Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@. Skimlinks & other affiliated links are turned on

Search
  • FIRST POST
    • silvercar
    • By silvercar 28th Nov 17, 9:32 AM
    • 36,183Posts
    • 152,906Thanks
    silvercar
    downloading emails on phone on public wifi. Safe?
    • #1
    • 28th Nov 17, 9:32 AM
    downloading emails on phone on public wifi. Safe? 28th Nov 17 at 9:32 AM
    If I'm abroad and in a hotel/ cafe with passworded wifi and access the wifi on my iPhone, my email accounts update automatically and new emails download from the passwords already saved on the phone.

    How easy is it for a fraudster to access the email passwords?

    Part 2 is that there is an email from the credit card company whose CC I then use to pay the bill in the hotel/ cafe. Enabling a fraudster to link credit card name and number with email address.
Page 1
    • AndyPix
    • By AndyPix 28th Nov 17, 12:22 PM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    • #2
    • 28th Nov 17, 12:22 PM
    • #2
    • 28th Nov 17, 12:22 PM
    How easy is it for a fraudster to access the email passwords?.
    Originally posted by silvercar

    Almost impossible - certainly not something you need to worry about


    Part 2 is that there is an email from the credit card company whose CC I then use to pay the bill in the hotel/ cafe. Enabling a fraudster to link credit card name and number with email address.
    Originally posted by silvercar

    Dont worry
    Running with scissors since 1978
    • silvercar
    • By silvercar 28th Nov 17, 1:28 PM
    • 36,183 Posts
    • 152,906 Thanks
    silvercar
    • #3
    • 28th Nov 17, 1:28 PM
    • #3
    • 28th Nov 17, 1:28 PM
    I should say that this is what actually happened. Someone gained access somehow to my email account and then somehow managed to get access to a credit card that is linked to that email address! I’m just trying to work out how that happened and the email over WiFi seemed the most likely given that I had been abroad and used hotel WiFi extensively. The card was then used as some sort of verification to open an online store card (UK) and order goods. I’m just trying to work out how it happened.
    • AndyPix
    • By AndyPix 28th Nov 17, 1:40 PM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    • #4
    • 28th Nov 17, 1:40 PM
    • #4
    • 28th Nov 17, 1:40 PM
    How do you know someone got access to your email account ?


    Unless you actually typed in your password (or your phone autofilled in a logon form) for your email account and sent it over the unencrypted wifi then there is no mechanism for it to have happened in this way.


    If the phone is linked to the email account (ie always logged in) then you didnt lose your password via this route.


    The most common way BY FAR for this kind of thing to have happened is that these details got tricked/ socially engineered out of you either by a convincing caller, or much more commonly, a cloned website.


    The rougue wifi could have been set to redirect say the gmail logon page to a copy and then could have hoovered your details. But as you say you didnt type them then this isnt the case here.


    Just to be clear, when you say your phone stays logged into your email account, do you mean that, or do you mean that is saves and sends the password each time you log in ?
    Running with scissors since 1978
    • AndyPix
    • By AndyPix 28th Nov 17, 1:43 PM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    • #5
    • 28th Nov 17, 1:43 PM
    • #5
    • 28th Nov 17, 1:43 PM
    The hotel will have access to your card details, the hotel will have your email address.


    Do you use the same password for your email that you use for anything else ?
    Because if i were going to try to attack you in this way then that is the first thing i would try


    ie i would try to log into your email account using the password you set up for the "free" wifi (which i would be able to see) etc etc
    Running with scissors since 1978
    • spadoosh
    • By spadoosh 28th Nov 17, 1:52 PM
    • 4,659 Posts
    • 6,110 Thanks
    spadoosh
    • #6
    • 28th Nov 17, 1:52 PM
    • #6
    • 28th Nov 17, 1:52 PM
    I should say that this is what actually happened. Someone gained access somehow to my email account and then somehow managed to get access to a credit card that is linked to that email address! Iím just trying to work out how that happened and the email over WiFi seemed the most likely given that I had been abroad and used hotel WiFi extensively. The card was then used as some sort of verification to open an online store card (UK) and order goods. Iím just trying to work out how it happened.
    Originally posted by silvercar
    How do you know the email is involved at all?

    It seems a long winded way of going about it. I doubt your emails display the full card number so what could they have ascertained from your emails?

    Itd be much easier for someone comitting fraud to just clone your card whilst it was being used for a transaction or to simply just copy the card details that are printed on it.

    To access your emails to get your details (which probably wouldnt have enough on their anyway ) through wifi in a hotel in a foreign country to then set up an account based in the UK just doesnt seem like the most plausible explanation.
    Don't be angry!
    • silvercar
    • By silvercar 28th Nov 17, 2:28 PM
    • 36,183 Posts
    • 152,906 Thanks
    silvercar
    • #7
    • 28th Nov 17, 2:28 PM
    • #7
    • 28th Nov 17, 2:28 PM
    My phone downloads my emails automatically ie the password is stored on the phone, I didn’t type it in.

