Support 100 years of independent journalism.

8 January 2014updated 28 Jun 2021 4:46am

A reminder that public Wi-Fi hotspots may not always be what they seem

Sometimes those "Free Public Wi-Fi" networks that smartphones can connect to when out and about are actually fakes, created by scammers.

By Ian Steadman

A funny thing happened to me on the way to the office this morning. I was sitting in a carriage on a District line train, trying to check Twitter, and when I tried to connect to one of Virgin Media’s public Wi-Fi hotspots I was instead bounced over to something called “PDM Wi-Fi”. Then a login screen appeared:

Now, Facebook doesn’t offer “free wifi [sic] with more than 50 Facebook Hospots in London ! [sic]”. I could also pick the hotspot up when the train was sitting in tunnel between stations, and none of London’s underground trains carry Wi-Fi hotspots. In short, it was a fake hotspot, masquerading as a legitimate one.

I didn’t put my Facebook username and password into it to see what would happen, as chances are it was a phishing scam from someone – possibly sitting near me in the same carriage at the time, such was the strength of the signal – looking to get my login details.

Whoever was behind it was broadcasting a bunch of other networks with dodgy names too (I didn’t screengrab, but they included things like “freeBTwifi”). Phishing attacks using public hotspots are no new thing – appearing in public spaces, airport terminals, stations, and so on for years – but this is the first time I’ve seen or heard of one on a moving train.

Sign up for The New Statesman’s newsletters Tick the boxes of the newsletters you would like to receive. A weekly newsletter helping you fit together the pieces of the global economic slowdown. Quick and essential guide to domestic and global politics from the New Statesman's politics team. The New Statesman’s global affairs newsletter, every Monday and Friday. The best of the New Statesman, delivered to your inbox every weekday morning. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.

Why do it? Well, aside from the passwords, when you access the internet through a public hotspot, you’re giving whoever has access to that hotspot the ability to view what you’re doing, as long as you don’t encrypt your data. This is why tech people get annoyed at Yahoo for taking so long to turn on HTTPS encryption as default for its email service, several years after Google did the same. It’s an unnecessary vulnerability that could be exploited.

Content from our partners
Small businesses can be the backbone of our national recovery
Railways must adapt to how we live now
“I learn something new on every trip"

To keep yourself safe when using public internet hotspots, the first sign that something won’t be right is the type of connection. Ad-hoc networks are where two or more computers connect to each other (you can create one with any smartphone quite easily, if you need to share its web connection with a laptop, for example), and normally show up as different in any list of wireless networks you can connect to. My phisher had disguised his hotspot as a legitimate router, but someone else may not take that step.

There’s also the same sense of scepticism used for spam emails that can be used here. Look at that sign-in page above – something immediately feels wrong, doesn’t it? Quite aside from the grammatical mistakes and the off-centre words on the buttons, it should immediately be suspicious that a hotspot is asking for confidential information from a completely separate service, just as it would be suspicious for a bank to call you and ask for confidential information to prove your identity unprompted.

If you’ve paid attention to the news, as well, a lightbulb should go off as a) Virgin Media’s deal to provide Wi-Fi in Tube stations got a lot of press and cost a lot of money, whereas b) there’s been nothing about a similar deal struck by Facebook.

I’ve contacted TfL to see if they’ve noticed anyone trying to pull this trick before, and will update this piece when they respond.