The Evil Twin

How the evil twin is the newest dangerous thing people do on the Internet that doesn’t seem dangerous at all: Internet ScamBusters #129

Today we’re going to do something quite different — something we haven’t done in well over a year — that we think you’ll find very valuable.

Today’s topic is: 7 Dangerous Things You Do on the Internet That Don’t Seem Dangerous at All.

We’ve done an exclusive interview with an expert, Anne P. Mitchell, Esq. You’ll discover that this interview includes a lot of very surprising information.

In fact, this interview was so jam-packed that we decided to divide it into two ScamBusters issues.

So, let’s get started…

The Evil Twin – The Newest Dangerous Thing People Do on the Internet That Doesn’t Seem Dangerous at All

We all do lots of things on the Internet without giving them much thought. And unfortunately, as you’ll see, that can be a big mistake.

In this issue and the next, we’re going to talk about 7 things that don’t seem dangerous, but can cause real problems.

Today our guest is Anne P. Mitchell, Esq. Anne is a Professor of Internet Law at Lincoln Law School of San Jose, and the President and CEO of the Institute for Spam and Internet Public Policy. You can find her sharing her wisdom and wit (and she’s very funny) at the immensely popular Aunty Spam site.

Audri: Welcome, Anne! I really appreciate your taking the time to talk with me today — this is a really great topic that I think will benefit ScamBusters subscribers a lot.

Anne: Thank you, Audri! It’s absolutely my pleasure!

Audri: Let me begin by asking: what do you believe is the newest, most dangerous thing people often do on the Internet that doesn’t seem dangerous at all?

Anne: Believe it or not, Audri, it’s using public wifi hotspots. Well, not so much the hotspots themselves, Audri, but the inadvertent use of evil twin hotspots.

Audri: A lot of our readers don’t know what an evil twin is. Can you explain?

Anne: Sure. Simply put, an “evil twin hotspot” is a hotspot that mimics a legitimate public wifi hotspot, such as those to which you may have access at your local Starbucks or bookstore.

However, it is really an Internet gateway which has been set up by a hacker hoping to trick you into connecting to the Internet through them.

When you access the Internet through this “hotspot,” the hacker is logging everything you do and type, including your passwords and other sensitive information.

Audri: What exactly are the dangers of evil twins?

Anne: Once having trapped your sensitive information, such as account numbers, user names, and passwords, and knowing at which websites you entered that information, the person behind the evil twin hotspot can gain full access to bank accounts, credit card accounts, email — anywhere that you went on the Internet while connected through their evil twin.

Audri: I think our subscribers can definitely see the dangers here! Can you give us an example?

Anne: Yes. Just last week I was sitting in my local Starbucks, where they offer wifi hotspots from T-Mobile. In order to log into a T-Mobile hotspot, you must have an account with T-Mobile, for which you must pay.

Even though I don’t use the T-Mobile hotspots, I always check (with my laptop) to see what wifi hotspots are available at any given location because, well, that’s part of my beat.

Sure enough, users at that Starbucks who opened their laptops and searched for a local wifi Internet connection were presented with the option of “T-Mobile Hotspot,” as they should be, but were also presented with a second option, called “Free Wifi from Team WiFi,” which I am 99% certain was an evil twin (and indeed Starbucks confirmed that there was no special offer going on which would have otherwise explained that second hotspot).

Now, notice a few things about this second, uninvited hotspot. First, it uses the term “free wifi.” Who wouldn’t want to use that, especially compared to the T-Mobile hotspot, where you have to pay?

Second, though, note the friendly and familiar sounding “Team WiFi.” By using familiar terms for their evil twin, along with telling people it is free, they are making it very easy for an unsuspecting user to go ahead and click and connect to that evil twin. In fact, users may just think that it’s a special offer from the T-Mobile Hotspot people.

Sure enough, Audri, this evil twin caught some people. As the gentleman who was sitting next to me got up to leave, after being on his computer for quite some time, I asked him whether he had logged in to the Internet while he was there.

When he said that he had, I asked him whether he was a T-Mobile user. “Oh no,” he replied, “they have a free wifi hotspot set up here.”

I advised him that it was almost certainly an evil twin, and that if he had done anything online while logged in through that “free” hotspot which might have compromised any sensitive information, he should take immediate measures to remedy the situation, such as changing any passwords he had sent while logged in.

At this point your readers may be wondering why I didn’t alert the authorities. And this is why user education is so very important.

There really was nobody for me to effectively alert. I could have called the police, but they would not have had the resources to even figure out where this evil twin was located, let alone to figure out who was doing it and how. The best thing I could do at that point was to let people know not to use that hotspot.

Audri: That’s a really important point, and in fact, one of the reasons we started ScamBusters. Often, understanding the principles behind scams is about the only real protection you have.

