Unsecured WiFi at Hotel

[Timeshare Von]

You know, you're always forewarned about the unsecured WiFi at hotels and other places. I rarely have worried about it, but have learned my lesson the hard way.

While staying in Montana, I did use the free WiFi at my hotel. It appears that my activity was logged by a hack who then accessed by AOL account, along with my IgoUgo.com and Trip Advisor accounts.

First thing they did was change my AOL password and some settings which caused me to lose all of my saved emails regarding several recent & future trips. This was my first signal this morning that something was UP.

Then I got an email from one of my IgoUgo editors indicating that my photo and profile had been changed and they subsequently deleted it all. They asked that I repost accordingly, and suggested I change my password.

Finally, I went to TripAdvisor's Montana forum this morning in order to update a forum thread I was contributing to . . . only to find that my Thursday evening post had been deleted on Saturday at 3:47am (I was on the train and had not had access to the internet since approximately Friday at 6:30a!) I also checked my profile there only to learn the hacker changed my password and email contact info to some bogus .gmail account.

I've been able to fix the AOL password issues but lost all of the content deleted. I was also able to fix the issues with IgoUgo.com. Unfortunately, because TripAdvisor requires your current password to change to a new one, and I don't know what this yutz changed it to, I cannot change it easily. Additionally, in trying to change it an email to their email address was generated advising that "someone" is trying to change "their" password.

I have an email into TripAdvisor regarding the issue but no response yet. What a nightmare!

I'm just thankful I did not access any banking info from on the road via this unsecured WiFi connection. Word to the wise . . .

 

[linsj]

This is why I pay $40/year for Witopia, a personal VPN that encrypts my Internet traffic both ways. I have to do more than email and Web browsing, including online bill paying, while out of town, so it's worth the expense to me.

 

[Timeshare Von]

This is why I pay $40/year for Witopia, a personal VPN that encrypts my Internet traffic both ways. I have to do more than email and Web browsing, including online bill paying, while out of town, so it's worth the expense to me.

Good to know . . . I'll pass this on to my hubby who handles our home IT needs Thanks!!!

 

[dioxide45]

What did they have to gain? Other than to cause havoc?

 

[SOS8260456]

What did they have to gain? Other than to cause havoc?

Sometimes I think that is all they want to do. It takes all kinds in this crazy world we live in.

Sorry for the trouble you are dealing with and hope you can get it all straightened out.

I hope alot of bad karma goes to the hacker,

 

[pjrose]

I suppose they could gain the login to your bank account and credit cards if you're doing any of that on vacation.

What can we do to prevent this?

 

[dioxide45]

I suppose they could gain the login to your bank account and credit cards if you're doing any of that on vacation.

What can we do to prevent this?

That information is usually transmitted over a 128 bit encryption. I am thinking that the AOL and TripAdvisor stuff wasn't.

 

[Nickfromct]

I suppose they could gain the login to your bank account and credit cards if you're doing any of that on vacation.

What can we do to prevent this?

If there is a choice between wired and wireless internet. I always use the wired. If we need wireless for some reason, like multiple devices in the room I bring my own travel router which is password protected.

 

[BoaterMike]

What can we do to prevent this?

Either use a secure personal travel router like Nickfromct says or a personal vpn like linsj mentioned. I use the personal vpn myself when I travel. It runs about $50 per year and is worth it for the peace of mind.

That information is usually transmitted over a 128 bit encryption. I am thinking that the AOL and TripAdvisor stuff wasn't.

True, if the gateway or router was security enabled. If not, a novice hacker could easily access the computer on an unsecure network even though the web page was secure.

Reasonable caution is always a good thing.

Mike

 

[Timeshare Von]

What did they have to gain? Other than to cause havoc?

Since the only content that was messed with was my positive comment on TripAdvisor regarding my experience at the Best Western Rocky Mountain Lodge, it could have been a disgruntled employee or perhaps a competitor hotel in the area. It's easy enough to access an unsecured WiFi (BW didn't even have a "user ID" code for guests to log-in with), that someone could sit in the parking lot or within a block or so to log into their system.

The hacker also went into my IgoUgo account and changed my photo and posted some rather lewd info into my profile . . . perhaps making it personal.

Who knows other than maybe idle hands and stupid minds!

 

[Timeshare Von]

That information is usually transmitted over a 128 bit encryption. I am thinking that the AOL and TripAdvisor stuff wasn't.

My DH said there is software out that that hackers can use to actually access people who are online via an unsecured connection, that allows them (the hacker) to see everything on their screen that I would have been seeing and doing online.

The only password ID connections I accessed from the hotel were my T/SVon AOL account and the two travel sites (IgoUgo & TripAdvisor).

 

[Timeshare Von]

Either use a secure personal travel router like Nickfromct says or a personal vpn like linsj mentioned. I use the personal vpn myself when I travel. It runs about $50 per year and is worth it for the peace of mind.



True, if the gateway or router was security enabled. If not, a novice hacker could easily access the computer on an unsecure network even though the web page was secure.

