AM
I was thinking they were acting as the usual pay portal and when you enter your credit card info for access, they would keep that information. I thought I was safe because I will not use those pay portals, but now I see I'm more vulnerable than I thought.
Although, I don't really use wireless portals, free or otherwise. In San Francisco there are so many people with wireless home networks who don't know how to, or that they should, encrypt their networks so I can get on line just about anywhere in the city. This is where I see my vulnerability so I'll have to watch what I do when not at home or work...
Thanks for the heads-up!
jimski
01-27-2005, 06:43 AM
How many BILLIONS were spent this past holiday season on Internet sales? Come on retailers, it's time to step up to the plate and do something about this. Maybe a team of mercenaries or a pack of wolves.
LarDude
01-27-2005, 07:15 AM
Aha ! :D
I just knew this day would come! That's why I never leave home without my handy-dandy RF prophylactic-dome. It looks a little like that "cone of silence" (or was it "dome of silence") from the old "Get Smart" series, except it's made of copper foil instead of plexiglass -- that way, I can fold it up and hang it on my utility-belt.
Anytime I feel the urge to "wi-fi", I unfurl my RF-dome from the left side of my belt, pull out my mini-wifi-router from the right side of belt, unhook my mini-ADSL modem from the backside of my belt, and go looking for a phonejack. I know many of you may think that this seems like a tedious process, but hey, at least I can then surf with peace-of-mind, knowing that no packet sniffer can read my pocketpcthoughts postings until I'm good and ready...My only remaining issue is that the only spot left for my PDA is dangling off the front of my utility belt (which causes pain if I have to run anywhere)...I wonder how Batman solved this...hmmm
frankenbike
01-27-2005, 09:30 AM
Does PIE even support SSL?
aroma
01-27-2005, 01:37 PM
Well, I think this goes a little beyond just eavesdropping in on your WiFi traffic. It's more like a phishing scam. When you connect to the "evil" access point, the hacker controls the DHCP info you are passed, including a "bad" DNS server. When you go to www.YOURBANK.com, you are first directed to the hacker's webserver with fake YOURBANK website, SSL included, you enter your username and password, then you are forwarded on to the real YOURBANK website.
- Aaron
Ed Hansberry
01-27-2005, 03:01 PM
Does PIE even support SSL?
Always has. Pocket PC 2000 supported 40bit SSL and you could download SP1 and get 128bit. All 2002 PPCs supported 128bit except for Toshiba and MS had a download for those devices too. 2003/SE all support 128bit SSL out of the box assuming you are buying it in a country that the US allows exporting 128bit encryption to, which is most of them.
Go to an SSL page and in PIE select Properties. It'll tell you the encryption level.
sullivanpt
01-27-2005, 07:03 PM
Well, I think this goes a little beyond just eavesdropping in on your WiFi traffic. It's more like a phishing scam. When you connect to the "evil" access point, the hacker controls the DHCP info you are passed, including a "bad" DNS server. When you go to www.YOURBANK.com, you are first directed to the hacker's webserver with fake YOURBANK website, SSL included, you enter your username and password, then you are forwarded on to the real YOURBANK website.
- Aaron
Possible, but the "evil" access point's SSL certificate would have to be trusted (issued by Verisign or one of its competitors) or the surfer gets an invalid certificate warning in IE 6.
Cybrid
02-01-2005, 08:51 AM
Well, I think this goes a little beyond just eavesdropping in on your WiFi traffic. It's more like a phishing scam. When you connect to the "evil" access point, the hacker controls the DHCP info you are passed, including a "bad" DNS server. When you go to www.YOURBANK.com, you are first directed to the hacker's webserver with fake YOURBANK website, SSL included, you enter your username and password, then you are forwarded on to the real YOURBANK website.
- Aaron
Possible, but the "evil" access point's SSL certificate would have to be trusted (issued by Verisign or one of its competitors) or the surfer gets an invalid certificate warning in IE 6.
Something an average user would click through anyway....
In all, given a reasonable level of precaution, I'd say we'd be safe. Basically it's a time to benefit ratio, is using this scam going to benefit a bad guy enough versus another? Key point being demonstrated by how SSL is hard (not impossible) to decrypt and if they were smart enough to do that then they choose juicier targets...T-Mobile database.....
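An added example (not from any poster in this thread): a simplified Python model of the issuer and hostname checks behind the certificate warning discussed in the last few posts, showing that redirecting www.YOURBANK.com through DHCP-supplied DNS does not by itself yield a certificate the browser accepts. The issuer name, hostnames and certificate dictionaries are constructed placeholders, and a real browser validates a signed chain rather than an issuer string.

```python
# Simplified model of the two checks a browser makes before trusting an HTTPS
# site. Certificates, issuer names and hostnames are constructed placeholders.

TRUSTED_ISSUERS = {"Example Trusted CA"}  # stand-in for the browser's root store


def name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate name with the host the user asked for.

    A '*' counts only as the whole left-most label and never spans dots.
    """
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.example" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def evaluate(cert: dict, requested_host: str) -> str:
    """Return the verdict for the host typed by the user, not the IP DNS gave."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return "WARN: untrusted issuer"
    if not any(name_matches(n, requested_host) for n in cert["names"]):
        return "WARN: name mismatch"
    return "OK"


HOST = "www.yourbank.example"
REAL_BANK = {"issuer": "Example Trusted CA",
             "names": ["yourbank.example", "www.yourbank.example"]}
# Fake site, option 1: self-signed certificate that claims the bank's name.
SELF_SIGNED = {"issuer": "www.yourbank.example",
               "names": ["www.yourbank.example"]}
# Fake site, option 2: properly issued certificate, but for another domain.
OWN_DOMAIN = {"issuer": "Example Trusted CA",
              "names": ["*.portal.example"]}


def verdicts() -> dict:
    return {"real bank": evaluate(REAL_BANK, HOST),
            "self-signed fake": evaluate(SELF_SIGNED, HOST),
            "fake with own-domain cert": evaluate(OWN_DOMAIN, HOST)}


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{label:28} {verdict}")
```

Both fake-site cases end in a warning rather than a hard block, which is why the click-through habit raised in the last post matters.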