I’ve returned to the same coffee shop where I was a few months ago, where I noticed my email had been hijacked/hacked. This time, I’m using my phone, but the last time, when I noticed the hack, I was using my computer and doing email over an open-internet, free Wi-Fi network.
Do you think that could be the source of the problem or just a coincidence? I’m still afraid to do email from here.
It definitely could have been. Unfortunately, it’s hard to say for sure; it could have been something else.
As we can’t really diagnose the past, let’s look ahead instead.
It can be safe to send and receive email, or even do other tasks, in a coffee shop or other location providing unsecured or “open” Wi-Fi. In fact, I do it all the time.
But to ensure your safety, you do have to follow some very important practices.
Open Wi-Fi hotspot connections can be monitored by anyone within range. To use one securely:
- Make sure your operating system’s firewall is on. (It probably is.)
- Make sure your desktop email is configured to use encrypted connections.
- Make sure your online email provider and any other online/cloud services use https.
- Consider using a VPN if this is something you do often.
- Consider using your mobile connection.
- Remember physical security while you’re at it.
The open Wi-Fi problem
The problem with open Wi-Fi hotspots is that the connection between your computer and the wireless access point nearby is not encrypted. That means any data you don’t encrypt some other way is transmitted in the clear, and anyone within range can eavesdrop and see it. Encryption prevents that.
Important: know if it is encrypted or not. If you connect to a hotspot and the operating system on your machine requires a password for it to work — say with a password provided by the barista or hotel clerk — that’s not an “open” Wi-Fi hotspot, and you may be OK. When you’re required to provide a password before you can connect, then the Wi-Fi access point is using some form of encrypted connection.
On the other hand, if you can connect without a password, and your browser immediately takes you to a webpage that says “Enter a password” (as in a hotel) or “Check to accept our terms” (as in many other open hotspots), it is not encrypted and it is not secure. It is an open Wi-Fi hotspot.
Turn on the firewall
Fortunately, firewalls are “on” by default in most operating systems.
However, when you’re at home, you may use your router as your firewall, and keep any software firewall on your machine disabled. That works well, as the router stops network-based attacks before they ever reach your computer… while you’re at home.
But when you’re on an open Wi-Fi hotspot or connected directly to the internet via other means, that software firewall is critical.
Make sure your firewall is enabled before connecting to an open Wi-Fi hotspot. Various network-based threats could be present on an untrusted connection, and it’s the firewall’s job to protect you from that.
Secure your desktop email program
If you use a desktop email program, such as Microsoft Office’s Outlook, Thunderbird, or others, you must make certain it is configured to use SSL/secure connections for sending and downloading email.
When you configure each account in your email program, you need to:
- Configure your POP3 or IMAP server for accessing your email using SSL, TLS, or SSL/TLS security options, and usually a different port number.
- Configure your SMTP server for sending email using SSL, TLS, or SSL/TLS security options, and usually a different port number.
How you configure these settings depends on the email program you use. The specific settings depend on the email service.
Once configured with the proper settings, you can feel secure downloading and sending mail using an open Wi-Fi hotspot.
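One way to check those settings in Thunderbird, as an added example that is not part of the original article: the script reads account lines from a prefs.js file and flags any incoming or outgoing server that is not set to STARTTLS or SSL/TLS. It assumes Thunderbird's socketType and try_ssl preference keys with the values 0 to 3 shown in the code; the sample lines and host names are constructed.

```python
import re

# Thunderbird's connection-security codes (assumed values 0-3), shared by
# the incoming "socketType" and outgoing "try_ssl" preferences.
SECURITY = {0: "none", 1: "STARTTLS if available", 2: "STARTTLS", 3: "SSL/TLS"}
ENCRYPTED = {2, 3}  # code 1 is opportunistic and may fall back to plaintext
PREF_RE = re.compile(
    r'user_pref\("mail\.(server|smtpserver)\.(\w+)\.(\w+)",\s*(.+?)\);')

# Constructed sample prefs.js lines (host names are placeholders).
SAMPLE = """
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.hostname", "imap.example.com");
user_pref("mail.server.server1.port", 993);
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.type", "pop3");
user_pref("mail.server.server2.hostname", "pop.example.net");
user_pref("mail.server.server2.socketType", 0);
user_pref("mail.server.server3.type", "none");
user_pref("mail.smtpserver.smtp1.hostname", "smtp.example.com");
user_pref("mail.smtpserver.smtp1.port", 587);
user_pref("mail.smtpserver.smtp1.try_ssl", 2);
user_pref("mail.smtpserver.smtp2.hostname", "smtp.example.net");
user_pref("mail.smtpserver.smtp2.try_ssl", 1);
"""

def parse_prefs(text):
    """Group mail.server.* and mail.smtpserver.* prefs by account key."""
    accounts = {}
    for kind, key, name, raw in PREF_RE.findall(text):
        value = raw.strip('"') if raw.startswith('"') else (
            int(raw) if raw.isdigit() else raw)
        accounts.setdefault((kind, key), {})[name] = value
    return accounts

def audit(text):
    """Return (protocol, host, port, mode, encrypted) per real mail server.
    A missing security setting is counted as unencrypted."""
    rows = []
    for (kind, key), p in sorted(parse_prefs(text).items()):
        if kind == "server" and p.get("type") not in ("imap", "pop3"):
            continue  # skip Local Folders, feeds and news accounts
        proto = p["type"] if kind == "server" else "smtp"
        code = p.get("socketType" if kind == "server" else "try_ssl", 0)
        rows.append((proto, p.get("hostname", "?"), p.get("port"),
                     SECURITY.get(code, "unknown"), code in ENCRYPTED))
    return rows

if __name__ == "__main__":
    for proto, host, port, mode, ok in audit(SAMPLE):
        print(f"{'OK  ' if ok else 'FIX '} {proto:5} {host}:{port} -> {mode}")
```

Any account reported as FIX should be switched to STARTTLS or SSL/TLS in the account's server settings before it is used on an open hotspot.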
Secure your web-based email
If you use a web-based email service like Gmail, Outlook.com, Yahoo, or others via your browser, you must make sure it uses an httpS connection. Fortunately, almost all major email services now rely on https.
In years past, accessing email using a plain http connection might well have been the source of many open Wi-Fi-related hacks: usernames and passwords were visible to any hackers in range who cared to look. Https prevents that.
Secure all your other online accounts
Any and all web-based (aka “cloud”) services that require you to log in with a username and password should either be used only with https from start to finish or be avoided completely while you’re using an open Wi-Fi hotspot.
With more and more services provided online, this is getting to be a larger problem. Fortunately, most are aware of the issue and are using https properly.
Using the cloud is a great way to manage your digital life from wherever you may be, but security remains key. Using https is critical when you’re out and about.
Use a VPN
This one is for the road warriors — the folks who are always traveling and online the entire time, often hopping from coffee shop to coffee shop in search of an internet connection as they go.
A VPN, or Virtual Private Network, is a service that sets up a securely encrypted ‘tunnel’ to the internet and routes all of your internet traffic through it. Https or not, SSL/secure email configuration or not, all of your traffic is securely tunneled, and no one sharing that open Wi-Fi hotspot can see a thing.
This service typically involves a recurring fee.[1] As I said, they’re great for road warriors, but probably overkill for the rest of us, as long as we follow the other security steps described above.
Use different passwords
Use a different password for each account. That way, should one account be compromised by some stroke of misfortune, hackers won’t automatically gain access to your other accounts.
Remember, even when you use an open Wi-Fi hotspot properly, a hacker can still see the sites you’re visiting, even though they cannot see what you are sending to and from that site. That means they’ll know exactly what sites to target next.
Consider not using free Wi-Fi at all
As I said, it can be safe to use open Wi-Fi, but it’s also easy for it to become unsafe.
One common and solid alternative is to use your phone instead.
While it is technically possible for a mobile/cellular network connection to be hacked, it is significantly less likely. In fact, I use this solution heavily when I travel.
Most mobile carriers offer one or more of the following options:
- Use your mobile device. Many phones or other mobile devices, such as iPhones, iPads, Android-based phones, and others are quite capable email and web-surfing devices, and typically do so via the mobile network. (Some also use Wi-Fi, so be certain you’re using the mobile broadband connection for this option to avoid the very security issues we’re discussing.)
- Tether your phone. Tethering means you connect your phone to your computer — usually by a USB cable, but in some cases, via a Bluetooth connection — and the phone acts as a modem, providing a mobile broadband internet connection.
- Use a dedicated mobile modem. These are USB devices that attach to your computer and act as a modem to provide a mobile broadband internet connection, much like tethering your phone.
- Use a mobile hotspot. In lieu of tethering, many phones now have the ability to act as Wi-Fi hotspots themselves. There are also dedicated devices, such as the MiFi, that are simple dedicated hotspots. Either way, the device connects to the mobile broadband network and provides a Wi-Fi hotspot accessible to one or more devices within range. When used in this manner, these devices act as routers and must be configured securely, including a WPA2 password, so as not to be another open Wi-Fi hotspot susceptible to hacking.
I travel with a MiFi and have a phone capable of acting as a hotspot as a backup. I find this to be the most flexible option for the way I travel and use my computer.
Don’t forget physical security
Laptops are convenient because they’re portable. And because they’re portable, they’re also easily stolen.
Unfortunately, it only takes a few seconds for an unattended laptop to disappear. I never leave mine alone: even if I need to make a quick trip to the restroom, the laptop comes with me. There’s just no way of knowing that everyone around me is trustworthy.
In that same vein, I also prepare in case my laptop does get swiped. Specifically, that means:
- My hard drive is encrypted.
- My sensitive data is stored in folders encrypted using BoxCryptor. Those folders are not mounted unless I need something.
- LastPass, my password management software, is set to require a password re-prompt after a certain amount of inactivity.
- I have two-factor authentication enabled on as many accounts as support it, including LastPass.
- I have tracking/remote wiping software installed.
Computer theft and recovery is a larger topic that’s only tangential to using open Wi-Fi hotspots. Clearly, though, if you are a frequent user of assorted open hotspots in your community or when you travel, a little attention to theft prevention and recovery is worthwhile.
Security and convenience are always at odds
As you can see, it’s easy to get this stuff wrong, since doing it securely takes a little planning and forethought.
But it’s important. If you’re not doing things securely, that guy in the corner with his laptop open could be watching all your internet traffic on the Wi-Fi connection, including your account username and password as they fly by.
And when that happens, you can get hacked.
Fortunately, with a little knowledge and preparation, it’s relatively easy to be safe.
Footnotes & References
1: In fact, I’d avoid free VPNs, as they run a higher risk of tracking or exposing your information in other ways.