/ Technology

How safe do you feel using free wi-fi hotspots?

Holidays can often mean hunting for free wi-fi hotspots in bars, hotels and restaurants to keep your mobile roaming bill under control. But there’s a sting in the tail with free hotspots – they’re not always very safe…

Free wi-fi is convenient when you’re on holiday, especially if you’re somewhere that your ISP charges you extra for data roaming, or if you can’t get a good enough signal to use your mobile data for getting online.

But there are risks: you could be logging on to a malicious ‘evil twin’ network, for example, or you could be inadvertently letting everyone else using the hotspot see into your laptop.

Or, if you’re outside the EU and thus outside the protections of the Europe-wide General Data Protection Regulation (GDPR), you could have to hand over all kinds of personal data and agree to being sent loads of marketing emails in return for access to the wi-fi.

Free wi-fi in a shopping mall could also mean you’re being tracked closely as you wander in and out of the shops and your online activities logged.

Security experts are unanimous in saying that it’s best if you don’t use free wi-fi hotspots when you’re out and about, whether that’s at home in Britain or abroad.

We’ve got more detailed advice on using wi-fi hotspots safely in the August issue of Which? Computing, but here are some quick tips to help you stay safe while you’re out and about.

Check what you’re connecting to

When you fire up the wi-fi on your phone or laptop, you’ll see a list of available hotspots. Don’t just connect to the first one you see: if you’re in a restaurant or bar, ask them which one is their hotspot and ask them for the password.

If there isn’t a password or the staff aren’t sure which is their hotspot, it’s better not to connect at all.

No password means that anyone nearby can connect to it, whereas a password-protected network does at least limit it to people with the password.

A hotspot without a password could also be an ‘evil twin’ network – one that’s been set up by a hacker to steal your information.

Be careful what you do online

If you must connect to public wi-fi, don’t do any online shopping or banking unless you absolutely have to.

Scammers could intercept your login details while you browse, or hijack the hotspot to send you to a fake landing page designed to steal your passwords.

Look for HTTPS

Make sure any website you’re looking at is encrypted – that means it is exchanging information between your device and the website securely, and that a hacker can’t intercept it.

We’ve got more detail on how that works here on our Helpdesk website.

Consider using a VPN

Security experts recommend using a VPN all the time when you’re away from home. A VPN sets up a secure link via a trusted third-party server that can hide your location and your IP address, and make it look as if you’re connecting from another country.

We think it’s worth paying for a good VPN, as there are trade-offs that could impact your privacy if you use a free VPN. We’ve got some more information about VPNs and how to choose one here.

Do you rely on free wi-fi hotspots, or do you prefer to stick with your mobile data connection? And have you got any tips about how to stay safe when you’re connecting while you’re out and about?


I have become wary about using free WiFi services because of concerns such as those Kate mentions in her introduction. When I’m away from home I use my host’s WiFi or use tethering to my mobile.

If there is no signal to allow me to use mobile broadband then I can live without access to Which? Convo for a day or two. 🙂

Tony says:
3 August 2018

Started using ExpressVPN about 3 years ago after I had my credit card info stolen. Using a VPN has honestly become like second nature to me at this point. I’d def recommend using one.

I would be interested in learning more about the benefits of using a VPN with regard to computer security and any drawbacks. I used FortiClient by Fortinet for years on Macs, mainly to allow me (legitimate) access electronic resources that were intended to be accessible only to users with university IP addresses.

This comment was removed at the request of the user

This comment was removed at the request of the user

Thanks Duncan, but it does not inspire me with much confidence. Thinking just about free WiFi services I think my approach of avoiding using them is the best one for me. Most friends have home WiFi that I can use and tethering works in more locations than it did years ago. I was signed up for a couple of popular free WiFi services but one started sending me junk email so I terminated the account and had no further problem.

I might ask what former colleagues at work use on their Macs.

I agree with wavechange here.

If I can use my existing mobile broadband, then I’ll use that in preference to “free” wifi.

Some smaller hotels to see to offer genuinely free wifi – with no strings attached. If you’re a guest, they already have your personal data – so they have no compelling need to steal more data from you.

The last such hotel I stayed in, during a work visit to Barrow, even gave me free beer after I’d checked. How’s that for service?

