In recent years, the number of publicly available Wi-Fi hotspots has increased significantly. We have reached a point in time where public Wi-Fi in coffee shops, restaurants and hotels has moved beyond ‘nice to have’ to ‘expected’ and choices of destination are often being decided by Wi-Fi availability over and above the quality of food, drink and accommodation. With this increased availability, including other areas such as public libraries, airports, railway stations and on board public transport, so are the risks increased; something not widely understood.
My first suggestion is to avoid public Wi-Fi altogether and connect using 3G, 4G or 5G when it arrives to avoid all the security issues with public Wi-Fi. With this approach, the security which needs consideration is the telecommunications’ provider; one provider, not 100s or 1000s of different connection points in places you might never visit again. That said, it is not always an option for any number of reasons:
- Not all tablets have SIM card capability and sold as Wi-Fi only
- Roaming charges outside of the European Union can be too cost-prohibitive, resulting in a financial need to use Wi-Fi. However, if this is a frequently travelled destination or a long duration abroad, the option is available to use a foreign SIM card. Again, this is only as secure the confidence you have in the foreign telecommunications provider. Still, it will mean vetting one business rather than thinking or worrying about every Wi-Fi provider you connect with while out and about.
- Not many laptops have SIM card slots as standard; however, USB attachable mobile broadband is available and works in much the same way. Alternatively, set up mobile telephones and tablets as remote hotspots to route internet traffic.
If public Wi-Fi is the only option available, the following suggestions will strengthen your security posture and reduce risks.
Use a Virtual Private Network (VPN)
A VPN establishes an encrypted connection to an Internet server. Communication with the Internet is through this server instead of directly through public Wi-Fi.
The public Wi-Fi router will only see the encrypted connection between your PC, tablet or telephone and the VPN server. Encryption doesn’t stop interception of traffic, but considering the effort required to decrypt the data against the reward which may be available from doing so, unless a specific person is a target for particular reasons, an attacker is likely to choose an easier target.
If you were to log in to your bank, for example, the request is encrypted and sent to the VPN server. The public Wi-Fi only sees the encrypted connection. The VPN server connects to the bank. The bank, at this point, sees the VPN server, including the IP address of the VPN, not the IP address from your device. Up to the moment when you need to login to specific services, the VPN allows you to browse the Internet anonymously.
In addition to improved security, there are other motivations for using a VPN such as gaining access to region-specific websites. Many websites check the IP address of the incoming connection, and present content based on the geographical location of visitors. Using a VPN can bypass these checks if the VPN server is in the same place as the site you want to visit.
Many sites have geographical restrictions for legal reasons such as the broadcasting of licensed content. The BBC requires a TV licence for streaming of live content; therefore restricts access to IP addresses known to be within the UK. Likewise, with Amazon Prime, films and television programmes are available under licence for specific regions and apply restrictions to streamed content.
Consequently, because VPNs can bypass geographical restrictions, to comply with contractual requirements, extra measures often need to be taken to block access such as checking IP address ranges against known VPN services and blocking access. Some services will ask for the VPN to be disabled, but such requests are not always reasonable, and if you have invested in a VPN service, you should think twice if a website asks you to disable it.
For improved security, some websites check previously used IP addresses with the IP address used for the current connection to prevent unauthorised access. In practice, this means that using a VPN could result in a significant increase in identity checks such as emailing confirmation codes or one-time-use passwords. Although this might feel frustrating, this process does work as a form of two-factor authentication. With the VPN service, the servers could be in many different countries, and the server used can fluctuate quite often. From the perspective of your bank or other online services, the connection will show as coming from different countries and could easily be interpreted as potential unauthorised access.
The key is not to let the change in behaviour of websites you are visiting distract you from the fact that the VPN is there for your personal safety and security, and not to entertain the idea that you should need to disable it. If you were told by a website or piece of software, to disable your anti-virus software to use their service, you would not follow their instructions. Treat your VPN service in the same way!
Businesses that allow remote and home working provide their staff with VPN access as a means of connecting to the company network and protecting corporate data, which often includes customer data.
VPN services are not expensive. Some services are available free of charge. However, a key consideration is the trustworthiness of the VPN provider. With a VPN, you are choosing to explicitly route all your internet traffic through specific servers belonging to the VPN service provider; therefore, the provider must be trustworthy. Some of the leading brands in anti-malware offer VPN services, but when searching the Internet, there are 1000s of services available, most of which will be unknown to you. It is easy to assume that any VPN will do, but this could not be further from the truth.
