Hotel Wi Fi Security

[teelack 9,645]

I was just wondering about this issue and really dont have the technical nous.

 

How safe is it to use free wi fi in hotels and where have you?

 

Am at any greater or lesser risk of security breaches say than using an Internet cafe?

 

If there is an issue are there any remedies?

 

The reason that I ask is that in a recent hotel stay all that was required for free wi fi was to put you hotel room in followed by the name and this information was handed out at reception on pieces of paper.

[Grandpollo 366]

It is safe if you use SSL connections or a VPN connection. Those offer practically speaking unbreakable connections.

 

They are using a secure connection with a RADIUS server if they require you to enter a room/name or password when you are connecting. You will see an intercept when you go to browse and you have to authenticate your ID to go on. This is the most common hotel scheme unless they just hand out a password and change it now and then, or never, (which means telling all users the new info) or they don't use security at all. Which is also pretty common.

 

Frankly RADIUS is probably enough (your computer can tell you if it is WPA which is very robust or WEP which is very weak- these are the encryption protocols that are available) because a lot of security issues are pretty theoretical. Yes you can break WEP (easily, in minutes) but are there raving gangs of internet sniffers outside your room or hotel? 99.99% odds against. The loads of drunk punters sharing the space are not doing this hacking in their spare time.

 

For banking you'll always be on an SSL connection and there are web VPN services but the reality is the risk is pretty low in reality vs. the science.

Edited May 7, 2012 by ricktoronto

[s77656769 5]

I tend to prefer VPN to my home VPN server for anything important. That way I take the same risk I take at home, ie very low.

 

While https:// web connections and SSL/TLS connections for email etc are less risky, I prefer not to take the risk unless I have to.

 

I regard hotels and internet cafes as risky if you are using your laptop. Slightly less risky if the WiFi traffic is encrypted with WPA2 so you aren't boradcasting your data to everyone in the local area, but you are still exposed to the hotel/cafe operator who is also in a better position to attack you.

 

The buggest risk is internet cafes/bars where you use their computer. Your are subject to all the boave network risks, and also there could be viruses, trojans, keyloggers on the computer.

 

If you connect your laptop to a network, then any other computer on that network can directly attack your computer. Are you patches/antivirus up to date?

 

Specifically about getting a username/password on a piece of paper, while this at best is also used for the wifi encryption, I guess it is mostly about reducing the amount of bandwidth theft by random people near the location.

 

Unfortunately if you want a secure connection then hotels or cafes aren't good enopugh. You should use a VPN service of some kind, and you are probably also going to have to learn a few new things and pay attention. While the likelyhood of something bad happening is low, it is impossible to predict the possible impact, depends on what information is exposed, and how that information can be combined with other, possibly already public, information.

[Grandpollo 366]

Just keep in mind the ACTUAL probability of someone actively sniffing a hotel wifi with authentication is still not very high. It is more work than benefit really. Since banking and such winds up as SSL on top of the authentication.

 

I have four wireless access points at home with WPA PSK using AES and MAC address filtering (worthless other than for the simplest attempts) and in many years the router logs show literally zero attempts from unrecognized MAC addresses. In a big city.

 

I do agree never use a Internet cafe computer for other than surfing sites that you don't use ID to access. Never due to key logging, caching who knows what they can capture.

[teelack 9,645]

Thanks for the comments guys. There is a bit of jargon here that has gone over my head but all in all it looks reasonably safe and worth taking a laptop rather than using an internet cafe. One more question. If I log onto a site, say my bank, is the site at risk only as long as I have the site open? In other words, if I log on, check, adjust or whatever and log off in the quickest possible time does this reduce my chances or being hacked even more?

[too_mutt 10]

If you log on to your bank, best to do it on your own machine and not a public one.

 

[Grandpollo 366]

The amount of time you spend is irrelevant. For someone to sniff a data stream and figure out and decode a live SSL connection would take tens of millions of computers working for thousands of years.

 

Bank account takeovers or fraud occur when you let someone see your ID and password, which happens mostly from phishing e-mail (fake e-mail that looks like it came from your bank and with a link that takes you to a "bank" website that is not actually theirs), and occasionally with an internet cafe where a device is on the computer that captures each keystroke which are then copied after you're gone.

 

Or foolishly trusting ANYONE with login information.

Edited May 10, 2012 by ricktoronto