If a “free” wifi hotspot requires me to “register”, then I usually don’t bother.

With it being holiday time, I think the Which? article is aimed at overseas travellers, especially those off to countries where they be charged extra for data roaming or where they won’t have the option of mobile broadband. In my terms that would be a bit like going to a cottage in Wales that didn’t have wifi. On other words, when not on the beach, a great time to use real books and maps and physical DVDs instead of ‘tinternet.

I loved the intro W?C’s posted link:

“Many people are familiar with using a VPN to connect to work resources such as your email or documents when you’re away from the office, but what about ordinary people?”

🙂 🙂 🙂 I love unintentional humour.

Yes, that unwitting put-down by a Which? writer was rather revealing, wasn’t it?

Ordinary people get on fine without all that hoo-ha. We don’t need to be constantly connected. “Ordinary” is the superior state in my book.

I think this topic is over-hyped. You’re far more likely to have your mobile phone physically stolen than you are to suffer a security breach through use of a public wifi network. I use wifi everywhere without any concerns.

This comment was removed at the request of the user

I tend to agree NFH. The opening Which? articles read like advertorials for VPNs and for Which? reviews of them.

I still won’t use “free” wifi if I don’t have to, but I have been content to use it in the past, especially when staying in hotels.

I remember when I was still at school being able to go to the local library and look up everyone who lived in my road, find their telephone numbers, check the rateable value and see how much in rates they paid on their house – but that was about it, and those opportunities are now closed to the law-abiding citizen. And the other big difference is that there was not much I could do with the information, and certainly not find out how much they had in the bank. Today we are all extremely exposed and, although I do not subscribe to all the dire warnings, hacking does happen and in the data trawl ordinary people get their personal information sold to fraudsters. I have never used free wi-fi and would not do so unless it was really necessary; it seems to me to be too easy a place for criminals to start – although the pickings might not be worth the effort.

Dire warnings could be counterproductive but this Conversation and maybe an accompanying article in the magazine could help people to realise that there are risks from using free WiFi services. There is now little incentive for me to use free WiFi when my laptop is already registered to access routers belonging to friends and family that I visit and that mobile network coverage has improved and allows me to tether to my own phone. Anything to do with banking is still done at home.

It is easy to see what others pay in council tax since the charge bands are published online, and so is the band for each property, at leasts in England. With the move to mobile phones and ex-directory landlines, phone numbers are less accessible but other residential phone numbers can easily be looked up.

This comment was removed at the request of the user

So what’s your solution, Duncan? Close down the free wi-fi services? If people stop using them that will happen anyway I suppose.

It has been no secret that GCHQ is recruiting people who have experience on the darker side of the web. It’s entirely believable and an obvious place to look for surveillance experts and interceptors and it has been extensively covered in the press.

This comment was removed at the request of the user

Absolutely, Duncan. I sometimes fear the message does not reach many people but perhaps they just don’t want to hear it.

In the scale of hacking sources, where does free wi-fi stand? Direct hacking of people’s accounts appears to be No.1. Insider hacking must be a high scorer. I don’t know enough about this to identify other hacking origins so free wi-fi could be a biggie.

Every new train and many older ones now come with free wi-fi as a government directive. Are travellers being placed in jeopardy by the government in promoting this use for idle brains and hands?

I occasionally used free WiFi until about three years ago. I think it was a combination of reading terms and conditions and receiving a few unwanted emails that put me off, but it’s possible that security concerns was another factor. Perhaps the last time I used free WiFi was on a very long train journey and it was only free for 15 minutes. After that I just used mobile broadband. I now see free WiFi as a small risk and not one I need to take.

Many rejected advice to install antivirus software on their computers years ago, but eventually complied. Sadly some waited until it was too late.

It’s difficult to quantify the risk of using free WiFi because that will depend on what it is being used for and the nature of the service offered.

This comment was removed at the request of the user

I thought it was free on the train, as it is on the buses in my area. This is what puts more people at risk [if there is a serious risk].

I don’t doubt that but I will just continue to use mobile broadband when I can get a signal.

This comment was removed at the request of the user

I would prefer to have a link to British experience on trains if possible, Duncan.

