WPA3, a new security protocol, better encrypts hotel, coffee shop communication
Using public Wi-Fi networks may become a whole lot
safer as new security upgrades coming later this year vow to keep your online
The Wi-Fi Alliance, the organization that sets Wi-Fi standards,
announced a new security protocol called WPA3 in January 2018 aimed at
better protecting the vulnerable public Wi-Fi arena. The upcoming privacy
protections will impede people from guessing passwords and better secure both
your online browsing activity and Wi-Fi-connected gadgets.
This is good news for consumers and their payment card
details. “The biggest threat people have to their privacy today is their
security,” said Matt Erickson, executive director of the Digital Privacy
Here’s what you should know about the public Wi-Fi
changes to come and how they should – and should not – impact how you manage your
finances and shop online:
public Wi-Fi vulnerability
WPA3, the successor to the WPA2 technology that currently protects nearly every
phone, computer and router on a Wi-Fi network, has been designed to patch a
security hole in existing Wi-Fi setups. The WPA2 hole, which was revealed
in October 2017, can expose anything typed on an
Internet-connected device, such as passwords, credit card numbers and contact
As mobile shopping continues to increase in popularity
and smartphones are ever-present, the odds of consumers exposing private
information in an unsecured Wi-Fi situation are high. What might seem like a
quick credit card purchase while waiting to pick up takeout food may actually
be a gateway for fraudsters to snag payment information.
“If you go to a coffee shop that has open Wi-Fi, then
it’s completely unencrypted, completely unsecured,” explained Erickson. “So, in
that instance, you have to rely on the services you are using to provide any
kind of security for the traffic you are sending over the internet. Anybody
with an antenna can read what you are typing, and WPA3 is supposed to provide
means to overcome that.”
What will WPA3 do?
While Wi-Fi technology manufacturers have attempted to fix the known security hole
with software updates, WPA3 is more than a patch. It seeks to implement new
features and address areas of the security protocol that haven’t been broached since
WPA2 was introduced more than a decade ago.
There are three key changes WPA3
will bring to Wi-Fi networks and users, says Greg Young, vice president of
cybersecurity for Trend Micro:
1. Better defense against guessing the router admin
password, even if the password chosen is very simple.
2. Stronger and better
3. Better privacy for “open” or public Wi-Fi connections since those will be
“All three changes are counters to the most common
attacks that go after payment card details: grabbing them at a compromised
router, listening in on less protected open networks or beating weak
For consumers who frequent public Wi-Fi hotspots, such
as coffee shops, hotels or libraries, increased privacy on such public networks
will greatly reduce the odds that online traffic – including the passwords and
sensitive details entered on websites – is exposed to anyone keeping tabs on
the Wi-Fi activity.
With WPA3, encryption will be built into the open
network, providing users with a secure and private channel that others can’t
spy on. The change could provide consumers nearly as much privacy as secured Wi-Fi
networks, such as what you have at home or the office, when fully implemented.
Overall, the adoption of WPA3 should give consumers
added peace of mind as they do things such as browse the Internet on their
tablet while out to lunch or working online at hotels.
“According to the developers, it will be more secure
and it will take some of the burden off of consumers,” said Eva Velasquez, president
and CEO of the Identity Theft Resource Center. “Essentially, what they have
told us is ‘Even if you decide to use weak passwords, we might still protect
However, WPA3 defenses are not bulletproof. The added
encryption protections will prevent mass, passive surveillance of public Wi-Fi
activities, but a hacker could still steal data through a direct attack.
“WPA3 as described is an incremental improvement, not
a revolutionary one,” Young said. “Older routers or poorly configured new
ones will still be a big part of the landscape, and Wi-Fi is, of course, only
part of the experience that online shopping and payment involves.”
The new security standards will not arrive overnight. According to the Wi-Fi
Alliance, additional details about WPA3 and how it will be rolled out will be
released later this year.
“First, the standard does need finalization, and that
takes a while,” Erickson said. “The Wi-Fi Alliance is made up of many different
companies, each with their own interests.”
Once the standards are finalized, the security update
will need support from hardware and software manufacturers, which will require another
transitional time period. Then, Wi-Fi hosting businesses and individuals will
need to make sure their networks and equipment are up-to-date.
“WPA3 needs to be designed into new routers and
devices, and then these devices need to be put into place,” Young said. “So,
change will proceed at the speed of manufacturer adoption and router
replacements. This won’t be fast.”
Consumers, don’t let down your guard
While the tech industry works on increasing privacy and security by design, it’s
still the responsibility of consumers to ensure they are protecting themselves and
the information they put in cyberspace.
“It’s great from a cultural standpoint that the
industry is stepping up and fixing a lot of these vulnerabilities for us and
working to make us safe, but this is a shared responsibility,” Velasquez said. “At the end of the day, I don’t want consumers abdicating that responsibility
and going, ‘Well, now I don’t have to worry about those things.’
“This is great,
but I liken it to getting a new insurance policy for your car. You don’t get it
and go, ‘Wow, I’ve got even better coverage and a lower deductible. Now I can
really drive like a maniac.’ You still have personal responsibility to be safe.”
While the adoption of WPA3 should offer added peace of
mind when browsing publicly, continue to follow
traditional advice when it comes to safe Wi-Fi behavior.
For example, encrypt your mobile device and keep it up-to-date to ensure the
strength of security protections,
“Safely doing business over Wi-Fi falls in two
categories: protecting where you do Wi-Fi business and limiting the impact of
a payment information compromise,” Young said. “Doing anything sensitive in an
open Wi-Fi environment remains risky.”
Additionally, always make sure you are using SSL-encrypted
websites for shopping, paying bills or logging into accounts. SSL-encrypted
websites will either note “secure” at the top of the window or show a closed
padlock symbol by the URL bar.
“That’s really the only way to guarantee safety,
because that means there is a completely encrypted tunnel between you and
whoever you are giving your payment card information to,” Erickson said.
“And then on top of that, make sure you are running on secured networks when
you do pay for things online.”
Even after WPA3 is thoroughly implemented, browse
cautiously on public Wi-Fi networks.
“You’re only as secure as their
configuration, and you really can’t know how good it is: Coffee shops and
libraries remain a minefield,” Young said. When in doubt, wait until you are home
to make sensitive internet transactions. “There are ways to limit your exposure,
but it’s a good data point that at hacker conferences no one uses the public
Wi-Fi,” he added.