Public Wi-Fi: Proceed with Caution

By Leila Sharma | Last Updated: February 15, 2022

Cover Image

Best Practices and Behavior to Avoid When Using Public Wi-Fi

Public Wi-Fi networks are available almost everywhere you go. Although it’s convenient to use public Wi-Fi in an airport, hotel, gym, library, or local business, remember that public Wi-Fi networks are often exploited by malicious actors seeking access to your sensitive data. For this reason, it’s critical that you remain aware of common Wi-Fi scam tactics and the best practices for safely connecting to and using public Wi-Fi.

Wi-Fi scam tactics often involve eavesdropping or “snooping” on network traffic. In an attack type known as “Evil Twin,” malicious actors lure you into connecting to their Wi-Fi network by setting up non-password-protected hotspots with the same or similar sounding names as the Wi-Fi hotspots of known and trusted entities. They can then spy on those duped into connecting. Evil Twin hotspots may have stronger signals than their legitimate counterparts, making connection more of a temptation.

Malicious actors will also connect to legitimate, public Wi-Fi networks for which they’ve obtained the password as a way to spy on network traffic. In this type of attack, known as a Man-in-the-Middle (“MitM”) attack, malicious actors are positioning themselves between you and the Wi-Fi hotspot and are intercepting data being accessed or sent from your device, which may include email messages, phone calls, credit cards, banking details, and other types of sensitive information. To minimize this threat, do not access your personal accounts, enter credentials, perform transactions, transmit data, or shop online while using public Wi-Fi.”

In addition to Evil Twin and MitM attacks, scammers can use public Wi-Fi networks to infect your devices with malware by exploiting vulnerabilities in unpatched applications or operating systems. This is one of many reasons why it’s important to regularly update and patch the software on your devices. If you’re planning to travel, perform all updates on a secure, trusted network prior to your departure, as updates performed on public Wi-Fi may infect your devices with malware. In 2014, Kaspersky Labs uncovered a scheme dubbed “Dark Hotel” which targeted CEOs and other high-value victims connecting to the public Wi-Fi networks of their luxury hotels in Asia at the time. The devices of targeted individuals became infected with malware and sensitive information on their devices was stolen when they downloaded software updates. In some cases, the malware infection did not become apparent for several months as it remained inactive until remotely accessed.

The following are supplemental recommendations and best practices you can refer to when using public Wi-Fi:

  • Whenever feasible, use your device’s data plan and avoid the security risks associated with public Wi-Fi use.
  • The address bar of any website that requests sensitive data like a password or credit card number should show “https://” or Secure Sockets Layer (SSL) and a green padlock icon. However, up to 50% of all phishing sites now use these visual cues, so it’s important to preview links before clicking them or visit sites by typing in a trusted URL.
  • Think before you connect. If a Wi-Fi password is publicly displayed, the network is not secure and should be viewed as an open network. Always obtain Wi-Fi passwords from a trusted source, such as an employee of the business or entity, and confirm the name of the network.
  • Use of a virtual private network (VPN), or a network within a network, whenever you’re using public Wi-Fi will encrypt everything you do while on public Wi-Fi. When using a VPN, scammers on the same network can only see that someone is using a VPN and are unable to detect what anyone using a VPN is doing. For information on NYU VPN, which provides secure access to NYU-NET from off-campus locations, see www.nyu.edu/it/vpn.
  • Use multi-factor authentication (“MFA”) for a second layer of protection on available accounts. After entering your username and password, MFA requires you to authenticate your login via a device that you previously registered. This added layer of security protects you from credential compromise because even if your credentials are stolen, a malicious actor is not in possession of your registered device(s) and cannot complete the authentication process without it or them. For more information about MFA at NYU, see www.nyu.edu/it/mfa.
  • Turn off Wi-Fi and Bluetooth when not in use, and set your device to ask before it connects to open networks.
  • Use your computer’s built-in firewalls, available on both Windows and Mac OS, which will protect you from compromised devices connected to the same network.
  • Use unique and strong (12+ character) passwords or passphrases for each account. See “Under Lock and Passphrase” for password and password manager recommendations. Using unique passwords for each of your accounts protects other accounts in the event that one gets compromised, as scammers will try to use the obtained password on a variety of sites.
  • Once you have finished using a network or account, be sure to log out.
  • Avoid using public devices, as they may be infected with malware or spyware. When the use of public Wi-Fi is necessary, connect to it using your own devices and the above best practices, if at all possible. If you must access a personal account on a public device, change the password as soon as possible afterwards from an owned device on a trusted network.

Additional Resources