Your Network & Connections
Every connection your device makes is a potential interception point. Most people think nothing of connecting to any available network. That habit is what attackers rely on.
The Hotel Lobby
Anita was staying at a business hotel in Bengaluru.
She connected to "Hotel_GrandView_WiFi" in the lobby to check her corporate email before a morning meeting. The network was open, no password required.
She did not know that name had been set by another guest's mobile hotspot. The actual hotel network was "GrandView_Guest" - a name she had not checked.
The hotspot owner was running a man-in-the-middle proxy. Every request Anita's device sent was routed through it. Her corporate email session token was captured. So was her banking app session, which she opened briefly to check a payment.
Three days later, her corporate email began forwarding copies of every email to an external address. It took IT two weeks to identify the source.
The attack took under four minutes in a hotel lobby.
What Is Actually Happening: Network Interception
34%
of public Wi-Fi networks tested in major cities lacked adequate encryption or were configured for traffic interception.
Open networks are unencrypted by design. Anyone on the same network can attempt to read traffic.
Source: Norton Cybersecurity Insights Report, 202484% of Routers Use Weak or Default Passwords
Most home routers ship with default admin credentials that are publicly documented. An attacker nearby who knows your router model can try the default password.
Bluetooth Attacks Require Proximity - Not Much Else
Bluetooth-based attacks work within 10 metres. Leaving Bluetooth on in public makes your device discoverable without any action on your part.
Free VPNs Often Sell the Data They Claim to Protect
Several high-profile free VPN apps were found to log and sell user browsing data. A VPN shifts trust from your ISP to the VPN provider - choose carefully.
HTTPS Encrypts Content - Not Your Identity
HTTPS encrypts data between you and a site. It does not hide which sites you visit, your IP address, or session metadata from network observers.
What to Never Do on Public Wi-Fi
Open networks transmit data unencrypted. Anyone on the same network can attempt to read it.
Never on public Wi-Fi:
- Log into banking, investment, or payment apps.
- Enter card details for any purchase.
- Access work systems or corporate email without a company VPN.
- Access systems containing others' personal data.
Generally fine on public Wi-Fi:
- Reading news or public websites.
- Streaming video or music.
- Looking up directions or public information.
When in doubt, use mobile data. Your carrier connection is encrypted end-to-end and cannot be intercepted by someone in the same coffee shop.
What a VPN Does - and What It Does Not
A VPN encrypts traffic between your device and the VPN server and hides your IP address from the sites you visit.
What a VPN protects:
- Your ISP from seeing which sites you visit.
- Local network observers on public Wi-Fi.
What a VPN does not protect:
- The VPN provider itself can see your traffic.
- Session tokens already captured before connecting.
- Malware already on your device.
- Phishing - a VPN does not verify where a site goes.
Choosing a VPN: Mullvad, ProtonVPN, and Windscribe have independently audited no-log policies. Treat free VPNs with significant scepticism.
Bluetooth and NFC Risks
Both are short-range wireless protocols that should be off when not actively in use.
Bluetooth connects headphones, keyboards, and speakers. In public, it also makes your device discoverable to nearby strangers. Bluejacking and KNOB attacks exploit open Bluetooth connections within 10 metres. Turn it off when not using headphones or a paired device.
NFC (Near Field Communication) enables tap-to-pay and quick device pairing. It operates within a few centimetres, but malicious NFC tags placed on public surfaces can trigger unwanted actions - redirecting your browser, initiating a payment, or installing a configuration profile. Turn NFC off when you are not making payments.
Simple rule: both on when using, both off otherwise.
Safe Browsing Habits
Three habits that meaningfully reduce browsing risk:
Check for HTTPS. Before entering any credentials or payment details, confirm the URL starts with https://. The padlock icon confirms the connection is encrypted. An HTTP site (no 's') transmits data in plain text.
Review browser privacy settings. Most browsers default to accepting all cookies and tracking scripts. In Chrome: Settings > Privacy and security. In Firefox: Settings > Privacy & Security. Switch to "Strict" tracking protection. Clear cookies for sites you no longer use.
Avoid unvetted browser extensions. Extensions run inside your browser with broad access to every page you visit - including banking pages. Remove extensions you no longer use. Before installing one, check the publisher, the permissions it requests, and the number of reviews. A malicious extension with camera or microphone access can capture everything you do in the browser.
Your Home Router
Your router is the gateway for every device in your home. Three things to do:
1. Change the admin password. Log into your router's admin panel (usually 192.168.1.1 in your browser). Change the default admin password to something unique.
2. Set up a guest network. Use a separate "guest" Wi-Fi for visitors and smart home devices. This prevents a compromised IoT device from accessing your main devices.
3. Update the firmware. Routers receive security updates that are not applied automatically. Check your router's admin panel for a firmware update option every 6 months.
Try It: The Public Wi-Fi Test
You are in a coffee shop on free open Wi-Fi. Five tasks to complete. Decide which are safe to do here.
What That Just Showed You
1. The task type determines the risk, not the network quality. Streaming on public Wi-Fi is low risk. Banking on it is high risk. What you do matters more than how fast the network is.
2. A network name proves nothing. Anyone can name a hotspot "Airport_Free_WiFi." Verify network names with a human at the location before connecting for sensitive tasks.
3. Mobile data is the simplest safe alternative. When unsure about a network, use your carrier's data. It cannot be intercepted by someone in the same physical space.
4. VPNs add protection but are not a complete solution. A corporate VPN is appropriate for work systems on public networks. Neither a VPN nor HTTPS fully protect an already-intercepted session.
Three Things Worth Doing
1. Turn Bluetooth off when not in use. Make it a habit: headphones on, Bluetooth on. Headphones away, Bluetooth off. Reduces your discoverable exposure in public.
2. Log into your router admin panel and change the default password. Search for your router model and "default admin password." If it is still the default, change it now.
3. Never do banking or work logins on open Wi-Fi - use mobile data instead. This single rule covers the highest-risk public network scenario.
One Question Before You Continue
Anita connected to 'Hotel_GrandView_WiFi' - which was a rogue hotspot set up by another guest. What was the key failure that enabled the attack?