BOSTON (CBS) – We constantly hear that using free public Wi-Fi is a serious risk when it comes to our personal information, but when faced with a choice of using up data or getting hooked up with free Wi-Fi, most people take the gamble.
So what is the reality of the risk?
“The risk for the public networks is because they are out there and open and unencrypted,” explained hacking expert Steve Walker. “An attacker can join just as easily as you can.”
That is exactly what we did, with Walker’s help.
“I can see all the different networks out there, all the different clients, and which one do I want to look like?” Walker explained while typing away on his laptop.
Wicked Free Wi-Fi is available on the Boston Common. Walker created his own imposter version with a laptop and a small device anyone can buy online. Anyone closer to his signal than the one the city is blasting out will only see the fake Wicked Free Wi-Fi option. If your device connected to the real system in the past, it could even automatically join this rogue Wi-Fi network.
Walker’s fake network had the exact same name as the real network. While the name is the same, the login page is different. On Walker’s fake Wi-Fi he created two phishing links to Facebook and Gmail. Click on those links, and Walker could see your password as you type it.
Sure enough, when we tested it, he saw WBZ’s Christina Hager typing C-H-A-G-E-R as her email password. (Don’t worry, that’s not her real password.) If that had been a fake business website instead of email, Walker would have easily seen Christina enter her credit card information if she attempted to buy something.
Even if you don’t click on phishing links once you are connected to an imposter Wi-Fi network, the hacker can see your every online move. Walker knew instantly when Christina opened the Google home page. This vulnerability can be exploited on any free and open Wi-Fi network at coffee shops, stores, airports, hotels – anywhere.
“There’s always a risk when you join any type of public Wi-Fi,” explained cyber defense expert Peter Tran.
If you do join a public network, Tran recommends turning off any file-sharing apps. For iPhone users, this means AirDrop.
“If you’re going to be on public Wi-Fi, make sure you’re not working with sensitive data or things you normally would not want to share with everybody,” Tran warned.
Before typing in credit card numbers or passwords, look at the address bar and make sure you see a lock icon next to the URL. This means the connection to the website is secure. On Walker’s fake Google page, the address bar did not have that lock. Instead of Google.com as the URL, there was only a series of numbers. That’s a big red flag.
It all adds up to the reason for the advice we hear over and over again, according to Tran. “If you don’t have to get on public Wi-Fi, don’t do it.”