It pays to plug leaks in unsecured wireless networks

by  Alan Zisman (c) 2007 First published in Business in Vancouver June 12-18, 2007; issue 920

High Tech Office column; 


Wireless networking (aka WiFi) has become pervasive as the way to connect laptops or multiple computers to the Internet and to one another. It’s spread from universities, cafés and hotels to homes and small businesses. It’s also increasingly used in large enterprise settings, replacing traditional network wiring.

But many people who wouldn’t imagine using a computer without antivirus protection can’t be bothered turning on the security settings of their WiFi router. Partly it’s because the manufacturers leave all the security settings off by default, making it easier for users to plug ’em in and get online. Part of it is because a user trying to turn on the security settings is likely to get overwhelmed with jargon that varies from manufacturer to manufacturer.

But there’s also an attitude of “Why bother? What’s the worst that can happen? Some guy sitting in his car in front of my house using some of my excess Internet bandwidth? How likely is that?”

It just doesn’t seem much of a worry. But it should be.

This past winter, TJX Companies (parent company of Winners, Marshalls, HomeSense and other clothing retailers in the U.S. and Canada) reported the loss of credit card numbers and other customer information from corporate databases.

According to reports in the Wall Street Journal, the data breach began with hackers in a car in the parking lot of a Minnesota Marshalls store. From there, they breached the store’s poorly secured wireless network. Over a period of two years, they were able to download some 45.7 million credit card numbers.

In a recent quarterly financial report, TJX attributed US$12 million in losses for costs for that quarter related to the intrusions. There have been wireless network intrusions reported at U.S. hardware chain Lowes and other large retailers. (In the first U.S. prosecutions for wireless-based attacks, the Lowes hackers received sentences ranging up to nine years.)

Besides investigations of large corporate network hacks, there are increasing reports of prosecutions for stealing bandwidth. In these cases, the “crime” can be something as seemingly harmless as sitting in a car making unauthorized use of someone else’s Internet connection.

In a May report from Michigan, a man who habitually sat in his car parked in front of a café to check his e-mail was charged under that state’s fraudulent access to computers and computer networks law. The felony carries a maximum sentence of five years in prison and a $10,000 fine, though prosecutors are asking for less.

There have been reports of similar charges and convictions in a number of U.S. states, including neighbouring Washington and Alaska, and in London, England. The Alaska case involved a man arrested playing online games while parked outside a public library after hours.

Take the time to familiarize yourself with your wireless router’s security settings and enable the wireless encryption that’s left off by default. Use the more powerful WPA or WPA2 encryption. The older WEP encryption is too weak and may be worse than nothing, because it’s relatively easily hacked but gives users the illusion that they’re protected. German security researchers recently broke WEP encryption in 20 seconds. The St. Paul, Minnesota, Marshall’s store thought its network was safe behind WEP encryption. It wasn’t.