Attacks On E-Tail Sites Over Public Wi-Fi: Just A Click Away
Written by Frank Hayes

How close are we to software that automatically attacks any E-Commerce being done on a nearby public Wi-Fi connection? Apparently, a lot closer than anyone would have thought a month ago. In October, a Seattle hacker released Firesheep, a free tool that lets almost anyone hijack public Wi-Fi Web browsing by people signed into Amazon, Foursquare, Facebook, Twitter and other retail-impacting social sites. In the weeks since, new tools that automate the hijacking have surfaced. The next obvious step: Versions that target E-tailers.
That may seem unlikely. After all, who would want to disrupt customers just trying to buy a book, a pair of shoes or a gadget online? Probably not professional thieves—it’s not easy to steal money through an E-tail site. But among the 700,000-plus people who have downloaded Firesheep, some are likely to have vendettas against certain retailers (and no, not just the Wal-Marts, Targets and Best Buys of the world). The clock may be ticking on how long E-tailers have before they either provide full-session security for all shoppers or risk losing business.
Firesheep, the free Firefox add-on that started this shakeup, wasn’t supposed to be that big a deal. According to Eric Butler, the programmer who wrote Firesheep, he was annoyed that so many social sites used secure connections when users logged on but then reverted to using cookies to track sessions after that. When those cookies are being passed on public Wi-Fi, anyone in the vicinity can capture them and hijack the user’s session. Expert tools to sniff networks and grab those session cookies already exist; Butler just made session hijacking a matter of a few clicks.
Yes, it was a stunt. The purpose was to shame sites like Amazon, Foursquare and Facebook into spending the money to create secure connections for the whole time their users are on their sites.
In that respect, it’s been at least moderately successful. Facebook now says it hopes to provide full-session encryption within months. Twitter says it’s looking into it, too. And on Tuesday (Nov. 9), Microsoft’s Hotmail service began offering full-session encryption as an option. Notably missing from the we’re-getting-more-secure list is Amazon, the only big E-tailer among the sites targeted by Firesheep.
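The weakness the article describes is a site that encrypts the login but then lets the browser send the session cookie over plain HTTP, where anyone on the same Wi-Fi can copy it. The two server-side fixes are the Secure attribute on the session cookie and full-session HTTPS (signalled to browsers with a Strict-Transport-Security header). The following audit script is an added example, not code from the article or from any of the sites it names; it checks a set of response headers for those two things. The cookie-name hints and the sample responses are constructed for the example.

```python
"""Audit HTTP response headers for the session-cookie weakness Firesheep exploited.

Added example, not from the article. It checks two things a site operator
controls: (1) whether session cookies carry the Secure attribute, so the browser
never sends them over plain HTTP, and (2) whether the response carries
Strict-Transport-Security, so browsers stay on HTTPS for the whole session.
"""
from typing import Dict, List, Tuple

# Substrings assumed to mark a session-identifier cookie (hypothetical list).
SESSION_COOKIE_HINTS = ("session", "sess", "sid", "auth", "token")


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it carries a session identifier?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response given as (header-name, value) pairs.

    An empty list means no session-cookie or transport weakness was found.
    """
    findings: List[str] = []
    has_hsts = False
    for header_name, value in headers:
        lowered = header_name.lower()
        if lowered == "strict-transport-security":
            has_hsts = True
        elif lowered == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if not looks_like_session_cookie(cookie):
                continue
            if "secure" not in attrs:
                findings.append(f"{cookie}: missing Secure; browser will send it over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"{cookie}: missing HttpOnly; readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header; browser may fall back to HTTP")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["ok"])
```

Run against the headers of your own site's logged-in pages, the weak sample reports three findings and the hardened one none. The Secure attribute alone stops the cookie leaking over HTTP, but without full-session HTTPS the site simply breaks for those users, which is why the article's subjects are moving to encrypt the whole session rather than only the login.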
November 22nd, 2010 at 6:01 am
Sorry but it's a risk to be using wireless that is not secured properly and does not undergo some sort of modulation of the password scheme.
Then to be in a public area you are at risk of anything happening to your data transmitted over the open air waves.
People willing to spend the time to get your data will.
Same for even being on a land line, it really depends how determined someone is to take your information.
Open thought and information is good to providing a gifted society that respects each other.
Ask the founders.
November 22nd, 2010 at 3:27 pm
Secondly, when I saw this on the news page of my tech sites I immediately downloaded it for safe keeping.
Because yes I want to prove a point to some people that their wireless is junk and that it needs to be disabled or better secured.
I also have Backtrack4 and have used it to prove that the neighbors are unsecured.
November 28th, 2010 at 6:43 am
But isn’t the point of the article that it’s the e-tailers that are potentially going to be targeted by this kind of attack? And they can’t really control what sort of internet connection their customers are using…