I don’t really know, Duncan. I can see that the convenience of advance technology is going to be offset by security concerns in future. In the days of the transistor radio, pocket calculator and home computer I was an early adopter. Now I am not, for a variety of reasons and security is in there.

This comment was removed at the request of the user

As a matter of interest, what is the source of that information, Duncan?

I don’t have a problem with it and most people have probably realised for some time that the security services have these resources. Those with nothing to hide have nothing to fear, and the notion that the police are going to make a list of everyone protesting about something or other is fanciful in my opinion.

Are you having a problem with your single apostrophe key? It’s being replaced by other symbols. Are you using the same key that has ‘@’ on it but without the shift? I have noticed for some time that you usually use a comma instead of an apostrophe for abbreviations and in the possessive sense.

This comment was removed at the request of the user

But what’s the problem? I suppose if I’m talking to Ivan about smuggling the new codes for the palm-sized fusion reactor he’s selling me then there might be a problem. But otherwise my whereabouts are no secret, and I don’t care if anyone listens into my (comparatively few) ‘phone calls, except before Christmas,when I’m buying pressies.

And frankly, my credit card history says a lot more about me than any mobile ‘phone call possibly could. Should we all give up using them?

Also Ian, if I’m sat behind you, I can look over your shoulder and see exactly what you’re doing on your MacBook. My headcam will record everything you type.

Or I might sit next to you and strike up a conversation, i.e. for some “social engineering”, as they say in espionage circles.

And, never mind the authorities tracking you via IMSI, they’ve also got “public safety” CCTV and face recognition software.

I don’t know why some groups and individuals make out it’s so clandestine and that they’ve opened the lid on something frightful. So long as we have had security services we have had espionage, wire taps, surveillance, tracking, listening devices, and intercepts, The difference today is that we no longer need to have rooms full of spooks sorting it all out, taking it to pieces, and reassembling it in a card index. They can run it through a big computer and correlate it with all the other indices from DWP and HMRC to Ladbroke’s and Coral’s. It’s not what you gather but how you use it that’s important. I don’t think many people are getting the knock in the night despite the consternation.

This comment was removed at the request of the user

“…including the wrong homes due to computer data”

Straight of “Brazil” that one…

And it’s been happening here for as long as I can remember. No need for AI to manage that one…

Yes, Duncan; I am sure things are dreadful in America, but that isn’t the situation here so I am not going to worry about it.

This comment was removed at the request of the user

I don’t suppose anyone thinks you are lying, Duncan. We know how awful things can be in the USA. Did you see the programme on BBC2 with Ed Balls witnessing and reporting on Donald Trump’s America? Luckily, not everything that America does migrates over here. Now that we have stopped idolising all things American its influence has declined considerably. Recently, some of the really bad things have come from Russia. Take out the language, some shared history, and a diminishing amount of shared ancestry, and the USA and the UK don’t have that much in common actually.

Of course, if you wanted to establish the veracity of what you’re saying. Duncan, you don’t need to start “posting actual-real American news items”, simply the links…

This comment was removed at the request of the user

This comment was removed at the request of the user

Thank you for that, Duncan. It’s very interesting. It does not reveal how many hacking attempts on passengers’ data have occurred but the fact that it is possible because of inadequate protection from other channels is worrying; I hope the train operating companies and Network Rail are getting on top of this. Warnings in the carriages about the risks of using on-board Wi-Fi might be a good idea.

What is rather more disturbing to read in that document is that it is technically possible for an external agent to interfere with the digital train control system and the ‘driver to central control’ communications network because they are not sufficiently isolated from other data channels nor adequately protected from interference. Since the UK network still runs on static signalling there is time to get this right but there is a growing amount of automatic route setting, electronic train control, train system monitoring, and track condition surveying carried out by regular service trains that rely on secure radio and other telecoms links so any compromise to the fidelity of the systems must be prevented. Luckily for most safety-critical applications there are three data paths and at least two must be in concordance to execute a command. The digital railway is only a year or so away now and trials are already taking place.

“On no Thomas, you’ve been hacked!”

This comment was removed at the request of the user

Meanwhile back on topic, here is some advice from a commercial source: https://www.kaspersky.co.uk/resource-center/preemptive-safety/public-wifi-risks

Good advice.

Just use the free WiFi and enjoy life