Reasonable caution is always a good thing.

Mike

I will obviously need to have my home IT guy (DH) figure out a game plan so that we do not incur in the future. I suppose I've been fortunate given the amount of travel I do to, and the amount of unsecure WiFi use I've had in the past. I feel rather stupid to have fallen victim this time but am glad to have not conducted any business via the internet over the unsecured access.

 

[Sandi Bo]

Oh geez, sorry for you troubles. Thank you for posting as it a good reminder to be cautious.

 

[Passepartout]

We can only hope the perp didn't load some malware on your computer that would allow further tricks. With our travels, we are careful not to access any financial sites unless we have a secure connection. Sometimes I wonder how 'secure' secure is, but so far we have been lucky.

New rule henceforth: No accessing any passworded sites from public networks.

Thanks Von, for bringing this necessary warning to us in a way that gets our undivided attention.

Jim

 

[dioxide45]

My DH said there is software out that that hackers can use to actually access people who are online via an unsecured connection, that allows them (the hacker) to see everything on their screen that I would have been seeing and doing online.

The only password ID connections I accessed from the hotel were my T/SVon AOL account and the two travel sites (IgoUgo & TripAdvisor).

My guess is however that these user IDs and passwords were being transmitted without any encryption and they were able to capture them form their movement over the network rather than seeing what was on your screen. They would have to have been able to install something on your system to capture key strokes. The fact that they were able to easily capture would make me think that they were just monitoring the data traffic over the networkn and captured it that way rather than hacking directly in to your system.

 

[Timeshare Von]

We can only hope the perp didn't load some malware on your computer that would allow further tricks. With our travels, we are careful not to access any financial sites unless we have a secure connection. Sometimes I wonder how 'secure' secure is, but so far we have been lucky.

New rule henceforth: No accessing any passworded sites from public networks.

Thanks Von, for bringing this necessary warning to us in a way that gets our undivided attention.

Jim

Happy to share ALL of my travel adventures . . . the bad with the good

My DH has gone through my netbook and there was nothing there in terms of malware, viruses, etc. so that was good news.

 

[pjrose]

How do we know if it's a secure vs not secure connection?

Would an Airport qualify as a router? It'd be password protected, but once the info leaves the Airport or other router and gets into the wider wireless system, isn't it fair game for hackers at that point?

 

[riverdees05]

BoaterMike,

Which personal vpn do you use?

 

[zinger1457]

How do we know if it's a secure vs not secure connection?

Would an Airport qualify as a router? It'd be password protected, but once the info leaves the Airport or other router and gets into the wider wireless system, isn't it fair game for hackers at that point?

The only way the wireless connection would be secure is if they use some type of encryption like WPA2 which is extremely rare for a public hot spot. Just requiring a passcode means little, it does not provide encryption, just limits who can access it. Once your connection hits the airport wireless router it should at that point travel the Internet over wired connections.

A good app to use for web browsers is a password manager like LastPass. It won't protect you in all cases but will help if a keyboard logger is being used on your system.

 

[Timeshare Von]

Based on our reconstruction of the issue, it appears the hacker was using a Firefox add-on called "FireSheep" that allows shadowing of users on an open WiFi network. It does not monitor or collect key strokes.

 

[BoaterMike]

BoaterMike,

Which personal vpn do you use?

I had been using cyberghost but switched to HMA (hide my ass). I changed to HMA at the time because of the combination of ease of use and value. There may be others equal or better, as I have not made a comparison since last Fall.

I may be making a change again this year if there is a reliable vpn that has both Windows and Android versions for one fee.

Mike

 

[eakhat]

It's a good reminder of what can happen. Thanks for sharing your experience.

We also had something happen to us when we were using our laptop at a timeshare resort in Orlando. Someone hacked in and took over our computer. I think they wanted us to buy the software to get ride of "the virus." We checked with a local place on the cost to have it professionally taken care of. It was very expensive, and they said we could probably lose information stored on the computer. My son, who is a computer techie, recommended we download free software from MalwareBytes, and that did the trick. We are much more cautious when we use our computer when we travel. After reading this blog, we'll spend the money for an encription software.

 

[hypnotiq]

Its simple. Don't do anything important on unsecure wireless. There are so many ways to capture user data, its not even funny, not to mention accessing the file system of any machine that is on that unsecured wireless.

"Free" internet comes at a price. :ignore:

 

[SmithOp]

What did they have to gain? Other than to cause havoc?

You might be surprised at how many people the the same password on many sites, and also keep copies of the registration emails.

Down

 

[Timeshare Von]

Its simple. Don't do anything important on unsecure wireless. There are so many ways to capture user data, its not even funny, not to mention accessing the file system of any machine that is on that unsecured wireless.

"Free" internet comes at a price. :ignore:

Understood. Unfortunately nothing I was doing was "important". But the hassle it created has been frustrating never-the-less.

I have regained control of my TripAdvisor account thanks to their tech folks . . . and I believe everything has been restored back to pre-hack status.