Beware of fake Wi-Fi hotspots when making contactless payments


Fraudsters are able to target credit card users by setting up fake wireless internet hotspots in public places, a Guardian investigation has found.


Research commissioned by the newspaper confirmed that it is indeed possible to gather passwords and credit card details from smartphone users in this way. During the first test, a mobile Wi-Fi router was set up at London's St Pancras International station and several smartphones attempted to connect to it.

Investigators then set up a fake paid-for Wi-Fi gateway at Waterloo station and found that three people attempted to log on and provide credit card details during the 30-minute test period, even though the usage policy warned that their private information would not be protected.

BT, which operates about 2.5m Wi-Fi hotspots, told the Guardian that the industry had been aware of the flaw "for some years" and that efforts were being made to address it.

Stuart Hyde, head of e-crime prevention at the Association of Chief Police Officers, also confirmed that criminals could use Wi-Fi to ensnare unsuspecting members of the public, many of whose smartphones are set up to automatically connect to Wi-Fi gateways.

"Until there are improvements in security, I would advise people to be very wary indeed when using insecure Wi-Fi in public places," said Mr Hyde to the newspaper. 

The warning comes just weeks after life assistance company CPP published research showing that 54% of second-hand mobile phones contained credit card details, usernames and passwords from a previous owner.

See related: Credit card details found on old mobile phones; Transport for London introduces contactless card payments for Tube, tram and DLR

Published: 26 April 2011