Lewis' Blog Tales from the trenches of information technology

21Jul/130

Scammers target travelers using hotel Wi-Fi | Fox News Video

Download PDF

I'm not embedding the video stream here, only because I have not requested permission from Fox. Clicking through the link below will take you to the 2-minute piece, however:

Scammers target travelers using hotel Wi-Fi | Fox News Video

I have a couple issues with the segment, which caught my eye a few minutes ago:

While I can understand the danger of associating with an unknown WLAN, and as (according to Brenda Buttner's statement, sourcing "security experts" - a ubiquitous source, so take it at face value) 38% of all credit card fraud involves the hotel industry (a statistic which I personally find dubious at best, but for the sake of argument, we'll run with it 1), it might make sense to put this piece under the broad banner of travelers being at risk using hotel Wi-Fi, there is, in my opinion at least, a much greater underlying problem at play.

As is all too often the case, the real culprit is human nature. People are somehow (in my experience) overly-trusting of what the "herd" seems to believe is safe. It's the "sheeple" syndrome. Conversely, some people (thankfully, a minority in relation to the entire world population) are inherently evil. This makes for a dangerous combination, particularly in terms of information Technology, because someone wishing to do harm need only hang out a shingle and wait for the lemmings to come along.

This piece in question focuses on Wi-Fi, but this should in no way be some indication that the wired hotel network is "safe," that cellular or WWAN signals anywhere are "secure," or that any means of electronic or analog communications can be guaranteed to be completely private 2.

The guest, Adam Levin, former Director of the New Jersey Division of Consumer Affairs and co-founder and chairman of both Credit.com and Identity Theft 911, but obviously no networking intelligencia 3, suggests using a VPN. Well, the problem with this is that per the overall thrust of the piece, establishing the VPN would likely either fail or would possibly do nothing to secure non-VPN-destined traffic, anyway 4. This is a fundamental problem with pieces like these: the host - and the guest(s) - typically have no idea of the underlying subject matter and the ramifications of their suggestions.

There is an impression given that somehow, a hotel guest should inquire as to the "name" of the hotel network (a reference to inquiring as to the hotel's true SSID). However, this is of little use, because not only would the hotel likely provide this information to practically anyone inquiring, but as SSIDs are not copyrighted or trademarked in any way (not that thieves would be concerned with breaking copyright law!), anyone could simply deploy a WLAN with the same SSID as the official hotel WLAN. The typically poor wireless performance, due to weak signal, poor deployment strategies, etc. of so many hotels would lead someone to grab (as the piece rightly points out) the most powerful signal. Seeing a good signal with the expected SSID, however, should not lead someone to believe that he or she is indeed connecting to the expected network.

At no point does the segment mention that when accessing, for example, the hotel's website (cited in the piece, presumably for the guest to access his or her hotel folio, thus exposing possibly sensitive information), the user should check for an SSL connection and then look further to examine the certificate of the site, which would be a good first step in ensuring security (but by no means the end of the line). Common sense needs to prevail: if logging onto the hotel site to check on charges, and one is asked for a credit card number which should already be on file, one should stop and evaluate why the site might be asking for such information 5.

Not discussed in the piece, but which should be integral to the conversation, is the use of clear text logon credentials for email systems and the like, as well as unencrypted email transmissions themselves. Forget web traffic (yes, I am aware that providers like Gmail, Verizon, AOL, and Yahoo! have pushed the market more toward webmail than client-based email, though handheld and tablet devices still typically use whatever email client is bundled with the operating system): in my experience, most of the time, end-users don't even know whether their connections are IMAP vs POP3, let alone whether their authentication is secure or their transmissions are encrypted. This, of course, has no bearing on whether one is at a hotel, sitting at home, walking on the street, or riding a bus.

  1. Lies, damned lies, and statistics.
  2. An ethernet connection, on its way from the demarc, can be routed through a hostile network, and all traffic filtered and examined. It's not rocket science; it only requires physical access, and anyone with IT chops, coveralls, and decent social engineering skills should be able to pull off such an exploit. At the beginning of the Fiber Age, fiber tapping was almost unheard of; now it's practically easier than using a vampire tap on thick ethernet.
  3. I despise the term "technologist."
  4. Consider a WLAN with no true internet access but only mimicking the hotel website: a VPN connection would fail to reach the far end point. The other possibility is a rogue WLAN which actually does pass traffic through to the internet, but a VPN which allows split tunneling would still permit non-VPN-destined traffic to pass unencrypted, providing no security - for that unencrypted traffic - whatsoever.
  5. This is the same common sense approach which should be employed when anyone asks for personally identifiable information, such as a Social Security Number, i.e., why does the requesting person need that information?
Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.