There's a Bank of America (BoA) TV ad that shows two young men in an Internet cafe, one using a friend's debit card to purchase a latte, while the debit card owner, sitting beside a wireless laptop logged in to his BoA account, repeatedly hits the refresh button on his Internet browser. The ad illustrates how quickly debit purchases post to your online banking account. Unfortunately, the ad also illustrates a new vector for criminal hackers (crackers): impersonating access points in public wireless hot spots to steal personal information by outpowering the legitimate signals.

Evil twin attacks
Dubbed "evil twin attacks," they occur when a cracker sets up an attack computer as a duplicate public access point in a cafe or airport, mirroring the actual settings but with a much stronger signal. An unsuspecting cafe or airport patron then simply logs in to the stronger but fraudulent signal. The user still connects to the Internet, but through the cracker's system. This allows the cracker to sniff or read any data that the victim is sending via the Internet, such as the login ID and password for an online banking account.

If you're just surfing the Web, looking for sports scores or weather in a foreign city, you aren't risking too much. But if you're logging on from an Internet cafe or airport waiting area to order a present for your wife online, you could find yourself a potential identity theft victim. Not all e-commerce sites are secure.

Not something new
Evil twin attacks, recently mentioned during a conference in Cranfield University in England, are not new. The security company Internet Security Systems first mentioned this practice in a 2002 paper called BaseStation Clone (Evil Twin) Intercept Traffic. Also back in 2002, I wrote about wireless man-in-the-middle attacks, which are a similar concept. The recent media buzz coming out of the Cranfield conference is that these attacks are very similar to e-mail phishing attacks.

	Criminal hackers [are] impersonating access points in public wireless hot spots to steal personal information by outpowering the legitimate signals.

Traditional phishing attacks involve e-mail pretending to be from EarthLink, eBay, PayPal, or even your bank, directing you to a fraudulent Web site where you are then asked to "update" your account info. In these cases, the account info is quite intrusive, requesting personal information such as your mother's maiden name and your social security number. The attacker then uses this information for identity theft.

Evil twin phishing attacks take advantage of people's blind trust in free hot spots. Like clicking an e-mail link and ending up on some cracker's look-alike Web site, the wireless phishing experience is also transparent: most wireless users won't know that they've associated with a cracker's look-alike access point or base station. Meanwhile the attacker is collecting personal data from their Internet session.

Perspective
So what are the chances you could become an evil twin victim? Not that great. Seriously, you stand more of a chance of identity theft from someone standing nearby and reading your ID and password from over your shoulder (particularly in a crowded airport lounge). But the point of this and other wireless advisories is to remind you that practically every public hot spot available today is wide open and unsecured. Always proceed with caution. Just because it's unlikely that someone's sniffing your wireless session doesn't mean that it could never happen.

Prevention
You can take steps to secure your home networks, such as using Wired Equivalent Privacy (WEP) encryption or the new Wi-Fi Protected Access (WPA) standard. You can also use Secure Socket Layer (SSL) sessions, Virtual Private Networks (VPN), and Digital Certificates to keep third parties from sniffing your home wireless sessions.

	Just because it's unlikely that someone's sniffing your wireless session doesn't mean that it could never happen.

But when you're out on the road, what do you do? Given that the fraudulent evil twin signal must be stronger than the legitimate signal, your attacker might be nearby: in a parked car, an apartment above the establishment, or a lounge seat over by the window. I don't recommend approaching every laptop user you happen to see, however.

I know of only one commercial product, Trend Micro PC-cillin Internet Security 2005, that monitors wireless connections, alerting you whenever someone new tries to join your network or your network changes suddenly. That's one reason PC-cillin is our current antivirus Editors' Choice. A good firewall, such as ZoneAlarm Pro, will also alert you to new networks and ask whether you wish to trust them.

Short of software, the only sure way to avoid this nightmare is to abstain from transmitting passwords, financial data, or other sensitive personal information via public wireless networks. And whatever you do, don't imitate what you see on TV.

Do you practice safe wireless Internet habits when using public hot spots? Why or why not? Talk back to me.