“How secure is my wifi network?” Has the question crossed your mind that someone out there is just waiting to access your private data and are you prepared to secure your privacy?

Hackers: I want to know your passwords

There are WiFi hotspots in hotels, airports, Starbucks and now even some Mamak shops. Some of these WiFi network are purposely set up with a sign saying “Free Public Wi-Fi” to steal private data or to infect your computer without ever actually connecting you to the Internet. What can consumers do to ensure that their privacy is protected?

“It only takes 15 minutes to hack in to a WEP encrypted WiFi network and less than a hour if it is using WPA2 encryption” said iTrain's Certified Ethical Hacker, Carlyle Thaw.

iTrain is a certified IT training centre in Malaysia, offering a wide range of courses in IT.

Using an open source based operating system that is freely downloadable from the net and can be run from a CD, a hacker can easily hack into a WiFi network using a normal PC or even a netbook such as the Asus EEE PC.

There is no need to hack into the user's PC since the computer is connected to the WiFi network. The hacker only needs to hack the WiFi Access Point (AP) or the WiFi router and all data that goes through the WiFi network can be easily viewed, according Bikesh Lakhmichand, Group Chief Executive Officer of iTrain.

Bikesh said that it is easy to obtain a user's login details. A well prepared hacker will first hack into the WiFi network. All Internet activity in the hacked WiFi network will be normal but when the user types in “http://www.maybank2u.com.my” on their browser, he or she will see a phishing Maybank2u web site that is hosted on the hacker's PC or on the internet.

The user could still look out for the SSL sign but according to Bikesh even that can be faked or the hacker could just issue a new SSL certificate which is commonly accepted by the user without going through it. In this case, the user sees a fake Maybank2u site and a secured connection is established between the user's PC and the hacker's PC.

After entering their login details on the first attempt, which will eventually fail, users will then be diverted to the real Maybank2u website and not realize that they have just given their usernames and passwords to the hacker.

Bank login details are not that useful since the bank will still require users to validate themselves with their registered mobile phone numbers using the Transaction Authorisation Code (TAC).

The point here is, if SSL can be faked in WiFi network, what can be done to protect the consumer's private data?

Linksys, a division of Cisco responded to our queries. “Just as in wired networks, no one can guarantee a completely secure networking environment that will prevent security attacks every single time. Security protection is dynamic, and as such businesses, end-users, service providers and technology manufacturers need to stay one step ahead of the hackers.” said Craig Gledhill, Vice President of Linksys, Asia Pacific.

Craig said that Cisco has yet to receive official reports of successful breaches of WPA2 security encryption, however he said that professional hackers will constantly to evolve their methods to find new ways to unlock weaknesses or vulnerabilities in an emerging security standard.

(In part 2, we will look at how consumers could protect themself in a WiFi network. )