Why do people use unsecure public Wi-Fi? An investigation of behaviour and factors driving decisions

© 2016 Copyright is held by the owner/author(s). Public Wi-Fi networks are now widely available in many countries. Though undoubtedly convenient, such networks have potential security and privacy risks. The aim of this study was to understand if people are aware of those risks, and - if so - why they decide to take them. We set up an experimental free Wi-Fi network at 14 locations in central London, UK, for a period of 150 hours, and people connected most often to use instant messaging, search engines, and social networks, and sensitive data (such as name, date of birth, and sexual orientation) were transmitted. We subsequently investigated people's risk awareness and risk behaviour through semi-structured interviews with 14 participants, and an online scenario-based survey with 102 participants. The majority of participants said they would use public Wi-Fi under circumstances where the risks taken are not consistent with maximising utility. Female participants rated the risks associated with public Wi-Fi use, more highly - and yet more females than males said they would use them to save their data plans. These findings align with insights from behavioural economics, specifically the insight that people can misjudge risky situations and do not make decisions consistent with expected utility theory

The continued risks of unsecured public Wi-Fi and why users keep using it: Evidence from Japan

Many people find public Wi-Fi networks convenient but these networks harbor security and privacy risks. As public knowledge of these risks becoming common, we investigated whether the risks were still at large and what factors influenced users to use the networks — being the first study to draw evidence from Japan. Adapting the methodology from a previous study in the UK, we first set up an experimental open public Wi-Fi network at 11 locations in downtown Nara and captured Internet traffic. From approximately 7.7 million packets captured from 196 unique mobile devices during a 150-hour experiment, we found private photos, emails, documents, and login credentials being transmitted in clear text without encryption — confirming that not only did many applications still fail to encrypt data-inmotion but also did many users continue to use unsecured public Wi-Fi networks. We then used a scenario-based survey to examine factors affecting the users’ decision to use the networks. From 103 participants, we found that the desire to conserve mobile data — a form of resource preservation heuristic — instigated a risk-taking attitude and influenced participants, especially among those usually having a small monthly data plan, to use unsecured public Wi-Fi networks. Female and those having finish highschool only, were also more likely to use the networks

Economic drivers in security decisions in public Wi-Fi context

This thesis investigates economic drivers in security decisions in the context of public Wi-Fi. Four sets of studies took place. The first set examined the risks of public Wi-Fi today. An experimental rogue public Wi-Fi was set up for 150 hours first in London, UK, in 2016, and then in Nara, Japan, in 2017. Sensitive data such as emails and login credentials were found to have been transmitted insecurely. The second set of studies examined decision-making and drivers influencing users to use public Wi-Fi. Participants (106 - UK, 103 - Japan) took part in scenario-based questionnaires. Findings showed that the desire to save mobile data allowance, a form of resource preservation heuristic tendency (RPHT), significantly prompted participants who regularly face mobile data constraints to use public Wi-Fi. The next study examined evidence in the wild. Participants (71 - UK only) were recruited for three months to run My Wi-Fi Choices, an Android app developed to capture factors driving the decisions to use public Wi-Fi. The results emphasised the importance of RPHT in driving users to use public Wi-Fi. Therefore, advising an individual trapped in mobile data RPHT to stop using public Wi-Fi entirely is futile. Alternative security advice is needed. This led to the last set of studies examining user decision to adopt a Virtual Private Network (VPN) app which can help to mitigate public Wi-Fi risks. Discrete choice experiments were run with 243 participants (154 - UK, 94 - Japan) to examine attributes of a VPN app affecting user decision. Various attributes of a VPN app were identified as drivers for the download and installation and the actual use of the app. Combining the knowledge gained from all studies, this thesis proposes a RPHT-decision model explaining the effects of RPHT on security decisions

Development of a Client-Side Evil Twin Attack Detection System for Public Wi-Fi Hotspots based on Design Science Approach

Users and providers benefit considerably from public Wi-Fi hotspots. Users receive wireless Internet access and providers draw new prospective customers. While users are able to enjoy the ease of Wi-Fi Internet hotspot networks in public more conveniently, they are more susceptible to a particular type of fraud and identify theft, referred to as evil twin attack (ETA). Through setting up an ETA, an attacker can intercept sensitive data such as passwords or credit card information by snooping into the communication links. Since the objective of free open (unencrypted) public Wi-Fi hotspots is to provide ease of accessibility and to entice customers, no security mechanisms are in place. The public’s lack of awareness of the security threat posed by free open public Wi-Fi hotspots makes this problem even more heinous. Client-side systems to help wireless users detect and protect themselves from evil twin attacks in public Wi-Fi hotspots are in great need. In this dissertation report, the author explored the problem of the need for client-side detection systems that will allow wireless users to help protect their data from evil twin attacks while using free open public Wi-Fi. The client-side evil twin attack detection system constructed as part of this dissertation linked the gap between the need for wireless security in free open public Wi-Fi hotspots and limitations in existing client-side evil twin attack detection solutions. Based on design science research (DSR) literature, Hevner’s seven guidelines of DSR, Peffer’s design science research methodology (DSRM), Gregor’s IS design theory, and Hossen & Wenyuan’s (2014) study evaluation methodology, the author developed design principles, procedures and specifications to guide the construction, implementation, and evaluation of a prototype client-side evil twin attack detection artifact. The client-side evil twin attack detection system was evaluated in a hotel public Wi-Fi environment. The goal of this research was to develop a more effective, efficient, and practical client-side detection system for wireless users to independently detect and protect themselves from mobile evil twin attacks while using free open public Wi-Fi hotspots. The experimental results showed that client-side evil twin attack detection system can effectively detect and protect users from mobile evil twin AP attacks in public Wi-Fi hotspots in various real-world scenarios despite time delay caused by many factors

Kontextbasierte Sicherheitsmaßnahmen für mobile Geräte in nicht vertrauenswürdigen Netzwerken

[no abstract