How Hackers Use Public Wi-Fi To Steal Your Information

Written by: Destiny Idika

Reading time:
Published 3 Years Ago On Friday, August 13, 2021
Updated 2 Years Ago On Sunday, April 24, 2022

Public Wi-Fi which can also be referred to as free Wi-Fi are those Hotspots which are accessible to the general public. They can be found in popular public places like airports, coffee shops, malls, restaurants and hotels etc. This free Wi-fi allows you to access the Internet for free.

However, these “hotspots” are so widespread and common that people frequently connect to them without understanding the security risk, threats and vulnerability it exposes them to.  

The following section highlights:

a. Some of the way’s cybercriminals can hack devices on public Wi-Fi, get access to private data, and potentially steal user’s identity and information.

b. How you can protect yourself from public Wi-Fi hacking.


How to Protect Yourself against Man in The Middle Attacks
a. Session hijacking or cookie hijacking: This type of Man-in-the-middle attack relies heavily on obtaining information via packet sniffing.  Let's say you logged into a website and forget to logout. Now, since you are already authenticated by the website’s server and hence generated a session token/cookie. If someone was performing a session hijacking, they could steal that token, use it to trick the server, get access and impersonate you on the website.

Session Cookie/Token contains all the needed information about a user [such as Username, password, roles etc.]. this is stored in a temporary memory location after the user's Authentication.
This form of mechanism allows the user to remain logged-on and have access to a website's resources. The session gets deleted when the user logs out, closes the browser or when it reaches its expiry time. In most cases, The session also get deleted when the user is inactive for some minutes. This is why most applications (like Banks mobile application;) logs you out after some minutes.


How to Protect Against Packet Sniffing

The core concern with public Wi-Fi is the lack of encryption (scrambling of personal data). VPNs scramble your personal information so without the correct key, it can't be read (in most cases). If you regularly use hotspots, a trusted VPN and highly secured VPN is essential. But most cases this type of VPN are not free.

This is an attack that places the attacker in the middle of two hosts. (example: A user and a website.) that think they're communicating directly with each other. The attacker will monitor the information from these hosts and potentially hijack and modify it in transit. In some cases, the uninvited attacker could present their own version of the website and displays it to their victim. Anyone using public Wi-Fi is especially vulnerable to Man-in-the-middle-attack. Because the information transmitted is generally unencrypted.

1. Always ensure that the URL of websites you are visiting contains https instead of just http. example: that additional "S" means "Secure"— this will add some level of encryption to the website and as well as to your information.

2. Don't input any sensitive data such as ATM card details, passwords, Pin etc. on any Public Wifi.


1. For developers, properly use/configure a Json Web Token, a Refresh Token with a Standard encryption method and digital signature in the development phases of web services. This security practice can inarguably mitigate any form of session hijacking.

2. For Users, making use of a trusted VPN will scramble information to and from your device hence shielding you from such attack.

3. make sure you always log out after using a public hotspot.

b. Rogue access point attack: A rogue AP is an access point that is installed on a secured network without the knowledge of the network administrator. Let’s assume that a certain office is making use of a wireless router alongside a secured wired network to create a simple wireless network. This can actually be pretty dangerous, and could grant unauthorized access to the secured network. However, an attacker can just stand outside the building and hop onto this wireless network router and use it as an entry point to gain access to the secured network.

c. Evil twin: It's similar to the rogue AP example but has a small but important difference. The premise of an evil twin attack is for you to connect to a network that is identical to yours. This identical network is the network's evil twin and is controlled by the attacker. Once a user connects to it, they will be able to monitor his traffic. Example: a legitimate public Wi-fi may bear the name DESTROTECH-Wi-Fi which maybe Encrypted. An Attacker could create an Identical/Unencrypted version of the legitimate Wi-fi Hotspot with the same name as DESTROTECH-Wi-Fi”. Once a victim connects to the fake Wi-Fi Hotspot, they could be handing over all their private information, merely because they were tricked into joining the wrong network; thus, giving the attacker full control over their data and identities. It's fairly easy to set up a fake Access Point (AP), and is well worth the effort for cybercriminals. Is worthwhile to know that hackers can use any device with internet capabilities, including a smartphone, to set up an Access Point with the same name as a genuine hotspot. Any transmitted data sent after joining a fake network is going to be harvested by a hacker.

Be suspicious if you see two similarly-named network connections. You should also consider using a data scrambling trusted Virtual Private Network (VPN). This establishes a level of encryption between the end-user and a website, so potential intercepted data is unreadable by a hacker since he doesn’t have access to the decryption key.

Packet-Sniffing is a method that enables a hacker to acquire airborne information then analyze it at their own speed. Packet sniffing is relatively simple, and not even illegal in some cases. IT departments do this regularly, ensuring safe practices are maintained, faults are found, and company policies are adhered to. But it's also useful for cybercriminals.

Hackers can obtain an abundance of data then scan through it at their leisure for important information like passwords, Debit card information etc.

You need to rely on strong encryption such as a trusted VPN and make sure you only visit sites that have HTTPS in its link.

The need for a top business owner or organization to have a professional, scalable, Fast, Optimized,Efficient, Very Secured web application (website) can never be over emphasized.
However, With this great tool (Web Application) Business Owners will definitely and Undoubtedly solidify their online presence, improve their Search Engine ranking, eliminate the likelihood of Missing out on search engine queries / results by prospective clients whom may search for a business like theirs on search engines like Bing and google, stay toe to toe with Compititors who already have a web application etc.
Read Now Top 15 Reasosns why you need a website for your Business
You don’t need to do all of these alone, We got you covered!! Contact us now your satisfaction is always our priority. price definitely won't be a problem.

Thanks for reading

Differences between Local POS (Offline) and Cloud-Based / Internet-Based POS (Online) and Their working principle

What does Analog Computer Mean