For example, it’s not enough to know that Team WiFi (specifically) may be an evil twin. This name probably already has changed by the time you read this. But by understanding this evil twin scam, subscribers can be careful and make sure they don’t compromise their personal information.

Moving on: can you explain in a non-technical way how evil twins work?

Anne: Basically someone sits nearby with either a laptop hidden in a backpack or under a coat — or they may even be sitting there with the laptop in front of them, pretending to work.

But that laptop is really set up as an Internet server which has been programmed to announce itself as a public Internet access point.

This is essentially how legitimate wifi hotspots are set up as well. The difference is that the evil twin has additional software on it that is designed to capture all of the data from the Internet traffic that goes through it.

If you send unencrypted text, the hacker will be able to simply read it.

But even if you send something that is encrypted, such as a password, it isn’t very hard for the hacker to figure that password out.

Audri: How?

Anne: First of all, some hacking software can install a virus that actually records keystrokes. Second, there is plenty of software out there designed to crack many types of passwords.

In fact, Aunty Spam wrote just last month about a website where you can plug in an encrypted password, and it will decrypt it for you.

That sort of encrypted password is exactly what the evil twin will capture.

Audri: So what that means is that you’re not completely safe if you use encrypted passwords.

How widespread is this problem?

Anne: Nobody really knows for sure, but I can tell you that I hear about instances every week. In one recent infamous case, someone walked into an IT conference in England and walked around with a live evil twin in their backpack, and caught several people. At a conference full of Internet security experts!

Audri: Wow!

Here’s a related question we got this week: can you tell us what is “email sniffing”?

Anne: Email sniffing also involves interception of data, but it is typically a situation where one person is sending and receiving email on a network, and another person on that same network is intercepting the email data.

Audri: How can our subscribers keep their email safe from sniffing?

Anne: For the average user, the safest thing to do is to use a secure webmail service. For example, both Hotmail and Gmail services use a secure protocol.

For users who must access their work email while on the road, and because there are so many different enterprise email systems, the user should work with their IT department to ensure the most secure access.

Audri: How can you know if you’re connected to an evil twin?

Anne: Well, of course, that’s the lion’s share of the problem. You can’t, really.

The best defense is a good offense, meaning take precautions to ensure that you don’t connect to an evil twin in the first place.

Audri: “The best defense is a good offense” is one of my favorite sayings. 🙂

Is this a serious enough problem that some people should simply not use wifi? If so, who?

Anne: People who don’t feel competent to identify the wifi spots they know and trust, or to distinguish other hotspots from those trusted few, should probably think twice before connecting.

If it’s so important that you can’t wait until you get home or back to the office to check from your regular connection, then it’s probably too important to risk sending across an un-secure and potentially malicious wifi connection.

Audri: Let me ask you two questions on related topics: Is there anything you can do to protect yourself when you’re not at home or are traveling? What about people who live in large cities — how big an issue is this for them? What should they do?

Anne: By definition, this is an issue which is most likely to arise when you are not at your home or office (unless your workplace offers free public wifi!).

It’s extremely unlikely that someone is going to create an evil twin of your home wifi.

People in big cities may be more likely to encounter evil twins than, say, people out in rural areas, but only because of numbers, not because rural hackers are any less sophisticated!

Audri: Are there any rules of thumb that could help our subscribers protect themselves?

Anne: As to how best to protect yourself, first and foremost, check your wifi settings on your laptop!

Is your computer set to search and automatically log on to the nearest wifi hotspot? If so, that’s a recipe for disaster. Change that setting!

Audri: I bet most people didn’t know that, Anne.

Anne: Second, whenever possible avoid sending sensitive information from public wifi locations. The more important the information is, the less chance you should take with it.

If you really must conduct financial business from public wifi spots, such as if you are on the road a lot, either use a credit card with a special limited line of credit, or use a debit card in which you keep only as much money as you are willing to lose if someone compromises your data.

Finally, really scrutinize the sites through and to which you connect. If something doesn’t look or “feel” right, it probably isn’t.

And make sure that any page to which you connect and through which you have to transmit any sensitive data really is a secure page (look for the little key at the bottom of your browser or whatever your browser uses to indicate “secure”).

Audri: This is great advice. Is that what you do every time you connect to a public hotspot?

Anne: <laugh>…no, I actually avoid all of these problems by connecting my laptop to the Internet through my cell phone.

Many cell providers now have unlimited Internet access rate plans, and with the higher speed cell data networks, while it’s not as fast as a wifi hotspot, it’s plenty fast, and they haven’t been cracked yet.

Audri: Can you summarize what action steps our subscribers should take so they don’t become vulnerable (or become less vulnerable)?

Anne: Yes. Be careful. Be cautious. Be wary. And be aware.

Audri: Thanks so much, Anne! I think we’ll stop here and finish this interview in next week’s issue. I really appreciate you sharing your advice on the problem of the evil twin hotspot with our subscribers. Stay tuned…