From the "No-Duh" filesource: NY Post
It's no soap opera — if you're a WiFi user, you may have an "evil twin."
And this twin is ready to steal your credit card information and break into your bank account.
"Evil twin" is the latest buzz term for a wireless threat to laptop users who access the Internet through hotspots that can be found in many public spaces, including coffee shops, bookstores and airports.
Though the attack isn't new, researchers at Cranfield University in the United Kingdom recently demonstrated how easily hackers can intercept user names and passwords and use them to gain access to e-mail and bank accounts.
"It's not hard to do," said Dr. Phil Nobles, a wireless Internet and cybercrime expert at Cranfield. "You need to be a little technically knowledgeable to do it. But all you need is an ordinary laptop with a wireless card."
"Access point phishing" — as it is technically known — involves hackers setting up their laptops to emit false hotspots. After luring a victim, the "phisher" can attack in several ways, the most obvious being with worms and viruses that can be sent to a user's laptop.
A phisher can also create a Web page that resembles a pay-for-service hotspot, similar to what T-Mobile has in participating Starbucks. The page asks users for their credit-card information in exchange for Internet access.
In addition, a phisher can masquerade as a legitimate hotspot provider and ask for a login name and password, in turn charging up the user's existing hotspot account.
Another type of attack places the phisher in between a user and another server. Nobles said he helped carry out two such demonstrations.
"In one of them, we captured someone's e-mail login information," he said. "But in the second example, we intercepted online banking details. That was the more shocking one for people."
Nobles added that the latter threat is especially acute, as hotspots have begun proliferating roughly around the same time as online banking has spread.
But falling prey to an evil twin isn't just a problem for personal users. Spencer Parker, a director of technical services for Atlanta-based WiFi security company AirDefense, noted. When a business's "mobile work force" returns to the office, a WiFi-enabled laptop that is plugged back into the company network poses a serious threat to the business.
If the wireless card isn't shut down before the laptop rejoins the network via an ethernet cable, Parker said, a phisher may be able to access a company's database and protected systems.
"It's hard to detect whether or not this is happening," Nobles added. "A user may never even know whether he's connected to a legitimate hotspot or to an evil twin."
Technical solutions to avoid evil twin attacks do exist. Blocking worms, for instance, is as simple as turning on a personal firewall. Software, such as AirDefense's free downloadable Personal Lite product, sounds an alarm when a potential phisher is detected.
There are even more basic precautions WiFi users should take to avoid being hacked. Paul Stamp, an analyst at Forrester Research, said the simplest way is to always make sure a Web connection is secure by looking for a lock icon in the Web browser.
"A phisher can still look at your encrypted data, but if it's encrypted well enough, it's not worth their time to try and decode it."
