How Much is ‘Free’ WiFi Costing You?

Would you give away your birthday? Your travel details? Your home address? Your phone number?
Well, a couple of weeks ago, a security researcher in the UK was looking around online when he came across yet another company that had joined the 100 million club.
That’s the name we jokingly coined in 2013 when Adobe suffered a breach that exposed 150,000,000 encrypted password records in one go.mDespite the encryption – which Adobe hadn’t gone about in the right way – a significant minority of the passwords in the list could be figured out. (Adobe had stored the password hints in plaintext, and lots of users had just repeated their passwords in the hint field, as absurd as that sounds.)

BIG BREACH SOCIETY

Back then, we rather naively assumed that membership of this notional “100 million club” would remain rare. But the low cost and ready availability of cloud storage has made it easier than ever for just about anyone to leak as many records as they care to share.
And that’s what seemed to have happened in the case that Jeremiah Fowler of Security Discovery stumbled upon in mid-February 2020.The 146 million records’ worth of data didn’t include deeply sensitive details, instead, Fowler could see what looked like travel details.
He quickly tracked the source back through domain names in the data to a company that turns out to operate ‘free’ Wi-Fi’ hotspots, including at a number of train stations in England.

The company reacted quickly to Fowler’s report by sealing off the data it had accidentally exposed in the cloud – though it didn’t tell Fowler, leaving him to worry that his report wouldn’t get looked at until the following week).
So, why would anyone want to worry about 146,000,000 database entries relating to free Wi-Fi users connecting to a free Wi-Fi service?
The problem is, of course, that – in the UK at least – ‘free’ Wi-Fi seems to divide into two categories.
There’s ‘free if you come into the coffee shop and buy something, here’s the password, help yourself, no need to register, and why not try the carrot cake while you’re at it’.
And there’s the ‘free in return for a bunch of personal data that will help us market to you in a way that makes your retail/station/airport experience so much more enjoyable‘.
The problem with the second sort of ‘free’ Wi-Fi is that the company that’s giving you the ‘free’ service can only make money out of it – by which we mean they can only make you pay for it – if they can track who you are and what you do when you connect.
That’s why Fowler found all sorts of scammer-friendly information logged in the records of the database he came across, including names, email addresses, age ranges and device data of users of the service.
As Fowler remarks: In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.
So, just how much personal data should you give away in return for ‘free’ Wi-Fi? In an era of affordable mobile data – especially in the UK, where pay-as-you-go SIM cards are cheap and can be bought easily at just about any supermarket checkout – do you even need free-as-in-paid-for-indirectly Wi-Fi at all?

WHAT TO DO?

Here’s an idea: decide how much your various items of personal data are worth to you, and then stick to your valuation whenever you hit an online sign-up page.
For example, in our opinion, your age in general and your birthday in particular – still treated as a factor of identification by many organizations – is worth too much to hand over in return for free Wi-Fi, even though many Wi-Fi services seem to want it.
If a company demands data that you think is worth more to them than you are getting in return, our advice is simple: “Stay away.”
After all, if they don’t value your data as highly as you do, there’s not much incentive for them to look after your data with the zeal you might expect.
Incidentally, it seems that in this case, the Wi-Fi provider did offer a “don’t want to give you that data” option during sign-up, and that would have been the wise choice.
Remember: you don’t have to fill in optional fields in web signup forms, and life is a lot simpler if you leave them blank. After all, if you don’t hand over data in the first place, there’s no way the company at the other end can ever lose it in a data breach.
Need help keeping your data secure? Give Ashton a call at 216 397-4080.

Published with permission of Sophos Naked Security