Safety: 7 Practices for Securing Customer-Facing WiFi

So your boss has decided it’s time to hang a “Free WiFi” sign on the door—and it’s your job to make it happen. It might seem like a deceptively simple task. If you invest in a business-class router, and negotiate a contract with your Internet service provider (ISP) for adequate bandwidth, what could go wrong?

As it turns out, from an IT security perspective, quite a lot.

The problems can begin right at setup. The default settings of WiFi routers aren’t secure. Unless you enable encryption on your own network, anyone in the vicinity can get onto it. At best, they will just use the free wireless Internet for browsing and downloading. But even this innocent use of your WiFi can pose a problem, as it can eat up bandwidth and slow down your ability to connect to websites and applications. Worse, people with bad intentions could access your PCs and files, capturing your passwords or hijacking any accounts that don’t use SSL encryption. These include popular Web email clients, Facebook, and Twitter.

And unfortunately, even protecting your WiFi network with WiFi Protected Access (WPA) encryption—a former standard, and one still in widespread use today—doesn’t do much to keep out people intent on breaking into your network. WPA was broken several years ago. (There are even automated programs available from Internet sites that boast they can “hack any WiFi network.”)

This isn’t just about you—it’s about protecting your customers, too. The 2013 Identity Fraud Report found that the number of identity fraud victims shot up to 12.6 million consumers in 2013—that’s one out of every 20 U.S. consumers. Cybercriminals are busily “sniffing” for sensitive data over unsecured WiFi connections.

It can get even more complicated depending on which ISP you have. Some big ISPs are turning customers’ cable modems into public WiFi hotspots accessible to anyone with an account login from that ISP. They’re not asking permission. So if you see a hotspot appear in range of your devices labeled “xfinitywifi” or “attwifi,” it might well be originating from your own cable modem.

This is raising hackles as well as security concerns among customers. You need to evaluate carefully whether you are comfortable being a node on a public network rather than simply an endpoint on your own. You will be, unless you opt out, so it’s important that you think about it, make an informed decision, and, if necessary, take action to inform your carrier of your decision.

Here are seven tips on how to extend WiFi to customers while keeping yourself—and them—secure:

Tip No. 1: Use Enterprise WPA2 encryption—IEEE 802.11i, also known as WPA2, uses IEEE 802.1x for mutual authentication between the client and the network and Advanced Encryption Standard (AES) for data encryption. WPA2 is the stronger big brother of WPA, and provides the best WiFi protection to date. But to confuse matters, you can deploy WPA2 in either Personal or Enterprise mode. Most wireless routers support both modes. Although the Personal mode is easier to set up, it has recently been cracked. However, to deploy WPA2 Enterprise mode, you need a RADIUS server, which requires time and expertise to set up. Another option is to use a hosted service that deploys WPA2 in Enterprise mode. And always create a long and strong passphrase when setting up the encryption, using no words or phrases that might be in a dictionary.

Tip No. 2: Create a separate private WiFi network just for guests—You might be tempted, because it’s much easier, to simply allow your customers to log onto the WiFi network your employees use. Don’t do it. Once on your internal network, cyber criminals can easily hack into supposedly protected files or applications, and steal data from your company.
To protect your business, create a separate private wireless network—most business-class routers will let you do this—and encrypt it, just as you encrypted your internal WiFi network. If your router has already been configured to send out a second, public signal by your ISP, theoretically, this shouldn’t interfere with your ability to set up a guest network yourself. However, the jury appears to be out regarding whether it could adversely impact your available bandwidth. Again, consider opting out if you are at all concerned about this.

Tip No. 3: Create a “captive portal” for guests—You don’t want to make it too difficult for your customers to get onto your network. But you should have what’s called a “captive portal,” which requires Internet users to agree to terms of service before proceeding to the Internet. Although the captive portal’s primary purpose is authenticating users, it offers other benefits. You can create a landing page tailored to your business, assign access codes that collect information about users, and put into place traffic controls to limit bandwidth.

Tip No. 4: Be aware of other hotspots that appear in the vicinity—“Evil Twin” and “Ad Hoc” hotspots can try to mimic yours to trick your customers into logging onto them. Once a customer’s device connects to an Evil Twin, the attacker behind it can launch a “man in the middle” attack that can be devastating to an individual or a business.

Again, your ISP might be complicating matters by using your router to create a public hotspot for your area. Although, theoretically, this gives your customers more WiFi choices, it also increases the opportunity for cybercriminals to confuse users with rogue networks. If this makes you at all uncomfortable, you should opt out of your carrier being able to use your router as a public hotspot. Again, if you don’t take any action, your carrier will make you part of its plan to build a national network of public hotspots.
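The defensive side of Tip No. 4 is noticing a twin before your customers do. The script below is an added example, not code from the article: it parses the output format of the Linux `iw dev <iface> scan` command (the scan text here is a constructed sample, not a real capture) and flags any BSS that advertises one of your own SSIDs from a BSSID you don’t operate, any such twin that is running open with no WPA/RSN security, and any look-alike SSID that contains your network name once punctuation and case are stripped. The SSIDs, BSSIDs and the “authorized” mapping are all assumed values for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `iw dev wlan0 scan` output (not a real
# capture; whitespace simplified). Two legitimate APs, then three neighbours.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    SSID: Shop-Guest
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:56(on wlan0)
    freq: 2437
    signal: -40.00 dBm
    SSID: Shop-Staff
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS aa:bb:cc:dd:ee:01(on wlan0)
    freq: 2462
    signal: -55.00 dBm
    SSID: Shop-Guest
BSS aa:bb:cc:dd:ee:02(on wlan0)
    freq: 2412
    signal: -60.00 dBm
    SSID: Shop Guest Free
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS aa:bb:cc:dd:ee:03(on wlan0)
    freq: 2412
    signal: -70.00 dBm
    SSID: xfinitywifi
"""

# Assumed: the SSIDs we run and the BSSIDs of the radios we actually own.
AUTHORIZED = {
    "Shop-Guest": {"00:11:22:33:44:55"},
    "Shop-Staff": {"00:11:22:33:44:56"},
}

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal: float = 0.0
    encrypted: bool = False  # True when an RSN (WPA2) or WPA element is present


def parse_iw_scan(text):
    """Turn `iw ... scan` text into a list of Bss records."""
    bsses, cur = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = Bss(bssid=m.group(1).lower())
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[len("SSID:"):].strip()
        elif s.startswith("freq:"):
            cur.freq = int(s.split(":", 1)[1].strip())
        elif s.startswith("signal:"):
            cur.signal = float(s.split(":", 1)[1].split()[0])
        elif s.startswith("RSN:") or s.startswith("WPA:"):
            cur.encrypted = True
    return bsses


def normalize(ssid):
    """Lower-case and drop punctuation so 'Shop Guest' ~ 'Shop-Guest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(bsses, authorized):
    """Return (kind, bssid, ssid) for every BSS that impersonates us."""
    findings = []
    ours = {normalize(s) for s in authorized}
    for b in bsses:
        if b.ssid in authorized:
            if b.bssid not in authorized[b.ssid]:
                kind = "evil-twin" if b.encrypted else "evil-twin-open"
                findings.append((kind, b.bssid, b.ssid))
            continue
        n = normalize(b.ssid)
        # Ignore very short names to avoid matching unrelated networks.
        if any(len(o) >= 5 and o in n for o in ours):
            findings.append(("look-alike", b.bssid, b.ssid))
    return findings


if __name__ == "__main__":
    for kind, bssid, ssid in find_rogue_aps(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f"{kind:14} {bssid}  SSID={ssid!r}")
```

In a real deployment you would feed it the live scan output on a schedule and alert on any new finding; the legitimate `xfinitywifi`-style carrier hotspot in the sample is deliberately left unflagged, since it is neither your SSID nor a look-alike of it.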

Tip No. 5: Use MAC authentication for your employee network—MAC authentication locks down your employee network even more securely by restricting network access to pre-registered devices only. Yes, setup is a bit of a hassle, as you have to register the MAC address of each permitted wireless card, but it will stop unauthorized devices from accessing your secured network.
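Tips No. 1, 2 and 5 come together in the access-point configuration. The fragment below is an added example written for the open-source `hostapd` daemon, not a configuration from the article or from any particular router vendor: one radio advertises an employee SSID protected by WPA2-Enterprise (IEEE 802.1X against a RADIUS server) with a MAC accept list, and a second, separate guest SSID on its own bridge with a long WPA2 passphrase and client isolation. The interface and bridge names, the RADIUS address (a documentation-range placeholder) and all secrets are assumed values to be replaced; the accept file holds one MAC address per line. The MAC list supplements 802.1X rather than replacing it, since a MAC address is not secret and can be changed on a client.

```ini
# Added example (not from the article): hostapd.conf for one radio, two networks.
# Assumed names: radio wlan0, employee bridge br-staff, guest bridge br-guest.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
country_code=US
ieee80211n=1

# --- Employee network: WPA2-Enterprise (Tip 1) with MAC accept list (Tip 5) ---
ssid=Shop-Staff
bridge=br-staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# Placeholder RADIUS server; the same shared secret must be set on the server.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
# 1 = only MACs listed in the accept file may associate.
macaddr_acl=1
accept_mac_file=/etc/hostapd/staff.accept

# --- Guest network: separate SSID on its own bridge (Tip 2) ---
bss=wlan0_1
ssid=Shop-Guest
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Long random passphrase, no dictionary words (placeholder value).
wpa_passphrase=REPLACE_WITH_20_PLUS_RANDOM_CHARACTERS
# Keep guest clients from reaching each other through the AP.
ap_isolate=1
```

The guest bridge should be routed to the Internet only, with no path into the employee LAN; that firewall rule lives outside hostapd and is what actually makes the two networks “separate.”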

Tip No. 6: Don’t let your customers access illegal or offensive sites—You should always block sites with illegal or objectionable content on both your employee and customer WiFi connections to prevent possibly illegal or dubious situations from arising on your premises.

Tip No. 7: Don’t underestimate your bandwidth needs—Make sure that your equipment (or service provider) allows you to scale as your users demand more bandwidth. After all, nothing is more frustrating than slow WiFi—for either your employees or your customers. Although the ISPs that are piggybacking on customers’ routers to create public hotspots claim that this will not impact customers’ bandwidth, be on the lookout for degradations in service levels—and be prepared to holler at your ISP if you detect any.

By putting the right security measures in place, your business can reap all the benefits of offering WiFi to customers while protecting both your own data and applications and those of customers.