Troels Oerting, head of the European Cybercrime Center at Europol, told Click (the BBC's technology show) people should not send personal data across networks they cannot trust. That effectively includes any public Wi-Fi hotspot. "We have seen an increase in the misuse of Wi-Fi, in order to steal information, identity or passwords and money from the users who use public or insecure Wi-Fi connections," he said.
He was particularly warning about hotspots set up by criminals to masquerade as legitimate hotspots. It's not a new technique, but seems to be on the increase. "Cybercriminals with nefarious intentions can set up a rogue wireless hotspot and give it an official sounding name, such as ‘Airport_Official’, to attract the unaware. They can then scan all requests, entered passwords, and even direct people to malicious sites. Businesses are particularly vulnerable to these types of attacks due to an ever more mobile workforce," explains Carl Leonard, senior security research manager EMEA at Websense.
The problem is that mobility has become a way of life. People wish to access the internet from anywhere, at any time for any purpose. Sean Sullivan, security advisor at F-Secure, understands the issues better than most. "Does insecurity stop me from using open hotspots? Nope," he admits. "I use free Wi-Fi all the time. And I don't plan on changing that particular habit anytime soon. But I know it's not secure – free Wi-Fi hotspots are typically available in public places. That's public as in not private."
His solution is not to attempt to restrict people's use of public Wi-Fi, but to protect it. "If you want to use an open Wi-Fi hotspot to search for the latest sports scores – go for it. But if you want to check your bank balance, read your email, have a private chat with your friends – get yourself a VPN service.”
Kaspersky Lab's senior security researcher David Emm takes a similar view. "When surrounded by others in the comfortable environment of your favorite coffee shop, the eagerness to check in with friends on Facebook, purchase that great new track you just heard on the radio or even send a last minute work e-mail often overpowers the sense of caution," he says. But again, his solution is not to prevent the practice, but to take personal control and secure it. He offers four steps for protection.
Firstly, he says, "Use only trusted and secure Wi-Fi networks if you’re going to do anything confidential;" that is, anything that involves a username and password, or confidential data. Secondly, if you have to log into a particular website, "look for ‘https’, the unbroken padlock symbol and check the security certificate."
Thirdly, he says, "Secure your computer with a reputable Internet security product;" and fourthly, do this for all your devices, desktop, laptop and mobile." These four steps, he suggests, "can greatly reduce the risk of attack."