Support 100 years of independent journalism.

8 January 2014updated 28 Jun 2021 4:46am

A reminder that public Wi-Fi hotspots may not always be what they seem

Sometimes those "Free Public Wi-Fi" networks that smartphones can connect to when out and about are actually fakes, created by scammers.

By Ian Steadman

A funny thing happened to me on the way to the office this morning. I was sitting in a carriage on a District line train, trying to check Twitter, and when I tried to connect to one of Virgin Media’s public Wi-Fi hotspots I was instead bounced over to something called “PDM Wi-Fi”. Then a login screen appeared:
 

Now, Facebook doesn’t offer “free wifi [sic] with more than 50 Facebook Hospots in London ! [sic]”. I could also pick the hotspot up when the train was sitting in tunnel between stations, and none of London’s underground trains carry Wi-Fi hotspots. In short, it was a fake hotspot, masquerading as a legitimate one.

I didn’t put my Facebook username and password into it to see what would happen, as chances are it was a phishing scam from someone – possibly sitting near me in the same carriage at the time, such was the strength of the signal – looking to get my login details.

Whoever was behind it was broadcasting a bunch of other networks with dodgy names too (I didn’t screengrab, but they included things like “freeBTwifi”). Phishing attacks using public hotspots are no new thing – appearing in public spaces, airport terminals, stations, and so on for years – but this is the first time I’ve seen or heard of one on a moving train.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

Why do it? Well, aside from the passwords, when you access the internet through a public hotspot, you’re giving whoever has access to that hotspot the ability to view what you’re doing, as long as you don’t encrypt your data. This is why tech people get annoyed at Yahoo for taking so long to turn on HTTPS encryption as default for its email service, several years after Google did the same. It’s an unnecessary vulnerability that could be exploited.

To keep yourself safe when using public internet hotspots, the first sign that something won’t be right is the type of connection. Ad-hoc networks are where two or more computers connect to each other (you can create one with any smartphone quite easily, if you need to share its web connection with a laptop, for example), and normally show up as different in any list of wireless networks you can connect to. My phisher had disguised his hotspot as a legitimate router, but someone else may not take that step.

There’s also the same sense of scepticism used for spam emails that can be used here. Look at that sign-in page above – something immediately feels wrong, doesn’t it? Quite aside from the grammatical mistakes and the off-centre words on the buttons, it should immediately be suspicious that a hotspot is asking for confidential information from a completely separate service, just as it would be suspicious for a bank to call you and ask for confidential information to prove your identity unprompted.

If you’ve paid attention to the news, as well, a lightbulb should go off as a) Virgin Media’s deal to provide Wi-Fi in Tube stations got a lot of press and cost a lot of money, whereas b) there’s been nothing about a similar deal struck by Facebook.

I’ve contacted TfL to see if they’ve noticed anyone trying to pull this trick before, and will update this piece when they respond.