    Email password is totally different to credit card account passwords.

    I know that the email was accessed from a new device and hacked because there was an email to the account sayinga different device had been used to access and the password was changed. Hassle to get back in and change it again.

    I know the credit card online account was hacked because the credit company could see that. They could also see that someone had succeeded in opening a store account and paying with the credit card. Unbelievably once the card was stopped they had tried to gain access again - further emails sent asking for verification codes etc before I spotted that the email account had been compromised.

    All virus checked laptops etc are fine and other email accounts on the same computers are fine.

    Just want to work out how they managed to gain access.
    • AndyPix
    • By AndyPix 28th Nov 17, 3:24 PM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    • #8
    • 28th Nov 17, 3:24 PM
    • #8
    • 28th Nov 17, 3:24 PM
    My phone downloads my emails automatically ie the password is stored on the phone, I didn’t type it in..
    Originally posted by silvercar
    Ok good - then we know your email account was not compromised in this way

    Email password is totally different to credit card account passwords.
    ..
    Originally posted by silvercar
    You misunderstand me


    What i am asking is if your email password is the same as other passwords you use regularly.
    What i am trying to get at, is if you used the same password that you use for your email account anywhere else ?


    For instance, if you were asked to create an account to use the hotel wifi, would you have used the same password that you use for your email account ?


    Or , for example, if you were asked to review the hotel on a website, but first asked to create an account, would you have used the same password that you use for your email ?


    I know that the email was accessed from a new device and hacked because there was an email to the account sayinga different device had been used to access and the password was changed. Hassle to get back in and change it again.

    I know the credit card online account was hacked because the credit company could see that. They could also see that someone had succeeded in opening a store account and paying with the credit card. Unbelievably once the card was stopped they had tried to gain access again - further emails sent asking for verification codes etc before I spotted that the email account had been compromised.

    All virus checked laptops etc are fine and other email accounts on the same computers are fine.

    Just want to work out how they managed to gain access.
    Originally posted by silvercar

    This has probly been brewing for some time and is unlikely to be related to use of unsecured wifi (apart from what i have typed above).
    These things take time to set up and execute and dont happen in one swift move like the news and movies would have you believe.


    They probly had your email address and password for a long time while collecting other information.
    Like i said, this almost always begins with you entering your credentials into a rogue/copy site.


    You wont have even noticed because all it will do when it has pinched your credentials, is display a "wrong password" message, and then forward you to the genuine site, where you proceed to log in correctly and never realise anything dodgy has happened.


    To keep safe in future
    1. dont re-use password for different stuff
    2. Make sure any site where you are typing credentials is genuine (check the address bar)
    3. Dont follow links in emails / dont trust company phone numbers in emails
    4. Dont plug in any USB sticks that you are unsure of the source of
    5. If using public wifi, if you must physically type a password, make sure the prefix of the site is HTTPS
    6. Do regular virus and malware scans


    Moving on, change your passwords using a trusted computer, chalk this up to experience and ensure to follow the points above in future and you will be fine
    Running with scissors since 1978
    • silvercar
    • By silvercar 28th Nov 17, 4:36 PM
    • 36,183 Posts
    • 152,906 Thanks
    silvercar
    • #9
    • 28th Nov 17, 4:36 PM
    • #9
    • 28th Nov 17, 4:36 PM
    What i am asking is if your email password is the same as other passwords you use regularly.
    What i am trying to get at, is if you used the same password that you use for your email account anywhere else ?
    yes. loads of places, but not for the credit card website which has and had a fairly unique password.

    For instance, if you were asked to create an account to use the hotel wifi, would you have used the same password that you use for your email account ?
    That didn't happen, was just given the wifi password or it was my hotel room number and surname.

    You wont have even noticed because all it will do when it has pinched your credentials, is display a "wrong password" message, and then forward you to the genuine site, where you proceed to log in correctly and never realise anything dodgy has happened.
    I see what you mean, though I generally avoid clicking on links, but possible.

    Moving on, change your passwords using a trusted computer, chalk this up to experience and ensure to follow the points above in future and you will be fine
    Thanks.
    • AndyPix
    • By AndyPix 28th Nov 17, 5:27 PM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    yes. loads of places, but not for the credit card website which has and had a fairly unique password. .
    Originally posted by silvercar

    Then this is how it started.


    Treat your email password a ssecurely as your bank password
    As you have learned the hard way, a hacker having access to your email account can lead to financial loss.
    Because they can then "pretend to be you" for all intents and purposes, which is how they have performed this attack.


