Here are six steps you can take to protect yourself when using free Wi-Fi while you are out and about.
As you've probably noticed, we're quite keen on free Wi-Fi as a way of keeping costs down when travelling or just moving around town.
But there are a few things you should do to minimise the risk of someone stealing your data, especially your usernames and passwords.
Here are six steps you can take to protect yourself when using free Wi-Fi:
1. Take care to connect to the network that you intended to use
If you allow your computer or other device to connect automatically, there's a risk of falling victim to an 'evil twin' - an access point masquerading as the one you intended to use.
Depending on what hardware you're using, you may need to tell it to forget the hotspot each time you use it (eg, Android) or not to remember hotspots in the first place (eg, OS X), though the latter is inconvenient if you frequently connect to trusted and secured networks.
When you connect manually, don't just click on any network that appears to be open - find out the name of the 'official' network from venue staff.
If you see more than one network with that name, avoid using any of them and draw the staff's attention to the situation. Otherwise you may be connecting to an evil twin or another hotspot set up just to attract the unwary.
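The duplicate-name check described above, as an added example that is not part of the original article: it groups a Wi-Fi scan by network name and classifies the network you were told to use. The scan-line format, the sample values and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample scan, one access point per line in an assumed
# "SSID|BSSID|SECURITY|SIGNAL" format (not the output of any real tool).
SAMPLE_SCAN = """\
CafeGuest|02:00:00:aa:10:01|WPA2|62
CafeGuest|02:00:00:bb:20:02|OPEN|88
HomeNet|02:00:00:cc:30:03|WPA2|40
Library|02:00:00:dd:40:04|OPEN|55
Library|02:00:00:dd:40:05|OPEN|47
"""

def parse_scan(text):
    """Return {ssid: [(bssid, security, signal), ...]} from the assumed format."""
    networks = defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[0]:
            continue  # skip malformed lines and hidden (empty-name) networks
        ssid, bssid, security, signal = parts
        networks[ssid].append((bssid.lower(), security.upper(), int(signal)))
    return dict(networks)

def assess(networks, wanted):
    """Classify the network named by venue staff: 'absent', 'single',
    'duplicate' (several access points, same security) or 'mismatch'
    (the same name advertised with different security settings)."""
    aps = networks.get(wanted, [])
    if not aps:
        return "absent"
    if len({bssid for bssid, _, _ in aps}) == 1:
        return "single"
    if len({sec for _, sec, _ in aps}) > 1:
        return "mismatch"
    return "duplicate"

if __name__ == "__main__":
    nets = parse_scan(SAMPLE_SCAN)
    for name in ("CafeGuest", "Library", "HomeNet"):
        print(name, "->", assess(nets, name))
```

A 'duplicate' result is also what a venue with several legitimate access points looks like, so treat it as a prompt to ask staff rather than proof of an evil twin; a 'mismatch' is the stronger signal.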
If you're using Windows, always select 'Public network' when connecting to a free Wi-Fi system. This setting is designed to stop other users on the network from being able to 'see' your computer, but it also makes sense to use the Network and Sharing Center to turn off public folder sharing and file and printer sharing for the Public profile.
On a Mac, open the Sharing system preference and switch off all the sharing options before connecting to an untrusted network - but make a note of which were previously enabled so you can restore the setup once you've disconnected.
You might need these sharing features when you're connected to a home or office network but you are unlikely to need them in a cafe or while staying at a hotel, and disabling them reduces the opportunities for intrusion.
While we're talking about settings, your notebook's firewall is on, isn't it?
On Windows, open the Windows Firewall control panel and make sure it is either active or that a third-party firewall (probably one that came as part of a security suite such as Norton Internet Security or McAfee Internet Security) is taking care of business.
On OS X, look in the Firewall tab of the Security & Privacy system preference.
2. Use HTTPS wherever possible
The HTTPS protocol encrypts the traffic between your browser and the remote server.
Most web browsers display a padlock to show when HTTPS is in use, but it's also worth checking the site's certificate by clicking on the padlock to make sure you are where you intended to be, as it is possible for intercepted traffic to be diverted to fake servers.
Eavesdropping might not seem to be a problem if your network usage is innocuous, but think about what you're doing. You probably don't care if someone can see if you're looking for recommendations about nearby restaurants when you're visiting a city, but even seemingly harmless activities can reveal something about you if enough data can be assembled.
Paul Ducklin, Asia Pacific head of technology at security vendor Sophos, says "if I do anything that reveals any personal or business preferences - a place I might like to eat at; where I live; background research for a work project - I'll give it [free Wi-Fi] a miss and use my own NextG Wi-Fi hotspot with WPA-2 and a password of my choice."
Furthermore, Ducklin warns "there is also the problem that there may be applications on your computer or mobile device that 'call home' without using HTTPS and thus reveal data, albeit only modest amounts". This article has more about this.
The more concerned you are about such leakage, the more careful you should be about the apps you install and the networks you connect to.
HTTPS is particularly important with sites where you need to log on with a username and password, as it is very easy to capture this information from HTTP traffic.
And where a site only uses HTTPS for the login page, it's easy for bad guys to 'steal' the connection details from an unencrypted page in order to masquerade as you.
How big a deal that is depends on the nature of the site, but this is why Google, Twitter and some other services have switched to using HTTPS everywhere.
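To make the login-page-only HTTPS problem concrete, here is an added example (not from the original article) that audits Set-Cookie headers and reports session-style cookies lacking the Secure attribute, which a browser will also send over plain HTTP. The header values, cookie names and the name-based heuristic are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values from a hypothetical site that uses HTTPS
# only for its login page.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=def456; Path=/; Secure; SameSite=Lax",
    "theme=dark; Path=/",
    "auth=xyz789; Path=/; Secure; HttpOnly",
]

# Assumed heuristic: cookie names containing these strings identify a login.
SENSITIVE_HINTS = ("session", "auth", "token", "sid")

def audit_cookies(set_cookie_values):
    """Return one finding per cookie: name, Secure flag, and whether a
    login-related cookie would be exposed on an unencrypted request."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)  # parses a single Set-Cookie header value
        for name, morsel in jar.items():
            secure = bool(morsel["secure"])  # '' when the attribute is absent
            sensitive = any(h in name.lower() for h in SENSITIVE_HINTS)
            findings.append({
                "name": name,
                "secure": secure,
                "exposed": sensitive and not secure,
            })
    return findings

def exposed_names(set_cookie_values):
    """Names of login-related cookies that would travel over plain HTTP."""
    return [f["name"] for f in audit_cookies(set_cookie_values) if f["exposed"]]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```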
3. Use SSL or TLS to protect your email
If you're using an email client rather than webmail to access your email accounts, using SSL or TLS is the equivalent of using HTTPS instead of HTTP: it encrypts the traffic between the email program and the server, making it much harder for anyone to steal your login details or messages.
The iOS Mail app defaults to using SSL, and the Android Email app defaults to SSL when used with a Gmail account, but it's worth checking the client's account settings to ensure that SSL is being used.
In the OS X Mail application, for example, open Preferences, select the Accounts pane and then the Advanced tab, and tick the "Use SSL" checkbox.
4. Use a VPN
A VPN (virtual private network) encrypts all network traffic, making life difficult for any eavesdroppers.
The traffic goes to another system where it is decrypted and forwarded to the intended destination.
You can run your own VPN server, perhaps on a desktop computer back in your office (Ducklin demonstrates a free DIY method of setting up a secure 'tunnel' here, but it's not for the technically faint-hearted).
Or you can use a commercial VPN, but then you're putting your trust in its operator, so be careful who you deal with.
If you do use a VPN and experience connection problems when using an open Wi-Fi network even though it works fine from your own network, it could be something as simple as the hotspot blocking certain ports used by the VPN or it could be a sign that your communications are being tampered with in some way, so caution is advisable - ie. don't use that network!
5. Avoid using untrusted networks for important transactions
Even though internet banking uses HTTPS, the potential losses are significant if someone does manage to intercept your credentials. So it's wiser to save such use for more secure connections.
You should always check for an HTTPS connection and examine the certificate before making a credit card transaction, but take extra care to do so if you feel you really must use a free Wi-Fi network for online shopping.
Assuming you are using HTTPS, there is perhaps more chance of your card details being stolen from a site that held them - for example, read here and here.
6. Don't update your software at a Wi-Fi hotspot
While we're usually encouraged to keep our operating systems and other software up to date by applying patches promptly, earlier this year the US Internet Crime Complaint Center (affiliated with the FBI) warned that attackers had found a way of presenting what appeared to be "a routine update to a legitimate software product" via a hotel Wi-Fi network.
Many users have already learned to be cautious about pop-up windows that offer software. That technique has been widely used by the 'fake antivirus' industry (often the window claims malware has been detected on the computer and offers a paid 'solution' that really is malware).
It was also used to spread early versions of the Flashback malware that appeared in the second half of 2011 - this asked users to install a bogus update to Adobe's Flash Player.