You've known for a long time now that there's an inherent security risk anytime you go online, and that going online via any free or public wi-fi hotspot is risky even by Internet-security standards, because that free network might be nothing more than bait set out by hackers seeking full access to any device that connects to it.
That's why mobile-device owners are advised to adjust their settings so that the devices do not automatically connect to any compatible hotspot, but require the owners' individual approval each time.
Consider: last summer, Ars Technica tried a little experiment and discovered it was very easy for hackers to set up fraudulent wi-fi hotspots that could pass for genuine Xfinity or AT&T hotspots. Here's why: unless you specifically turn off that feature (or turn off the device itself), your smartphone, tablet or other connectable device is always looking to connect to a familiar network.
Let's say you went to Starbucks once, and used their free wi-fi. Now, any time you go there, your phone will automatically send out a signal, basically saying “Hey, Starbucks wi-fi, remember me? Where are you?” and waiting for the electronic response “Here I am! Starbucks wi-fi, connecting with you.”
But it's pretty easy for anyone to set up a wireless hotspot that can respond under a false name: “Here I am! A hacker up to no good, but I told your phone I'm Starbucks wi-fi so now I'm connecting with you, and can do various harmful things.”
That's why you need to shut off the wi-fi connection on your mobile devices when you're not using them, and set it so that the device must ask before joining a wi-fi network.
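The "remember me?" exchange described above is what a spoofed hotspot exploits: the device volunteers the name of a network it trusts, and anything answering to that name gets the connection. From the defender's side, the useful signal is a remembered network name suddenly appearing with a different access point or a weaker security type than before. The following script is an added example, not code from the article or from Ars Technica or Wandera; the log line layout, the field names and the sample records are constructed for illustration and would need adapting to whatever your Wi-Fi client or wireless IDS actually emits.

```python
"""Flag evil-twin indicators in Wi-Fi association records.

Constructed example: the log format, the field names and all sample
values are assumptions for illustration, not a real product's output.
"""
import re
from dataclasses import dataclass

# Baseline of networks the device has been told to remember.
# SSID -> (set of access point BSSIDs seen before, expected security).
# Constructed sample data.
REMEMBERED = {
    "Starbucks WiFi": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "open"),
    "HomeNet": ({"10:20:30:40:50:60"}, "wpa2-psk"),
}

# Hypothetical client log layout, one association event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) assoc ssid="(?P<ssid>[^"]*)" '
    r"bssid=(?P<bssid>[0-9a-f:]{17}) sec=(?P<sec>[\w-]+) rssi=(?P<rssi>-?\d+)$"
)

# Constructed sample log: two normal joins, then two suspicious ones.
SAMPLE_LOG = """\
2015-06-05T09:01:12Z assoc ssid="Starbucks WiFi" bssid=aa:bb:cc:00:00:01 sec=open rssi=-58
2015-06-05T09:14:40Z assoc ssid="HomeNet" bssid=10:20:30:40:50:60 sec=wpa2-psk rssi=-41
2015-06-05T12:22:03Z assoc ssid="Starbucks WiFi" bssid=de:ad:be:ef:00:01 sec=open rssi=-35
2015-06-05T12:25:17Z assoc ssid="HomeNet" bssid=de:ad:be:ef:00:02 sec=open rssi=-30
"""


@dataclass
class Alert:
    ts: str
    ssid: str
    bssid: str
    severity: str  # "high" or "low"
    reason: str


def parse_log(text):
    """Yield one dict per association line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_evil_twins(text, remembered=REMEMBERED):
    """Compare each association against the remembered-network baseline.

    A remembered SSID showing up with weaker security than before (for
    example a WPA2 network answering as open) is a strong indicator and
    rated high. An unknown BSSID for a remembered open SSID is only a
    weak indicator, because chains like coffee shops legitimately run
    many access points under one name, so it is rated low.
    """
    alerts = []
    for rec in parse_log(text):
        known = remembered.get(rec["ssid"])
        if known is None:
            continue  # not a remembered network, so auto-join is not in play
        known_bssids, expected_sec = known
        if rec["sec"] != expected_sec:
            alerts.append(Alert(
                rec["ts"], rec["ssid"], rec["bssid"], "high",
                f"security changed: expected {expected_sec}, got {rec['sec']}",
            ))
        elif rec["bssid"] not in known_bssids:
            alerts.append(Alert(
                rec["ts"], rec["ssid"], rec["bssid"], "low",
                "remembered SSID served by a never-before-seen access point",
            ))
    return alerts


if __name__ == "__main__":
    for alert in find_evil_twins(SAMPLE_LOG):
        print(f"{alert.ts} [{alert.severity}] {alert.ssid} via {alert.bssid}: {alert.reason}")
```

Running it over the constructed sample produces two alerts: a low-severity one for the Starbucks join from an unfamiliar access point, and a high-severity one for HomeNet, which the device remembers as WPA2 but which is now being offered as an open network. The severity split matters in practice; flagging every new BSSID under a chain's SSID would drown the one signal worth acting on.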
Today, Ars Technica reported the latest example of a security flaw based on such vulnerable wi-fi connections, this one with the potential to spoof Apple Pay and steal users' payment card data.
Security researchers at the mobile security company Wandera discovered and warned Apple about a vulnerability in iOS that would allow hackers to set up a wi-fi hotspot and then, once an iDevice connects to it, present it with a fake “captive portal” page imitating the genuine Apple Pay page and asking users to enter their credit card data.
As Ars said: “The attack could be launched by someone nearby a customer who has just completed or is conducting an Apple Pay transaction so that the user is fooled into believing Apple Pay itself is requesting that credit card data is reentered. An attacker could loiter near a point-of-sale system with an Apple Pay terminal and continuously launch the attack.”
Granted, the fake Apple Pay page isn't a particularly good fake – unlike the real Apple Pay page, the fake is displayed beneath a fairly prominent “Log In” title bar, and furthermore, anyone familiar with Apple Pay should know that the payment card registration screen is not supposed to pop up after a transaction.
Still, as Wandera's CEO Eldar Tuvey pointed out, “In high footfall locations, even a very small ratio of success will yield a large number of valuable credit card numbers.”