Listen to me people. Do not use open, public wireless connections to do your banking… especially in a major city’s busy wifi cafe.
While sitting in one of my usual coffee shops, I’ve just witnessed yet another unthinking moron practically begging to be a victim. The cafe isn’t crowded, but it certainly is busy with the usual variety of people – the short stumpy kid in the corner obviously watching YouTube, a handful of bloggers or other writers, one guy playing chess on his laptop (he should instead be down the block with the group of old men that play chess in the park), one girl sketching, a few people reading… and the girl by the window, paying her bills.
Over open, unencrypted wifi.
In a busy coffee shop.
She’s typing and mousing with one hand, and holding both her ComEd bill and credit card high up with the other, elbow resting on the table with her forearm straight up so that her bill and card look more like a giant “please take my money” sign. Flailing her bill and credit card around like that is nothing less than an announcement that she is about to toss some valuable financial info into the air for anyone with even the most rudimentary network monitoring tools to see. Keep shit like that folded up on the table and your credit card in your wallet where it belongs. These are the first clues that you are an easy mark, that you’re being careless and that it won’t be difficult to fuck you over. It’s a giant red flag, an invitation to would-be thieves. Don’t announce what you’re doing, even just with the paper you’re holding – unless you’d be perfectly comfortable with painting it all on the sidewalk of a busy intersection.
Just to see if I’m right, I fired up the packet sniffer on my laptop and in just a few minutes was able to see which MAC address was hers (I just had to look for TCP traffic to/from exeloncorp.com, i.e. ComEd’s site), and then I was seeing everything she was sending. Since the cafe’s wifi isn’t WPA or WEP encrypted and has no shared key or password or security of any kind, it’s as though she were writing everything on a giant billboard and yelling out each key she typed. With just a few more minutes of work, I *could* have spoofed her MAC address to the wifi router, which would let me talk directly to her ComEd account as if I were her, but I’m not going that far.
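To make the point concrete from the other side of the table, here is an added example (not code from the original post) that audits a capture of your *own* traffic the way a sniffer on that cafe wifi would see it: any request on port 80 is readable by every nearby radio, and only the TLS payload on 443 is hidden, while the destination host is still visible. The frame records, the MAC addresses and the field names are constructed for the example; a real run would fill them from a capture of your own interface, which is assumed.

```python
# Added example: self-audit of a (simplified, constructed) packet capture.
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str    # client that sent the frame
    dst_host: str   # destination hostname (from DNS or the Host header)
    dst_port: int
    payload: bytes  # application bytes exactly as they went over the air


# Form fields whose presence in a readable payload means money or logins leak.
SENSITIVE_FIELDS = (b"card", b"password", b"account")


def is_plaintext_http(frame: Frame) -> bool:
    """Port 80 carrying an HTTP request line: readable by any listener."""
    return frame.dst_port == 80 and frame.payload.startswith((b"GET ", b"POST "))


def audit_my_traffic(frames, my_mac, network_encrypted):
    """Return findings for frames sent by my_mac, worst case on an open network."""
    findings = []
    for f in frames:
        if f.src_mac != my_mac:
            continue
        if f.dst_port == 443:
            # TLS: payload unreadable, but dst_host (who you bank with) is not.
            continue
        if is_plaintext_http(f):
            leaked = [k.decode() for k in SENSITIVE_FIELDS if k in f.payload.lower()]
            note = f"plaintext HTTP to {f.dst_host}"
            if leaked:
                note += " carrying fields: " + ", ".join(leaked)
            if not network_encrypted:
                note += " (open wifi: visible to every nearby radio)"
            findings.append(note)
    return findings


# Constructed sample capture: one bill payment over plain HTTP, two TLS sessions.
SAMPLE = [
    Frame("aa:bb:cc:00:00:01", "www.exeloncorp.com", 80,
          b"POST /pay HTTP/1.1\r\nHost: www.exeloncorp.com\r\n\r\ncard=4111&amount=80"),
    Frame("aa:bb:cc:00:00:02", "www.youtube.com", 443, b"\x16\x03\x01\x00"),
    Frame("aa:bb:cc:00:00:01", "www.exeloncorp.com", 443, b"\x16\x03\x01\x00"),
]
```

Run `audit_my_traffic(SAMPLE, "aa:bb:cc:00:00:01", network_encrypted=False)` to see the one finding; the YouTube viewer's client produces none.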
“So what, big deal” you might say. “She’s probably using SSL encryption over her browser,” which is the little https instead of just http in the address bar, “…and that’s secure right?”
No, not really. I won’t go into details of how (because 1, it’s easy enough to find if you’re looking, and 2, this isn’t a crash course on wifi data theft) but cracking https is fairly trivial once you’re intercepting packets, especially when the target is using a junk browser like IE – and she is. Because I’m not that much of an asshole, I only grabbed a few minutes worth of packet data and stopped short of cracking the SSL and getting her plain-text credit card and whatever other personal data she was sending. But most others won’t be so kind, from just charging a few thousand dollars on her card to full-blown identity theft and a decade of hassles trying to clear things up.
It’s awfully easy to be a victim, but it’s really not hard to take a few precautions and protect yourself either. First, never, ever do your banking over a public, open wifi connection, or any wifi connection for that matter. Seriously. Don’t fucking do it. Don’t log in to your online bank or PayPal either. If you really need to check your balance, use your cell phone instead (that has security issues too, but at least it’s not so simple to hijack your data) or an ethernet cable. Check your email, but don’t expect that your account or what you’re reading and sending is secure. Use instant messengers, but don’t even think about having conversations with sensitive information. Don’t expect any more privacy than if you were doing all of this on a giant projector with someone videotaping your keystrokes. Hopefully this little exercise of mine has shown you just how easy it is for someone to make a victim out of you. Don’t help them do it.
Now I think I’ll see what the short stumpy kid is up to online. He’s just pulled out a full-size ergo keyboard (who does that in a coffee shop?) right after a bathroom trip that was way too short for him to have washed his hands. Nasty.