Wi-Fi — A Hot Spot for Crime

It's something that everybody does — logging on to the Internet while waiting for a delayed flight at an airport, or accessing the Web via a public wireless hot spot in a coffee shop. The problem comes when casual surfing turns to digital banking. There are easily available tools that crooks can use to intercept communications in public Wi-Fi venues, many of which can circumvent traditional encryption techniques, creating a security nightmare for banks.

"Unsecured Wi-Fi hotspots are a hacker's dream, I can't think of another way to put it," says Phil Blank, a senior research analyst at Javelin Strategy and Research. "If you are in an airport or a public spot, even with SSL — secure socket layer encryption, which protects most consumer Web banking traffic — that doesn't necessarily protect you. There are tools and techniques that allow hackers to exploit systems."

Wireless hacking falls into the most frustrating category of electronic crimes confronting banks, since financial institutions don't control public wireless networks or own the users' PCs, tablets or mobile devices. And remote access banking is maturing and becoming part of customer expectation, so limiting access is not an attractive option. There are emerging tools to combat the problem, such as virtual private networks and improved detection techniques, but wireless hacking stands to remain a vexing problem for some time.

"For banks it's really a challenge on the consumer banking side to protect from this type of crime," Blank says.

"On the commercial side, you can be more prescriptive. A bank can say, 'If you want to do wire transfers online, here are the procedures and parameters.' A lot of financial institutions have already said, 'If you don't have certain types of software installed, we won't let you do commercial banking with us,'" Blank says. "With consumers, it's harder to do this, but it's a trend we will see moving down the road."

Root Cause
The origin of the threat can be found in the technology that supports Wi-Fi networks.

Moisés José Gonçalves dos Santos, risk manager at Redecard, a Brazil-based card payments processor, says typical access points, such as wireless routers, laptops, tablets and smartphones, are basically radio transmitters and/or receivers, meaning they broadcast and receive information over airwaves that spread in every direction and are available to anyone within range of a Wi-Fi antenna.

"Because of that, anyone carrying a capable Wi-Fi device within range could retrieve information and if it is not protected, they can read it. That is why many different encryption algorithms — such as WEP, WPA and WPA2 — were developed," dos Santos says.

In regard to public Wi-Fi networks, usually available at airports, restaurants, malls and hotels, dos Santos says that before a user gets in, it is normal for him or her to get challenged with some sort of agreement process to gain network access and "as easily as a well-intentioned person can get in, someone with less than ethical motivations could join in as well."

Dos Santos says since every device on a network can exchange data with the servers in the same network, "we are back to a context where, technically, everyone in that network could also retrieve data being transmitted from and to different nodes. A very old vulnerability would allow a bad guy to hijack the victim's IP address and start intercepting data addressed to the victim's device as if it were sent to him, in what is called IP spoofing."

Other new threats include HTTP session hijacking, or "sidejacking."

"Since it is quite common to see websites protecting our passwords by encrypting the initial login," and it's rare to find websites that encrypt every piece of information exchanged between client and server, "we get left with a small point of vulnerability, the cookie, a plain text file sent from the Web server to a client containing session-related data so he could be greeted upon return or even re-login automatically in some cases," dos Santos says.

One of the scariest hacking tools is called Firesheep, which can be used to hack into a user's social media session. The crook installs Firesheep, then double-clicks on social media sessions that are already in progress on a public Wi-Fi network. Once the real user logs off the social media site, the hacker is still logged on - as the real user.
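The exposure described above comes down to whether a session cookie is ever allowed to travel unencrypted after the login page. As an added example (not from the article or any site's own code), this Python check audits response headers for session cookies missing the Secure attribute; the sample headers are constructed, and the cookie names and name-matching hints are assumptions.

```python
# Added example: flag session cookies that could cross open Wi-Fi in clear text.
# SAMPLE_HEADERS is constructed data, not captured from any real site.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=9f3c1a; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=ab12cd; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Assumption: cookies whose names contain these fragments carry session state.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(headers):
    """Return (subject, problem) findings for one HTTP response."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # preference cookies such as "lang" are not session secrets
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute: sent over plain HTTP too"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly attribute: readable by page scripts"))
    # Without HSTS a browser can still be steered to plain-HTTP URLs on this host.
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("response", "no Strict-Transport-Security header"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_HEADERS):
        print(f"{subject}: {problem}")
```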

Traditional protections, such as the SSL encryption typically used to protect online banking sessions, are less effective in public Wi-Fi networks. A crook in a public Wi-Fi network, where original access is more open, can more easily set up a program that intercepts the public/private key exchange that is part of the encryption technique, creating a "man in the middle" who can monitor a banking session.

Virtual Prevention
Preventative technology has been slow to develop, particularly for non-laptop devices like smartphones and tablets.

"In general, mobile devices are behind the curve in terms of security and antivirus technology. There haven't been enough attacks yet to warrant" large-scale development of preventative technology, says Aaron MacPherson, practice director for IDC Financial Insights. "But that's going to come soon. Mobile devices are a big enough market that fraudsters will start to hit the channel. There will be major breaches that will spur more interest in security software."

Dos Santos says one way to prevent most current Wi-Fi threats is to use a virtual private network (VPN) or traffic tunneling while connected to public wireless networks. "Basically, before connecting to the Internet and accessing your preferred Internet bank website, you will connect to a specific server" — either controlled by you at home, or hired as a service from a trusted provider — "establish a full end-to-end encrypted connection and relay on that server to connect to the desired website. That way you can rest assured that everything you send and receive through the wireless network you just connected is properly ciphered and out of an attacker's grasp. VPN authentication schemes and ciphering protocols used are light years ahead of common HTTPS/SSL connections, making it virtually impossible for an attacker to succeed on a MITM attack also," dos Santos says.

Dos Santos also recommends deploying detection techniques to locate attackers. Banks typically store characteristics of good connections that are then linked to a customer's profile. That allows the bank to look upon the user's next request for connection and take action if something is different than what the real user usually does. "For example, if customer A usually logs in from a Wi-Fi network provided by a New York ISP and all of a sudden a connection to A's account appears from an ISP registered in Boston, that would generate an alert. The institution, following its policy, could reach out to customer A to verify if he or she is indeed in Boston and accept or decline the connection based on the answer."

Dos Santos also says hackers usually fail to mimic the real user's behavior, mainly because the crook has different interests than the real user. "To give you an example, on a usual hijacked access the attacker will request different transactions, amounts or destination," dos Santos says.
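The two detection ideas above (a stored profile of known-good connections, and transactions that do not look like the customer's own) can be sketched together. This Python block is an added example, not code from the article or from any bank; the record format, field names, ISP names and the 3x amount threshold are all assumptions, and the history is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed history of sessions the bank already accepted as genuine.
HISTORY = """\
user=A isp=ExampleNet-NewYork city=NewYork payee=landlord amount=1200
user=A isp=ExampleNet-NewYork city=NewYork payee=utility amount=85
user=A isp=ExampleNet-NewYork city=NewYork payee=landlord amount=1200
user=B isp=SampleISP-Boston city=Boston payee=daycare amount=400
"""

IDENTITY_FIELDS = ("isp", "city", "payee")


def parse(line):
    """Turn one 'key=value ...' record into a dict with a numeric amount."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["amount"] = float(rec["amount"])
    return rec


def build_profiles(text):
    """Per customer: the ISPs, cities and payees seen, plus past amounts."""
    profiles = defaultdict(lambda: {"isp": set(), "city": set(),
                                    "payee": set(), "amounts": []})
    for line in filter(str.strip, text.splitlines()):
        rec = parse(line)
        profile = profiles[rec["user"]]
        for field in IDENTITY_FIELDS:
            profile[field].add(rec[field])
        profile["amounts"].append(rec["amount"])
    return dict(profiles)


def assess(profiles, line, amount_factor=3.0):
    """Return the reasons a new request deviates from the stored profile."""
    rec = parse(line)
    profile = profiles.get(rec["user"])
    if profile is None:
        return ["no profile on record"]
    reasons = [f"new {f}: {rec[f]}" for f in IDENTITY_FIELDS
               if rec[f] not in profile[f]]
    typical = median(profile["amounts"])
    if rec["amount"] > amount_factor * typical:
        reasons.append(f"amount {rec['amount']:.0f} is over "
                       f"{amount_factor:g}x the typical {typical:.0f}")
    return reasons  # empty list: accept; otherwise verify with the customer
```

An empty result means the request matches the profile; any reasons returned are what the institution would raise with the customer before accepting or declining the connection.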

Blank says another good idea is to encourage users to access mobile banking via 3G or 4G networks. While not impenetrable, these networks are harder for hackers to access because the coding of the networks themselves requires more sophisticated workaround coding on behalf of the hackers — making it more likely that a hacker will move on to lower-hanging fruit.