Suppose you install a VPN service belonging to fraudsters for example. In that case, all Internet traffic travels through servers belonging to fraudsters, something far worse than the risk that someone might intercept communication over public Wi-Fi.
It is your responsibility to do your research and choose a service provider that you can trust and depend on for services. I wrote an article last year called ‘The Website Credibility Test’, but dependability and credibility are often very subjective, and the emphasis in this article was to help people decide for themselves.
Regardless of how you connect to the Internet, whether it is public Wi-Fi, 3G/4G, or from home, using a VPN is still a good idea. Without a VPN, there are always extra measures to improve your safety and security online. Here are more suggestions, and why they are essential.
Use HTTPS instead of HTTP
Accounts which require you to logon should be using HTTPS:// (Hypertext Transfer Protocol Secure) as the protocol in their web address, and not just HTTP://. HTTPS:// encrypts traffic between your browser and the website that you are using. Regardless of where you are and how you are connecting to the Internet, only use login credentials on a website with HTTPS.
- Logging in on an HTTP website can expose your logon credentials. With the same logon credential used in multiple places, accessing low importance sites with public Wi-Fi can facilitate access to high importance sites.
- The options to always use HTTPS is available in browsers or available as an add-on component. If you use HTTP where HTTPS is available, the browser will change the connection automatically to HTTPS.
Other thoughts for consideration
So far, we have considered not using public Wi-Fi, using a VPN, and making sure that secure connections use HTTPS instead of HTTP. There are more things to help protect yourself online, and plenty of reasons why it is essential to do so.
- Malicious Wi-Fi – not all public Wi-Fi is legitimate. Suppose the first thing you do when visiting a coffee shop, restaurant or any other location is to look for the free Wi-Fi. How do you know that the network you are selecting is a legitimate service offered by the establishment you are visiting. If in doubt, ask a member of staff for the Wi-Fi details to make sure you are connecting to the right network. Anyone could create a mobile hotspot called ‘Coffee Shop Free Wi-Fi’ and make it look official.
- Free Wi-Fi without login details – if you can connect to Wi-Fi without a network ID and password, the connection is most definitely unencrypted
- Free Wi-Fi with auto site connection – when you have selected your Wi-Fi and open your browser, you are redirected to a specific page rather than your usual default page. These pages often open automatically and often ask for registration, but not all of them are legitimate. Some are there for the sole purpose of capturing personal information.
- Free Wi-Fi which requires extra software – Software installations are never necessary to use Wi-Fi. If a Wi-Fi connection redirects you to a webpage to download and install software, reject the idea altogether.
- Popup adverts on free Wi-Fi – advertisements delivered through free Wi-Fi often manipulate users into downloading malware. For example, special offers relevant to the current location, such as a 20% discount on duty-free goods through free airport Wi-Fi. If you believe the Wi-Fi service is genuine, you will not suspect an electronic attack.
- Something free needs a credit card – there are so many sites which offer something free, then ask for credit card details. If the intention is to provide you with something free of charge, your credit card is not required. If a credit card is required, it means their ulterior motive is to charge you for something. You should never need a credit card to connect to Wi-Fi – anywhere.
- Turn off file-sharing when connected to a public network
- Disable Wi-Fi in public places if access is not required
- Protect your devices with anti-malware
There is no such thing as 100% safety or 100% security, and although one option is never to connect to public Wi-Fi, ever this is far from practical, and there will always be times when it becomes necessary. The next alternative is to be selective over how you use your devices while connected to public Wi-Fi, such as:
- Not accessing bank accounts
- Not entering credit card details
- Not accessing social media accounts or email accounts
These options are not always practical and are activities people expect to be able to do safely and securely.
To conclude, here are three suggestions:
- Use 3G/4G to access the Internet instead of relying on public Wi-Fi
- Use a VPN configured to connect to the Internet; adding an extra layer of security even over 3G/4G and acts as a backstop in any dead spots where Wi-Fi is needed.
- Be mindful of how you are using the Internet in public and avoid anything which is out of the ordinary or deviates from standard established practices
Robert is an information security professional with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through Telegram.