Investing over public Wi-Fi: why you should never place orders on a public network

Perhaps you did a quick check of your investments at the library. Or you placed a purchase order from the hotel at a resort. What harm could it do? Unfortunately, public Wi-Fi networks really aren’t secure at all. What’s more, hackers consider investors especially appealing targets.

A weekday morning. You are in a co-working space, work laptop open before you, a cup of coffee to hand. The markets just opened and a share you have been following for some time is looking more attractive than ever. You connect to the space’s Wi-Fi network, log in and place an order. Five seconds all told. And done.

What you don’t know is that someone at a nearby desk has set up a fake network with a name identical to the real one. Your laptop connected automatically. Your login details were intercepted. Your account has been compromised.

From airports to hospitals

This is no science fiction. It is a method of attack used daily wherever people are likely to be connecting to public networks, in places such as train stations, airports, hotels, cafés, libraries, tourist attractions, hospitals, supermarkets, waiting rooms, the gym, swimming pools, holiday parks and museums. More than half of internet users admit to entering personal information on public networks, and 45% even do so for financial transactions (source). That is worrisome information.

What makes public Wi-Fi so dangerous

A public Wi-Fi network is a shared network by definition. It connects dozens, even hundreds of strangers at a time. What many people don’t realise is that data travelling over such networks is not always encrypted. Someone with access to the right knowledge and tools can intercept and analyse all the traffic on a public network. We call this ‘packet sniffing’: the interception of digital packets travelling back and forth between your device and the internet.

Man in the middle

The most dangerous technique used on public networks is the man-in-the-middle attack (MITM). An attacker positions themselves digitally between your device and the Internet. Everything you send or receive, including passwords, login details and transaction confirmations, goes through them. You don’t notice a thing. Your banking app works the same as always and pages load smoothly. Still, every keystroke is recorded.

MITM attacks account for 19% of successful cyber attacks (source). What makes these so treacherous is that even when you visit an apparently safe website starting with https, attackers can use ‘SSL stripping’ to bypass the encryption and intercept your data after all.

Fake network that looks real

Besides ‘listening in’ on existing networks, criminals can also set up their own fake version. This is an ‘evil twin’ attack. Using a small device available for a few hundred euros, they create a Wi-Fi network with exactly the same name as the legitimate network for that location.

Your device cannot distinguish the fake connection from the real one. It automatically connects to the strongest signal, which is often the attacker’s false network (source).Once connected, a login page appears that looks convincingly like the real provider’s page. Then you enter your details and the attacker grabs them.

Why investors are particularly vulnerable

Cybercriminals will generally be interested in any hacked bank account. Investment accounts are potentially even more lucrative. Anyone with access to your investment platform who knows your passwords can act on your behalf and cause extensive financial mayhem.

Furthermore, trading is often subject to time pressure. When shares change course suddenly, that pressure means people pay less attention. Criminals know this. They take care to set up their fake networks precisely where and when people are likely to be acting in a rush. There are currently an estimated 950 million public Wi-Fi hotspots globally (source).As the numbers of hotspots increase, so do the attackers.

What can you do?

1. Never place orders over public Wi-Fi

The simplest and most effective measure is not doing it. Wait until you are home or on a trusted network. A missed order is always preferable to a hacked investment account.

2. Use mobile data instead

Switch to your phone’s 4G or 5G network instead of connecting to public Wi-Fi. The data used to make a stock market transaction is negligible.

3. If you can’t avoid public Wi-Fi, use a VPN

A VPN (Virtual Private Network) encrypts your internet traffic, even on insecure networks. If someone intercepts your data after all, all they will see is unreadable encrypted data. Use a paid VPN from a reputable provider; free VPNs often don’t offer much real protection and may actually be selling your data.

4. Disable automatic connections

Your phone, tablet and laptop remember which networks you used before and connect to them automatically. That’s exactly how evil twin attacks work: your device connects to a fake network with the same name as one you used previously. Turn off ‘Connect automatically’ in your device settings.

5. Enable two-step authentication

Even if an attacker gets hold of your login details, two-step authentication adds another layer of protection. A second verification step via your phone or authenticator app makes it much harder for criminals to actually log in, even if they know your password.

6. Check the network address

Are you using public Wi-Fi after all and need to do something that can’t wait? Always check the URL of the website you are visiting. Be sure to enter the address yourself and never click on links in emails or messages that redirect to your investment platform.

7. Always log out afterward

Close the session as soon as you are done, especially on public networks. An active session is an open invitation to attackers who have intercepted your connection.

8. The golden rule of security: don’t be rushed

It can be understandably tempting to act quickly in response to price movements. However, the risk of harm due to unsafe actions on a public network is greater than you’d think.

TIP

Use the Keytrade Bank app on your phone in combination with mobile data. That way you can combine the convenience of investing on the go with a secure connection and needn’t rely on public networks.

Stay safe online with Keytrade Bank

At Keytrade Bank, security is a priority. If your personal bank details have been listed on a suspicious website, your personal details have been shared with an unknown person over the phone, or you’ve spotted an unknown payment that you didn’t make yourself, you can call us 24/7 on +32 (0)2 679 90 00.