Cybercriminals are targeting travelers by creating phony Wi-Fi hot spots in airports, in hotels, and even aboard airliners.
Vacationers on their way to fun in the sun, or already there, think they’re using designated Wi-Fi access points. But instead, they’re signing on to fraudulent networks and hand-delivering everything on their laptops to the crooks.

In 2008, Silicon Valley-based AirTight Networks, a wireless security company, sent a team of “white-hat” hackers — good guys who try to thwart “black hat” hackers — around the world on an international airport study.

They checked the Wi-Fi networks at 27 airports — 20 in the U.S., five in Asia and two in Europe — and the results were not good.

At John F. Kennedy International Airport in New York, the baggage-handling system was being run on an insecure network. At other airports, ticketing systems were similarly exposed.

And everywhere they looked, they found fake Wi-Fi hot spots set up by hackers phishing for suckers — and there were plenty of suckers to be had.

“We found a lot of people using insecure Wi-Fi,” says AirTight investigator Rick Farina, “and people engaged in all sort of dangerous activity — checking their e-mail, doing their banking, buying stock. These are not the kinds of thing you want to be doing on public Wi-Fi.”

And according to their study, even the “secure” networks weren’t all too safe.

Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001.

Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren’t official hotspots. Instead, they were running off someone else’s computer.

In response to the rise in vacation hacking, some companies are beginning to tighten up security.

When AirTight’s Farina alerted American Airlines to vulnerabilities in its system earlier this year, the airline took action.

“I can’t tell you what they did,” says Farina, “but their Wi-Fi is safer.”

JetBlue also says it has taken appropriate steps.

“Phishing is a risk that exists anywhere there are wireless services available, which is pretty much everywhere these days,” says JetBlue spokesman Bryan Baldwin.

“At our Terminal 5 at JFK, where we offer free Wi-Fi, we have measures in place to minimize risks for our customers,” he said. “We’d prefer not to go into detail about the specifics of those measures, because the details could be used by clever hackers against the defenses.”

A spokesman for the Marriott hotel chain would give only a terse statement:
“When it comes to online security, Marriott has worked diligently to protect our guests.”One thing all security experts agree on: When it comes to hackers, the best defense is a good offense.

---

Filed under: Security - @ July 11, 2009 5:13 pm

Tags: hacking