    Change your email password to one that you do not use anywhere else.
    Remember, you often sign up to stuff using your email address (news websites, coupon sites etc etc etc)
    Now if you use the same password that you use for your email account for this, then you can see that a 3rd party can easily access your email account.


    Although email accounts are generally secure, the same cant be said for all these other sites and their employees.


    Hope all that helps
    Andy
    Running with scissors since 1978
    • were
    • By were 28th Nov 17, 6:41 PM
    • 564 Posts
    • 334 Thanks
    were
    I mentioned in another post that I repaid someone's PC. think the disk had crashed due to mistreatment.

    In recovering the data found the guys have an app that phoned home via email. The text messages were credit cards numbers with all the details and email addresses and captured his keystokes.

    Knowing the owner on a personal level I asked him about them and eventually the grey cells started to work, and by now these were old cards.

    He actually pinned the event to staying at the Heathrow Hilton on one night as that is when the txt file were dated and he remember having internet trouble too.

    Think it was a man in the middle? Also I have to say this was about 10 years ago.

    A vpn would have stopped the software being installed.
    • AndyPix
    • By AndyPix 29th Nov 17, 9:52 AM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    Think it was a man in the middle?.
    Originally posted by were

    Yeah possibly . A rogue AP (or "evil twin" as they are known )


    The user would stiull have had to knowingly click "yes" to install the app though. But could easily be tricked into doing this ..
    Running with scissors since 1978
    • silvercar
    • By silvercar 29th Nov 17, 10:05 AM
    • 36,183 Posts
    • 152,906 Thanks
    silvercar
    OH has now found trojans on his work computer....that he has used to log in to the credit card website.

    So that explains a lot. No doubt he would have used the password that I use for emails for other review sites we both use, even though we were careful to use a different password for the credit card account.
    • AndyPix
    • By AndyPix 29th Nov 17, 10:06 AM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    yep ......
    Running with scissors since 1978
    • Frozen_up_north
    • By Frozen_up_north 30th Nov 17, 8:00 AM
    • 1,296 Posts
    • 613 Thanks
    Frozen_up_north
    Are you using lousy email settings? Like POP3 and SMTP? Providers like Karoo (Kingston Comms in Hull) use plain language email, including the log-on, which offers no security at all. I'm sure Karoo aren't the only email providers who are clueless about security.

    Free WiFi is a known security issue, which is why many of us use a VPN to keep hotel/bar/shopping centre WiFi connections secure.
    • unforeseen
    • By unforeseen 30th Nov 17, 9:41 AM
    • 1,968 Posts
    • 2,478 Thanks
    unforeseen
    Are you using lousy email settings? Like POP3 and SMTP? Providers like Karoo (Kingston Comms in Hull) use plain language email, including the log-on, which offers no security at all. I'm sure Karoo aren't the only email providers who are clueless about security.

    Free WiFi is a known security issue, which is why many of us use a VPN to keep hotel/bar/shopping centre WiFi connections secure.
    Originally posted by Frozen_up_north
    I think you may be jaded by Karoo's poor service.

    POP and SMTP use encryption as standard these days. A quick scout around tends to point to Karoo being in a very small minority (the only one I found) that don't bother with encryption

    You consider SMTP to be 'lousy'. How do you send emails? Even using IMAP outgoing email is sent via SMTP

    Whether you use POP or IMAP, the incoming the servers are normally set up the same for both when it comes to SSL/TLS. Which you use depends on how you want to use it. Each have their merits as each have their downside.
    • AndyPix
    • By AndyPix 30th Nov 17, 9:56 AM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    I think he/she means that they dont use ssl for the web interface.


    So everything is sent in plain text


    Incredibly enough, Yahoo and many others didnt do this either until quite recently
    Running with scissors since 1978
    • unforeseen
    • By unforeseen 30th Nov 17, 10:00 AM
    • 1,968 Posts
    • 2,478 Thanks
    unforeseen
    I think he/she means that they dont use ssl for the web interface.


    So everything is sent in plain text


    Incredibly enough, Yahoo and many others didnt do this either until quite recently
    Originally posted by AndyPix
    I thought email client due to the mention of POP & SMTP, protocols that are immaterial when using webmail.
    • AndyPix
    • By AndyPix 30th Nov 17, 10:06 AM
    • 2,994 Posts
    • 2,072 Thanks
    AndyPix
    Yeah but as we both know, this statement "Are you using lousy email settings? Like POP3 and SMTP?"


    Doesnt really mean anything (no disrespect to poster)..


    So i kind of extrappolated out


    BUT .. Looking at the interface now (logon page at least) , it does offer SSL currently, so i may be confused
    Running with scissors since 1978
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

1,010Posts Today

6,195Users online

Martin's Twitter