CINCINNATI, Ohio - You check into your hotel room, close the door, and lock it. But the threat isn't from someone prowling the halls of the hotel. It could be the guy staying in the next room.
The thief sets up his own Internet hotspot on a laptop inside a hotel room, the lobby, or even outside on the street. Computers allow you to give your hotspot any SSID label you want, and thieves either mimic the hotel's own name or use a generic label like "Hotel Wi-Fi."
Apolonio Garcia, a security expert with Health Guard IT Security, set up a demonstration for us inside a hotel room.
"If you're in an airport, you can make it an airport hotspot," Garcia said. "If you're in a coffee shop, you can make it the name of the coffee shop. In this case we're in a hotel, so we made it 'Hotel Wi-Fi.'"
Garcia bought a high-gain Wi-Fi USB device for $40 and downloaded a free program from the Internet designed for capturing usernames and passwords.
"As soon as someone accesses that, and starts using the Internet, we're able to see and capture everything they're doing," Garcia said.
We're not giving the bad guys ideas. They're already doing this. There are even "how-to" videos posted online.
Within minutes, Garcia's fake hotspot was up and running in Room 515. His high-gain antenna provided the strongest Wi-Fi signal to lure more potential victims.
In this case, he denied access to all users but the I-Team. We agreed to be the target, connecting into "Hotel Wi-Fi" and visiting an online shopping web page.
Garcia had his laptop connected to the Internet through his smartphone, so we were shown the real login page for the shopping site. An unsuspecting victim would have no idea that they were connected through the thief's laptop.
As soon as I typed my username and password into the shopping page, they showed up immediately on Garcia's laptop.
Thanks to the illicit program, the laptop was "looking for usernames and passwords, for log-ins, and when it sees them it actually logs them for us to use later," Garcia said.
Credit card numbers could be captured the same way, or the login credentials could be used to order products delivered to any location the thief designates.
Garcia moved his laptop to the lobby bar. While everyone assumed he was a businessman working on his laptop, Garcia was running the closest and most powerful hotspot in the middle of the hotel.
A thief could even duplicate the hotel's real login page by simply copying the HTML code the web browser uses to display the page, then making a few minor changes to redirect the victim's credentials to the thief's computer. The hotel guest would have a seamless web experience with the theft occurring invisibly in the background.
To avoid being a victim of a scam like this, always ask the front desk for the name of the hotel's network when checking in.