Piggybacking (Internet Access) - Preventing Piggybacking

Preventing Piggybacking

Laws cannot physically prevent piggybacking, and it may be practiced with negligible chance of detection.

The owner of any wireless connection has the ability to block access from outsiders by engaging wireless LAN security measures. Not all owners do so, and some security measures are more effective than others. As with physical security, choice is a matter of trade-offs involving the value of what is being protected, the probability of its being taken, and the cost of protection. An operator merely concerned with the possibility of ignorant strangers leeching Internet access may be less willing to pay a high cost in money and convenience than one who is protecting valuable secrets from experienced and studious thieves. More security-conscious network operators may choose from a variety of security measures to limit access to their wireless network, including:

  • Hobbyists, computer professionals and others can apply Wired Equivalent Privacy (WEP) to many access points without cumbersome setup, but it offers little in the way of practical security against similarly studious piggybackers. It is cryptographically very weak, so an access key can easily be cracked. Its use is often discouraged in favor of other more robust security measures, but many users feel that any security is better than none or are unaware of any other. In practice, this may simply mean that nearby non-WEP networks are more accessible targets. WEP is sometimes known to slow down network traffic in the sense that the WEP implementation causes extra packets to be transmitted across the network. Some claim that "Wired Equivalent Privacy" is a misnomer, but it generally fits because wired networks are not particularly secure either.
  • Wi-Fi Protected Access (WPA), as well as WPA2 and EAP, are more secure than WEP. As of May 2013, 44.3 percent of all wireless networks surveyed by WiGLE use WPA or WPA2.
  • MAC address authentication in combination with discretionary DHCP server settings allows a user to set up an "allowed MAC address" list. Under this type of security, the access point will only give an IP address to computers whose MAC address is on the list. Thus, the network administrator would obtain the valid MAC addresses from each of the potential clients in their network. Disadvantages to this method include the additional setup. This method does not prevent eavesdropping on traffic sent over the air (there is no encryption involved). Methods to defeat this type of security include MAC address spoofing, detailed on the MAC address page, whereby network traffic is observed, valid MACs are collected, and then used to obtain DHCP leases. It is also often possible to configure IP for a computer manually, ignoring DHCP, if sufficient information about the network is known (perhaps from observed network traffic).
  • IP security (IPsec) can be used to encrypt traffic between network nodes, reducing or eliminating the amount of plain text information transmitted over the air. This security method addresses privacy concerns of wireless users, as it becomes much more difficult to observe their wireless activity. Difficulty of setting up IPsec is related to the brand of access point being used. Some access points may not offer IPsec at all, while others may require firmware updates before IPsec options are available. Methods to defeat this type of security are computationally intensive to the extent that they are infeasible using readily available hardware, or they rely on social engineering to obtain information (keys, etc.) about the IPsec installation.
  • VPN options such as tunnel-mode IPsec or OpenVPN can be difficult to set up, but often provide the most flexible, extendable security, and as such are recommended for larger networks with many users.
  • Wireless intrusion detection systems can be used to detect the presence of rogue access points which expose a network to security breaches. Such systems are particularly of interest to large organizations with many employees.
  • Flashing third-party firmware such as OpenWrt, Tomato or DD-WRT with support for RADIUS.
  • A honeypot involves setting up a computer on a network just to see who comes along and does something on the open access point.
  • Disabling SSID broadcasts, although this only hides networks superficially. MAC addresses of routers are still broadcast and can be detected using special means.
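
The MAC allowlist item above notes that the list alone does not stop a client presenting a valid MAC address. The following is an added example (not part of the original page) of a defender-side check over DHCP request logs that flags unlisted addresses and allowed addresses that show up under a second client name. The log format, inventory, addresses and hostnames are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: allowed MAC -> hostname recorded at enrollment.
ALLOWED = {
    "3c:22:fb:10:20:30": "laptop-anna",
    "a4:5e:60:aa:bb:cc": "printer-hall",
}

# Constructed log in a made-up format: "<epoch> REQUEST <mac> <hostname>".
SAMPLE_LOG = """\
1000 REQUEST 3c:22:fb:10:20:30 laptop-anna
1060 REQUEST a4:5e:60:aa:bb:cc printer-hall
1120 REQUEST 9e:11:22:33:44:55 android-7f
1500 REQUEST 3C:22:FB:10:20:30 unknown-pc
1560 REQUEST 3c:22:fb:10:20:30 laptop-anna
"""


def audit_dhcp_log(text, allowed=ALLOWED, window=600):
    """Return sorted (kind, mac, detail) findings for a DHCP request log."""
    findings = set()
    seen = defaultdict(list)  # mac -> [(time, hostname), ...]
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "REQUEST" or not parts[0].isdigit():
            continue  # skip malformed lines and other event types
        when, mac, host = int(parts[0]), parts[2].lower(), parts[3]
        if mac not in allowed:
            findings.add(("unlisted", mac, host))  # the allowlist refuses these
            continue
        if host != allowed[mac]:
            findings.add(("hostname-mismatch", mac, host))
        # Two client names behind one allowed MAC within `window` seconds
        # suggests a second device is presenting the same address.
        for earlier, name in seen[mac]:
            if name != host and abs(when - earlier) <= window:
                pair = "/".join(sorted((name, host)))
                findings.add(("concurrent-use", mac, pair))
        seen[mac].append((when, host))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_dhcp_log(SAMPLE_LOG):
        print(*finding)
```

The hostname is supplied by the client, so a matching name does not prove identity, and a client that configures its IP manually never appears in DHCP logs at all. This check complements encryption-based measures such as WPA2 and does not replace them.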
