Believe it or not, it is actually easier to hack into the accounts of others today then it was ten years ago. Sophisticated software can do anything these days. Several months ago I became aware of a plugin for the Firefox browser that can grab personal data from other people sharing the same Wifi connection. I did some testing and found out that it is very much true and not at all on a small level. You could be sitting in a hotel room on Wifi and someone on the complete oposite side of the hotel could grab your personal information. It’s even easier on smaller networks. Let me explain how it works.
This is going to sound weird, but websites work just like nightclubs. To get in you enter through a specific door. The person running the door (the bouncer) checks your ID. Once you are verified as being over 21 you get a stamp on your hand. That stamp allows you access, sometimes in and out access to the building. When I was young, I remember going to our local theme park where they did a very similar thing. As broke kids we would often pool our money together, one person would pay, get stamped, then come back out where we would do our best to transfer the stamp to each others hands. Give me a break, we were kids.
Websites use what is called a cookie rather then a stamp. When you log into a website, your browser is given a cookie. That cookie tells your browser that this particular computer can stay logged in so long as it remains at the current IP address and will remain active until the user clicks “logout” or the cookie expires.
Websites use two protocols, HTTP and HTTPS. You have probably seen both of these before. Most financial institutions or websites that deal with your financial information work on HTTPS which is “pretty” safe. HTTPS secures your information by encrypting it before it leaves your computer. If it is intercepted somewhere in between it would be hard to read because of the encryption. HTTP however is not encrypted at all. Using characters from Arrested Development as an example, HTTPS is like hiring ICE as a private detective and HTTP is like hiring Gene Parmesan. Notice that both are not that bright, however one is better than the other (in case you were wondering, Arrested Development is amazing, you need to watch all three seasons and morn it’s cancellation).
Most Wifi networks are not guarded. At home you are for the most part safe. It would take someone who really knows what they are doing to access your home network with out knowing your password. In public settings such as a hotel or a coffee shop it is very easy to access the cookies that are being given to another computer. This would be the equivalent to the nightclub doorman copying down the drivers license number of each person at the door and allowing others to see his notes.
There is a plugin for Firefox called Firesheep and it is dangerous. Firesheep automates the process of looking for cookies that are being passed across the network. This is very much the same as automating the process of checking hands for stamps at the door and giving it access to replicate that stamp whenever it wants. Firesheep will grab the cookie as it is being passed through the air and store it. You can then visit the website that cookie was created for, such as Paypal, Facebook, Twitter or any other website, click on the cookie in Firesheep and you are logged in as that person. You will not know their actual password but having access to the cookie will give you access to the website they logged into for as long as that cookie is valid.
THIS IS SUPER DANGEROUS!
Let me break this down into a real world example.
Example: Jane is sitting in Gnarbucks Coffee Shop with her laptop enjoying a Vente Carmel Frapp she will later regret when she can’t fit into her True Religion jeans she just bought. Because Gnarbucks has free Wifi she decides to use it to access the web. She goes to login to her bank though their website to see if the $300 pair of jeans had posted to her account yet. She goes to paybuddy.com where she enters her username and password.
Unbeknownst to her, Jack, who thinks he is cool drinking a tall half-skinny half-1 percent extra hot split quad shot (two shots decaf, two shots regular) latte with whip (what a douche). He has his Acer laptop with him which he always reminds people of how little he paid for it. He is connected to Gnarbucks free wifi, has Firefox open and Firesheep installed. He just got done posting LOLCAT pictures all over Marcie’s Facebook wall. He was able to access her Facebook account when she logged into Facebook while at Gnarbucks from her laptop. Jack notices that someone has logged into their PayBuddy account, his curiosity peaks and he decides to take a look. From what he can see it looks like Jane has some money in there. Because PayBuddy is a 100% online bank, he can see all of her personal information. He copies her name, address and phone number and opens his own “fake” PayBuddy account using a Yahoo email address he set up to look like hers. With his new PayBuddy account he also opens up a eLame Auction account, creates some fake products and sells them. With the products sold, he accepts payment for them, uses the PayBuddy account to order some stuff off of Amazon and closes the PayBuddy account a few days later.
Who do you think will get the phone call about all of this mess? Jane will! It probably won’t be hard for the bank to figure out that it is all fake but it will be a hassle. Jane may have to fill out some paperwork, she may even get emails from upset eLame customers.
This is even more common and much easier to do on Social Networks because Social Networks hired a blind person to watch their door (ie. HTTP). You also want to beware of chat messages, wall posts and links that are shared with you on social networks that don’t appear to be from the person sending them. I always ask the person if they are sending that to me or if they are hacked before I click on it. These “bots” are getting smarter and can even respond to simple questions in chat messages.
The good thing about all of this is that it is not really possible for a person to get your Social Security Number unless you have it stored in one of these accounts. Most online accounts do not store your SSN. However, smart people can get creative and figure something out, just like Jack did. Keep in mind that everything with a login is possibly at risk when you use public internet connections.
How To Protect Yourself From Firesheep Users and Other Hackers
First of all, forget using a browser such as Internet Explorer. If you are using IE you need to stop. I don’t care how cool Microsoft says it is, STOP! Use Firefox or Google Chrome. If you are using Firefox you can install a free plugin called Force-TLS which forces websites to run in HTTPS mode. For Google Chrome, get KB SSL Enforcer. Remember that this is not 100% safe, just safer. It will block Firesheep and other similar software from being able to read your login information.
The ultimate fix would be to simply just not use your computer to do anything important in a public wifi setting. This is impossible even for myself. I use my iPhone or Android Phone as the internet connection for my laptop. This assures that I am the only one connected to that network and specific IP address. If you have a smart phone that allows for internet tethering I suggest you use it.
I hope this helps you thwart unknown attempts are your personal data. The problem is that you don’t know your information is at risk until it’s to late. You may get lucky and wind up with a few unwanted LOLCAT pictures on your Facebook but it’s best to take precautionary measures whenever possible.
Should I find better solutions or more up to date information I will update this post.
Mentions: Thanks @CalebSexton for the link to the douchiest coffee drink order ever.