A reminder that public Wi-Fi hotspots may not always be what they seem

Sometimes those "Free Public Wi-Fi" networks that smartphones can connect to when out and about are actually fakes, created by scammers.

A funny thing happened to me on the way to the office this morning. I was sitting in a carriage on a District line train, trying to check Twitter, and when I tried to connect to one of Virgin Media’s public Wi-Fi hotspots I was instead bounced over to something called “PDM Wi-Fi”. Then a login screen appeared:

Now, Facebook doesn’t offer “free wifi [sic] with more than 50 Facebook Hospots in London ! [sic]”. I could also pick the hotspot up when the train was sitting in a tunnel between stations, and none of London’s underground trains carry Wi-Fi hotspots. In short, it was a fake hotspot, masquerading as a legitimate one.

I didn’t put my Facebook username and password into it to see what would happen, as chances are it was a phishing scam from someone - possibly sitting near me in the same carriage at the time, such was the strength of the signal - looking to get my login details.

Whoever was behind it was broadcasting a bunch of other networks with dodgy names too (I didn’t screengrab, but they included things like “freeBTwifi”). Phishing attacks using public hotspots are no new thing - appearing in public spaces, airport terminals, stations, and so on for years - but this is the first time I’ve seen or heard of one on a moving train.

Why do it? Well, aside from the passwords, when you access the internet through a public hotspot, you're giving whoever has access to that hotspot the ability to view what you're doing, as long as you don't encrypt your data. This is why tech people get annoyed at Yahoo for taking so long to turn on HTTPS encryption as default for its email service, several years after Google did the same. It's an unnecessary vulnerability that could be exploited.

To keep yourself safe when using public internet hotspots, the first thing to check is the type of connection. An ad-hoc network is one where two or more computers connect directly to each other (you can create one with any smartphone quite easily, if you need to share its web connection with a laptop, for example), and it normally shows up differently in any list of wireless networks you can connect to. My phisher had disguised his hotspot as a legitimate router, but someone else may not take that step.
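For readers who want to automate that first check on a Linux laptop, here is an added example (not part of the original article) that reviews a Wi-Fi scan listing and flags ad-hoc networks and networks with no link encryption. It assumes the colon-separated terse output of `nmcli -t -f SSID,MODE,SECURITY device wifi list`; the scan lines are constructed, and the function names are hypothetical.

```python
# Constructed sample in the assumed nmcli terse format: SSID:MODE:SECURITY
SAMPLE_SCAN = r"""Free Public Wi-Fi:Ad-Hoc:
freeBTwifi:Infra:
Office\: 3rd floor:Infra:WPA2
:Infra:WPA2
"""


def split_terse(line):
    """Split one terse line on ':'; a backslash escapes a literal ':' or '\\'."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # keep the escaped character as-is
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def review_scan(scan_text):
    """Return (ssid, reason) pairs for networks that deserve a second look."""
    findings = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # blank or malformed line
        ssid, mode, security = fields
        name = ssid or "<hidden>"
        if mode.lower() == "ad-hoc":
            # Another device, not an access point, is offering this network.
            findings.append((name, "ad-hoc"))
        if security in ("", "--"):
            # No Wi-Fi encryption: anything not sent over HTTPS is readable.
            findings.append((name, "open"))
    # An unflagged network is not proven genuine: a fake can pose as a router.
    return findings


if __name__ == "__main__":
    for name, reason in review_scan(SAMPLE_SCAN):
        print(f"{name}: {reason}")
```
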

The same scepticism you would apply to spam emails can also be used here. Look at that sign-in page above - something immediately feels wrong, doesn’t it? Quite aside from the grammatical mistakes and the off-centre words on the buttons, it should immediately be suspicious that a hotspot is asking for confidential information from a completely separate service, just as it would be suspicious for a bank to call you and ask for confidential information to prove your identity unprompted.

If you’ve paid attention to the news, as well, a lightbulb should go off as a) Virgin Media’s deal to provide Wi-Fi in Tube stations got a lot of press and cost a lot of money, whereas b) there’s been nothing about a similar deal struck by Facebook.

I’ve contacted TfL to see if they’ve noticed anyone trying to pull this trick before, and will update this piece when they respond.

Ian Steadman is a staff science and technology writer at the New Statesman. He is on Twitter as @iansteadman.
