Posted 03-31-2008, 06:12 PM by TinFoilHatMan
Don’t bank over public WiFi

It’s pretty simple, isn’t it?

Too many times I’ve seen people who connect to their local hot spot, at the coffee shop, log into their bank, and conduct important personal business.
Now, don’t get me wrong, I’m all for the convenience of ubiquitous wireless internet access. I think that there’s nothing quite as cool as looking something up in google while sipping on my grande-latté-2-pumps-of-vanilla, but online banking credentials have a definite value in the eyes of unscrupulous criminals, and when they are flying through the air, anyone with the necessary knowledge can snatch them.
Admittedly, my paranoia knob "security dial" is set pretty high. Perhaps this is a direct result of working in the security field. Let me elaborate and provide a concrete example in the process. A common ploy, one that is not that technically difficult to achieve, is to *** at a location that has public wireless access with a laptop that has been configured to act as a wireless router, and relay the traffic to the legitimate wireless router. This is often referred to as a rogue access point.

Say for example that this location is a coffee shop. In this fictitious example, we’ll call the wireless router: Coffee_Free. The malicious criminal would then create a Coffee_free2 router, and simply wait for unsuspecting patrons of the coffee shop to connect to his laptop. He would then intercept all their traffic. Once you have intercepted the traffic generated during a banking transaction, you can dissect it at your leisure, and extract the information needed to acquire said banking credentials. The rogue access point is even more effective if the wifi web access at the coffee shop is a paid service, as the rogue access is free, and will probably attract more patrons than the legitimate one!

http://blogs.paretologic.com/malware...08/03/rap1.png
Remember, this method of stealing credentials applies to any web-based exchange that involves some form of authentication. Is your favorite instant messenger automatically logging you on? Your credentials are involved in that process. Checking your g-mail? That information is intercepted too...

On the subject of e-mail credentials, don’t think that just because it’s a web-based email, it does not hold value to criminals. If they own your email, they can get access to any other services where you used that email address to register. The g-mail search feature makes finding this information even easier. Users also have the bad habit of using the same password for several different services. A skillful attacker will attempt logging in to other services using the same credentials in a bid to gain further information. We have even seen black hat tools in the wild that help automate this process...

So what should the average user take from this? Don’t bank over public WiFi.
There’s no point in looking for a dodgy looking fellow with a “got root” t-shirt, rubbing his hands together with glee at the very far end of the coffee shop either. His laptop is in his car, in the trunk. It’s parked beside the coffee shop, and he’s gone shopping.
Possibly with your money.
Don’t bank over public WiFi.
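A defender-side check for the Coffee_Free / Coffee_free2 scenario described in the post, added here as an example and not part of the original post: it flags scan entries whose network name matches or closely imitates the venue's real one but comes from an unrecognised access point. The BSSID allowlist, the similarity threshold and the scan entries are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumption: the venue publishes its real network name and access-point MAC(s).
KNOWN_SSID = "Coffee_Free"
KNOWN_BSSIDS = {"00:11:22:33:44:55"}  # constructed placeholder value

def normalize(ssid):
    """Lower-case, then strip separators and trailing digits, so that
    'Coffee_free2' and 'Coffee_Free' compare as the same name."""
    core = re.sub(r"[\s_\-.]+", "", ssid.lower())
    return re.sub(r"\d+$", "", core)

def classify(ssid, bssid):
    """Return 'trusted', 'suspect' or 'unrelated' for one scan entry."""
    if ssid == KNOWN_SSID and bssid.lower() in KNOWN_BSSIDS:
        return "trusted"
    similarity = SequenceMatcher(
        None, normalize(ssid), normalize(KNOWN_SSID)
    ).ratio()
    # Same or near-identical name, announced by a radio we do not recognise.
    if similarity >= 0.85:  # threshold is an assumption; tune per venue
        return "suspect"
    return "unrelated"

def review_scan(entries):
    """Classify every (ssid, bssid) pair from a WiFi scan."""
    return [(ssid, bssid, classify(ssid, bssid)) for ssid, bssid in entries]

# Constructed scan results for illustration.
SAMPLE_SCAN = [
    ("Coffee_Free", "00:11:22:33:44:55"),   # the shop's own access point
    ("Coffee_free2", "02:aa:bb:cc:dd:ee"),  # lookalike name
    ("Coffee_Free", "02:aa:bb:cc:dd:ef"),   # exact name, unknown radio
    ("LibraryGuest", "00:de:ad:be:ef:01"),  # unrelated neighbour network
]

if __name__ == "__main__":
    for ssid, bssid, verdict in review_scan(SAMPLE_SCAN):
        print(f"{verdict:9} {ssid:14} {bssid}")
```

The check compares names and radio addresses only; it does not authenticate the access point.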

« Previous Thread | Next Thread »

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump


Terms of Use