Friday, May 30, 2014

Fear and Paranoia on the Internet, Chapter XXXIV

Is using a WiFi Hotspot in an Internet Cafe risky?   Not Really.

The media loves to bombard us with scare stories about how all your data and precious collectibles are going to be stolen over the Internet.  Fear sells - news stories, burglar alarms, guns, whatever.   You never make money telling people "Everything is OK, folks!"

Everything is OK, folks!

I was in a cafe today with a friend and noted they had a WiFi hotspot.  My friend said, "Oh, my buddy says never to use these WiFi Hotspots!   You could get your identity stolen!"

Ahhh... Internet folklore!   Like the legends about identity theft if you don't blur our your license plate number on online photos.   Our cargo cult culture at work!

But a funny thing, I have never heard of any case, ever, ever, EVER, of someone having anything stolen from them at an Internet cafe, other than their purse or smart phone.   The idea that people are going to "hack" into your computer and "steal all your passwords" is sort of nonsense.

Think about it.   Yea, I know it is hard thinking.  Put down your stupid smart phone for a minute and think.

Thinking is hard, but it is good for you.

Now think.   If you had my all my online passwords, banking information, retirement accounts, etc., what could you do with that information?  Steal all my money?   How?

For example, you went to an Internet Cafe, and somehow logged onto their router, and you somehow hacked into my computer (if I was dumb enough to list the network as "home" rather than "public") or were somehow able to intercept all those packets of data as I log into Citibank or whatever.

So, now you have my bank information, username, and password.   What do you do?

Well, you can log into the account and see that I have $1425.67 in the account.   But how to steal it?   You could go to "bill pay" and have the system cut a check, with your name and address on it.

Well, there's a problem.   You now have left a paper trail right to your home, quite literally.

Not only that, but the system will e-mail me saying a new payee has been created.  It will then sent a second e-mail saying a payment (check) has been made.  So I call the bank and alert them to the fraud, and freeze the account.

OK, so you go to "account settings" and change the password and change the account e-mail address.   Doing this may lock the account, in terms of online withdrawals, for several days, on many financial computers.  They know when user addresses, e-mails, or other critical data is changed, it may be a prelude to fraud.

It also means that an e-mail will be sent to my old e-mail address, notifying me of these changes - giving me plenty of time, again, to call the bank and freeze the account.

And, if you change these parameters and try to take money out of the account, it may just lock the account anyway, as the bank has an anal-retentive fraud prevention department.

So bill pay is out.  What does that leave?

Well, you could try a bank-to-bank transfer, I suppose.   But again, you'd have to enter your routing number and account number, and your name.   You'd be leaving a paper trail again, so to speak (an electronic trail, I guess).   And the bank would again notify me by e-mail that such a transfer is being attempted.   It takes two days to set up the bank-to-bank transfers, and three days to process the transfer.   The odds of getting caught are pretty high.

And the same is true with other types of accounts.   We are trying to settle a relative's estate, and the executor was chagrined that the folks at Vanguard wanted all sorts of documentation to close the account and cut a check.  I told him, "Well, if it was my account, I would want them to demand proof of who you are, why you are entitled to the money, and the fact that I am dead."

That just seems like simple logic.   And not surprisingly, they wanted to see his driver's license and passport, a copy of the trust document, and a sealed copy of the death certificate.   Even then, it will take weeks for them to process the transaction - and the check cut will go to a physical address with a name associated with it.  You'd be better off just forging a check than trying to go this route.

No matter how you slice it, stealing someone's data through a WiFi hotspot is just not that easy.   Now granted, if you could scour their hard drive and somehow find their social security number and other identifying information, you might be able to open a credit card in their name.  But that rarely happens - and most of the time it does, it is a relative, not a stranger who does this.

Yes, "identity theft" is rampant - particularly now that the Credit Card companies report any kind of credit card fraud as "identity theft."  But real identity theft?  Just not that common - simply because it is pretty hard to do.

Yes, I have had credit and debit card data stolen from me in the past.   From some high-tech hacking?  WiFi monitoring?   Someone going through my garbage for old statements?   Hacking into Target's computer system?   Hell, No.   I ordered some car parts from a company and they printed out, on a piece of paper my name and card number and other information.   The thief then used a high-tech machine known as a "photocopier" to make copies of this data (and that of many others) as he worked in the warehouse, and the company foolishly gave him all this data, just to fulfill the order.   He sold the data to someone who then used it online.   The first time, this cost the bank $1.11 for an attempt to buy at iTunes (to test the card).  The second time (with a debit card) they charged $400 for online ads, which I immediately noticed (being notified online) and had the card shut down, right before they attempted a $1,000 charge (which did not go through).

I should note, however, that in both cases, I was liable for nothing.   The credit card company had to pay the fraudulent charges (or seek refunds) and mail me out new cards.   So even in instances where I was "hacked" (using that high-tech "photocopy machine") I was not even liable for the damages.

So you see, this "identity theft" thing, which is just credit card fraud, is not some high-tech deal.  Your waitress copies down your card information when she takes it to the back of the restaurant, and then sells this data for a vial of crack.   It is not some "hacker" in a darkened basement stealing your data, in most cases.   There are easier ways to steal!

You just don't hear about identity theft from WiFi hotspots, simply because it is just not that prevalent - if it exists at all.  It is really hard to steal anything, even if you have someone's username and password for all their bank accounts.  You'd be wasting your time, loitering at an Internet cafe, trying to steal passwords.

Now, if you had their ATM card account number (and could encode a magnetic card) AND their PIN number, you might be able to clean out a bank account, $600 at a time, at multiple ATM machines.  Wear a hat and dark glasses, though.   

But you ain't gonna get that information over a WiFi connection, and bank websites don't ask for it.

So why are these rumors spread that WiFi is unsafe?

Well, think about it - again.   Thinking is hard.

Who profits from such a rumor?  Think hard.

Just as the Coal industry profits from scare stories about "Fracking" (and makes sure that these stories are spread and that "grass roots" anti-fracking groups are well-funded), the wireless companies make money from scare stories about WiFi.

If you use your laptop, pad device, or even smart phone, at an internet cafe, and use the WiFi to connect to the Internet, make a phone call, or whatever, you are charged nothing for the bandwidth you use.  It is free, and the telco gets no money from this.

In fact, some of my readers report that this is exactly how they use their smart phones and pad devices.  The buy a used "last year's model" and sign up for a "bare bones" plan, and then using WiFi for most of their data and voice requirements - thus sticking it to the wireless company.  For a pad device, you might not even have a wireless plan, but use WiFi for all your data needs.

If you run a wireless company, this is no fun!   You want to charge them $650 for a new phone (amortized over a two-year contract) and have them pay by the Megabyte, or by the minute, or a boatload of money for an "unlimited" or "family" plan.

In other words, you want them to use your network, not some free WiFi at the coffee shop.

What better way to herd the cattle toward your pricey network than to spread (or just allow to fester) rumors that "WiFi is unsafe."

Of course, we all know that communications companies (telcos, wireless, and cable) are the height of propriety and their staff and founders are people whose honesty is above reproach.  So, obviously my analysis here is just paranoia.

Fear sells, all sorts of bad ideas.   And my friend was convinced that it was "safer" to spend $160 a month on a wireless plan, than to use some questionable, free, WiFi network.

I'll bet they pay $29.95 a month for "credit protector" as well!