An article over at medium gives excellent insight into the real dangers of open public WiFi. After reading this article you will never use a public WiFi hotspot again!
You should read the full article but here are some highlights:
A small device is all it takes to setup a fake WiFi hotspot
Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines. It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of cafe visitors.
The waitress serves us our coffee and hands us the WiFi password. After Slotboom is connected, he is able to provide all the visitors with an internet connection and to redirect all internet traffic through his little device.
Easy to attract victims
We see more and more visitors log on to our fictitious network. The siren song of the little black device appears to be irresistible. Already 20 smartphones and laptops are ours. If he wanted to, Slotboom could now completely ruin the lives of the people connected: He can retrieve their passwords, steal their identity, and plunder their bank accounts. Later today, he will show me how. I have given him permission to hack me in order to demonstrate what he is capable of, though it could be done to anyone with a smartphone in search of a network, or a laptop connecting to a WiFi network.
Every move you make can be tracked
We can now see some of the actual internet traffic of those around us. We see that someone with a MacBook is browsing the site Nu.nl. We can see that many devices are sending documents using WeTransfer, some are connecting to Dropbox, and some show activity on Tumblr. We see that someone has just logged on to FourSquare. The name of this person is also shown, and, after googling his name, we recognize him as the person sitting just a few feet away from us.
Stealing passwords are extremely easy
We visit yet another cafe. My last request to Slotboom is to show me what he would do if he wanted to really harm me. He asks me to go to Live.com (the Microsoft email site) and enter a random username and password. A few seconds later, the information I just typed appears on his screen. “Now I have the login details of your email account,” Slotboom says. “The first thing I would do is change the password of your account and indicate to other services you use that I have forgotten my password. Most people use the same email account for all services. And those new passwords will then be sent to your mailbox, which means I will have them at my disposal as well.” We do the same for Facebook: Slotboom is able to intercept the login name and password I entered with relative ease.
Another trick that Slotboom uses is to divert my internet traffic. For example, whenever I try to access the webpage of my bank, he has instructed his program to re-direct me to a page he owns: a cloned site that appears to be identical to the trusted site, but is in fact completely controlled by Slotboom. Hackers call this DNS spoofing. The information I entered on the site is stored on the server owned by Slotboom. Within 20 minutes he’s obtained the login details, including passwords for my Live.com, SNS Bank, Facebook, and DigiD accounts.
You may have heard that open public WiFi hotspots are dangerous but did you realize how easy it is to setup a fake hotspot? The amount of information and potential crimes that can be committed is truly frightening. Don’t connect to a public WiFi hotspot without security protections such as VPN software to encrypt the traffic. Even then, use extreme caution!