Is public WiFi really safe?

Updated: Wednesday, 22 Feb 2012, 9:10 AM EST
Published : Tuesday, 21 Feb 2012, 11:10 PM EST

INDIANAPOLIS (WISH) - If you use your smartphone, tablet or laptop to log onto the internet through a free wireless hotspot, you could be putting your personal information at risk. I Team 8 uncovered a silent scam that’s allowing criminals in Central Indiana to access your data without you ever knowing they were there.

You can find WiFi hotspots just about anywhere these days--from airports and hotels to coffee shops and restaurants. Consumer Reports recently found 70,000 wireless hotspots up and running across the country, and one new industry study predicts that number will quadruple by 2015. They offer quick, easy and free access to the internet, and usually they deliver.

But, I Team 8 discovered that what might seem like "safe surfing" could actually be putting you at risk. We partnered with digital information security experts from the Indianapolis based Sterlyn Group to expose the new tactics cyber criminals are using to try to steal your personal information and even your identity.

BEHIND THE DIGITAL SHADOWS

Sterlyn Group’s Director of Technical Services Lige Hensley is a new breed of “cyber sleuth,” who’s seen the rapid rise of digital theft up close. Over the last 15 years, he’s been contracted by hundreds of major companies and even the Defense Department to track and prevent security breaches. He goes behind the bits and bytes into a wireless world where your data can be up for grabs to anyone who knows how to find it.

“There were certain hospitals in Indianapolis where--if you pulled up outside with this one tool I have--you could see everything going on inside that ER. I'm seeing diagnoses, social security numbers, everything. That's been fixed. But, there is a lot out there that’s still not secured,” Hensley told 24-Hour News 8’s Troy Kehoe.

It’s been proven time and time again through a concept called “war-driving.”

“War-driving is just driving around looking for wireless networks that are not properly secured,” he said.

Asked if that was easy to find, Hensley laughed.

“Oh yeah,” he said. “Most big cities have them all over the place. New York is just littered with them, and it’s becoming a big problem.”

Finding security holes in free WiFi hotspots, he promised, wouldn’t be difficult.

“If I wanted to intercept your communications and redirect them to a different place, I could probably do that transparently, and you wouldn't know that I did it,” he said.

FAKE HOTSPOTS

It's all because of a new type of "silent" scam called a fake hotspot, aimed at stealing your private information and maybe even your identity. And it may be closer than you might think.

“Anybody could do this,” Hensley said, as we climbed into the car. “You can just walk into a Starbucks and anybody could do this.”

I Team 8 put that claim to the test, hitting the road with a laptop computer in hand.

“What I've got here is the most basic things. There’s one special tool that is free on the internet. But, this is a basic laptop running Windows 7 right out of the box, and I have a wireless (transmitter) I bought at Walmart like 6 years ago. This is all pretty old school. But, that’s how simple it is,” he said.

We headed downtown, and parked near a Starbucks coffee shop. Within moments, legitimate wireless networks began appearing on Hensley’s computer.

“There are probably 30 of them [showing up] as we just sit here in the parking lot,” he said.

 

Most of them were fairly secure, requiring passwords to log on. But, we found a few that weren’t protected.

Hensley went to work, creating his own wireless signal. We called it “Fast Free Internet,” and it was up and running 42 seconds later.

It’s a simple option on most computers, designed to let users create their own hotspots for use on multiple electronic devices. And, it’s perfectly legal.

“I’m piggy-backing onto whatever existing wireless network is available. So, if you're in a hotel for example, I would connect up to the wireless at the hotel and use their internet,” he said.

But, criminals take the hotspot a step further, Hensley said.

“They trick you into connecting. So, if I’m trying to get to your data, I trick you into connecting to my signal. I might call it fast free internet. I might change a letter or number that makes it look like a real hotspot that’s already there. Once you connect to that, at that point, I'm the choke point for all of your traffic,” he said.

Less than two minutes after our “Fast Free Internet” hotspot popped up, we got our first nibble.

“I'm seeing somebody,” Hensley said. “Somebody's definitely on. I can see them talking to a web page.”

Someone had logged on to our "fake" hotspot. We didn't look inside their device, but Hensley says criminals with the wrong intentions often do.

“I can see anything that goes over the air through this internet connection. Anything you're doing through fast free internet, to a degree I can see. If you go to your banking website and it's encrypted, I can't see it as easily. But, I can tell that you went. And, with other tools, there's a chance I could dig into it,” he said.

That means financial information, stock trades, usernames and passwords could all be at risk when you’re connected through a fake WiFi signal.

“Some sites are more secure than others, but on a lot of them, it’s just a matter of time,” Hensley said. “If you go to Yahoo [email] for example, I probably can't see your password, but I can probably see the messages themselves. The trick is in getting you to connect to me.”

I Team 8 used a smartphone for proof.

PUTTING THE SCAM TO THE TEST

Hensley set up a new signal called “fast internet,” and we connected to it, typed in a web address, and hit “go.”

“You’re on wishtv.com,” he said seconds later.

We went to another site.

“I see Twitter, AP Broadcast, Facebook,” he said. “Your phone is connecting to all of these.”

It sounded innocent enough.

What could he do by simply knowing what sites we’d visited or applications we’d clicked on?

“Well, not that much by itself,” he admitted. “With this simple setup, I can’t always break in [to find data]. But, I can actually go back and see what you saw. And, if I knew that you, say—went to your bank’s website every morning, or every week to check on your direct deposit--then I could be a lot more dangerous. Let’s say it’s bank.com. With a little prep work, I could give you my version of bank.com, and when you click the login button, you're no longer going to your bank. Now, you're going to my bank. When you put in your username and password, now I have your username and password.”

Asked how long that breach might take, Hensley thought for a moment.

“For somebody that knew what they were doing? Less than an hour,” he said.

Turns out, criminals may have been out “fishing” for that information even at that very moment.

ALREADY HAPPENING?

While we sat parked in the car near Lucas Oil Stadium, Hensley ran across a WiFi hotspot simply labeled "hotel."

“Is that really a hotel, or is it somebody trying to make you think it’s a hotel? Usually, they have their name attached, and they may require you to authenticate it as well,” Hensley said.

Asked if the signal could be a fake, Hensley nodded.

“Oh, it very well could be. I mean, hotel? Really? I would be very surprised if that's actually a hotel’s [WiFi signal,]” he said.

A few minutes later, the signal disappeared.

DIAGNOSING DIGITAL DANGERS

For security experts like Sterlyn Group President Mark Clausman, it's no surprise.

“20 years ago, it used to be pick-pocketers. Now it's this. They can do all of this remotely. They don’t have to bump into you now,” he said.

That’s created additional dangers, Clausman says.

“It used to be that hackers would leave a trail. Now, we’re asking the questions--do they even know if they're being hacked? Do they even know if they're being compromised? [The answer is no] most of the time,” he said.

It’s all because of the increasing mobility of digital information.

“Wherever you go, there’s WiFi now. It's mobile. Everything that you used to have on your laptop is right here,” he said, holding up his Blackberry.

And the fakes can come in many forms.

Back at the WISH-TV studios, Hensley created a fake hotspot called "WISH-TV WiFi.” At least--that's what it looked like.

"That's an L,” he said, grinning. “The letter I in WISH is an L. You don’t really notice it unless you’re looking for it. So, I could send everyone at WISH-TV an email from this from your I.T. Department and say--hey I'm working on the server. I need your password to test things out. How many of your people do you think would reply to me?”

Pausing, he answered his own question.

“The answer is about 30 percent,” he said. “30 percent on average reply with their password. That’s access to a lot of people’s information all at once.”
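The lookalike network name described above (an L standing in for the I, or one changed letter or number) can be caught by comparing the names a device sees against a list of known-good ones. This is an added example, not part of the original report; the function names, the confusable-character table and the sample scan list are constructed for illustration.

```python
import unicodedata

# Characters easily mistaken for one another in a network list.
# Constructed table, not exhaustive; applied after case-folding.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

def skeleton(ssid):
    """Reduce a network name to a form where lookalike names collide."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    mapped = folded.translate(CONFUSABLES)
    # Spaces, hyphens and underscores are ignored when people read a name.
    return "".join(ch for ch in mapped if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(trusted, scanned, max_edits=1):
    """Return (seen, real, reason) for names that imitate a trusted one."""
    findings = []
    for seen in scanned:
        for real in trusted:
            if seen == real:
                # An identical name cannot be judged by name alone;
                # that case needs the access point's hardware address.
                continue
            distance = edit_distance(skeleton(seen), skeleton(real))
            if distance == 0:
                findings.append((seen, real, "confusable characters"))
            elif distance <= max_edits:
                findings.append((seen, real, "near match"))
    return findings

# Constructed sample data: one known-good name and one scan result.
TRUSTED = ["WISH-TV WiFi"]
SCANNED = ["WISH-TV WiFi", "WlSH-TV WiFi", "WISH-TV WiFi2",
           "hotel", "Fast Free Internet"]

if __name__ == "__main__":
    for seen, real, reason in find_lookalikes(TRUSTED, SCANNED):
        print(f"{seen!r} imitates {real!r}: {reason}")
```

With a short trusted name, `max_edits=1` can flag unrelated networks, so the threshold suits longer names like the one used here.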

There’s another potential pitfall too: automatic connections.

As we sat in a conference room, data from cell phones, laptops and tablet computers was flying all around us. Hensley was watching some of them connect to his fake signal without ever hitting a single key.

“Computers talk all the time. It's not just when you log into Facebook or check your email. Those are all communications going on constantly behind the scenes that you never know are happening. Your computer right now is talking to places all over the country and you have no idea that it's happening. And, it doesn't take long to pick up on it, because a lot of devices just automatically connect,” he said.

Then, pausing, he looked up from the screen.

“It’s really kind of scary how much information you can get on someone in just a few minutes,” he said.

PROTECTING YOUR INFORMATION

We asked Hensley and Clausman for tips on how to keep your information safe.

Both said disabling automatic WiFi connections on your cell phone, tablet and laptop can go a long way.

“Choose the option that lets you choose the signal,” Hensley said.

You should also protect your information by requiring passwords on open WiFi signals in your home or workplace and on your devices.

“If you were to lose that device, not only could I see everything on it—your emails, family pictures, contacts—but I could also send emails as you. Imagine the information I could get just by sending emails as you,” Hensley said.

In 2006, Indiana University researchers studied nearly 25-hundred wireless access points in Indianapolis, and found almost half didn't require a password or contain encryption of any kind. Hensley says those numbers have greatly improved, but there are still plenty of unsecured signals.

Because of that, Clausman also suggests avoiding free WiFi in heavily congested areas, like festivals or concerts.

“I would be very cautious about using my wireless or portable device in a situation like that. And, definitely I wouldn't be doing any online banking or sensitive information,” he said.

Finally, it’s a good idea to ask questions. Most airports, hotels or coffee shops can help steer you toward the real signal.

“A lot of the techniques we've learned is because we've uncovered what someone else has done,” Hensley said. “We don't know what they're going to do until they do it. We're reacting constantly to what they do. So, the biggest thing is--if it doesn't look right or doesn't sound right, it's probably not.”
