The proverb that there is no such thing as a free lunch is common knowledge in theory, but in practice some people forget it and hope for a free ride instead. Today's story about free WiFi shows that when you take a service provider up on such an offer, you are very likely to hand your private data, such as your social network credentials, to third parties without realizing it.
There are a number of real-life examples showing why 'free lunch' offers deserve suspicion. One of the most recent involves free WiFi hotspots supplied to cafes by Smart Wi-Fi, a company based in St. Petersburg, Russia. Attentive users recorded several videos showing what happens when a customer logs into the Smart Wi-Fi network, and posted them on YouTube.
The full story is told in a detailed article on Siliconrus.com (in Russian, so an online translator may help), but here is the technology in brief: when connecting to a Smart Wi-Fi network, a customer is asked to authorize with a social network profile. In this case the profile is on VKontakte (vk.com), the most popular social network in Russia.
However, the login and password are entered not on the vk.com page but on the Smart Wi-Fi website, over an unencrypted HTTP connection, which is the least secure way of logging in to any site: the form carries the social network's name, but the credentials are submitted to a different origin, in cleartext.
So when a user logs in with their VK profile, the vk.com password is handed to the Smart Wi-Fi provider and, incidentally, to anyone nearby with a laptop who is capturing traffic: on an open hotspot, a passive eavesdropper within radio range can read the HTTP request that carries the password.
As for Smart Wi-Fi itself, the article and the videos show that the service stores the credentials and uses them: in one instance to post an ad on the customer's VK.com page, and in another to install an app on the vk.com profile with a very broad set of permissions, including access to a wide range of personal data and the right to publish updates on the user's behalf.
In the first case the user is at least warned that an ad will be posted on their 'wall'; the app installation happens without any notice at all. To discover the app, a user would have to review the list of applications attached to their Vkontakte account, and the number of users who do that regularly is vanishingly small.
Web pages that mimic the login page of a social network or an online banking service are very common. In fact, they are the cornerstone of the widespread scam known as 'phishing': fake pages masquerading as legitimate sites lure users into entering their credentials, which criminals then abuse, for instance to gain unauthorized access to private data.
The real news here is the use of this practice by a service provider, which is a highly questionable approach. We doubt the provider designed this scheme with deliberate malice in mind, but the users' data is exposed to theft all the same.
As with all traditional phishing, there is one effective cure: caution and vigilance. As always, check the actual website URL and never enter your credentials if it differs from the address you expected. The major social networks and online banking services have long since moved to HTTPS, which encrypts the connection, so never type a password into a page that does not show the padlock in the browser's address bar. Keep in mind that the padlock only proves the connection is encrypted to the site named in the address bar; a phishing site can use HTTPS too, so the two checks go together: the right domain, and HTTPS to it.
Note that the latest Kaspersky Internet Security can detect insecure WiFi networks and warn the user before connecting to such hotspots.
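One way to perform the URL-and-HTTPS check above mechanically, as an added example that is not part of the original post and not code from Smart Wi-Fi or VK: the Python script below parses a login page, finds every form that contains a password field, resolves where that form actually submits, and flags forms that would send the password over plain HTTP, to a host other than the one the user expects, or via GET. The two sample pages and the hostname portal.example.net are constructed for illustration; the form paths are not any real site's endpoints.

```python
"""
Where does this login form really send my password?

Added example, not code from the original post or from any of the
companies it mentions. Parses an HTML page, finds forms with a password
field, resolves each form's action against the page URL and reports
whether the credentials would leave over plain HTTP and whether they go
to the origin the user expects. Sample pages and hostnames are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect action, method and has_password for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower() or "get",
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html, expected_host):
    """Return one finding per password form: target URL, reasons, verdict."""
    parser = _LoginFormFinder()
    parser.feed(html)
    parser.close()
    expected = expected_host.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action submits back to the page's own origin,
        # so the page URL (not the site name shown on the page) decides.
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append("password would travel over plain %s"
                           % (parts.scheme or "unknown scheme"))
        if host != expected and not host.endswith("." + expected):
            reasons.append("password goes to %r, not to %r" % (host, expected))
        if form["method"] != "post":
            reasons.append("method %s would put the password in the URL and logs"
                           % form["method"].upper())
        findings.append({"submits_to": target, "reasons": reasons,
                         "verdict": "ok" if not reasons else "unsafe"})
    return findings


# Constructed sample 1: a captive portal that asks for social network
# credentials but posts them to the portal operator over plain HTTP.
# The hostname portal.example.net is made up.
PORTAL_URL = "http://portal.example.net/login"
PORTAL_HTML = """
<html><body>
<h1>Free Wi-Fi: sign in with your VK account</h1>
<form action="/auth/vk" method="post">
  <input name="email" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Connect">
</form>
</body></html>
"""

# Constructed sample 2: a login form served by the social network itself over
# HTTPS. The path /login is illustrative, not the site's real endpoint.
GENUINE_URL = "https://vk.com/login"
GENUINE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="email" type="text">
  <input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for label, url, html in (("captive portal", PORTAL_URL, PORTAL_HTML),
                             ("genuine site", GENUINE_URL, GENUINE_HTML)):
        for f in audit_login_forms(url, html, "vk.com"):
            print("%s: %s -> %s" % (label, f["submits_to"], f["verdict"]))
            for r in f["reasons"]:
                print("   - " + r)
```

The portal form is flagged twice (plain HTTP, and a destination that is not vk.com) even though the page itself talks about VK; the genuine form passes. The host check accepts subdomains of the expected host, which is what a browser's origin comparison would not do, so tighten it to an exact match if the site is known to log in on one host only.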