Can you hack it?

By Xie Wenting Source: Global Times Published: 2014-4-20 21:13:01

Most users of Wi-Fi routers are lulled into a false sense of security. Photo: IC

When Evilsay (pseudonym) was asked by a friend to find out the WeChat account of the beautiful woman next door, he could have worked out a plan to casually run into her. Instead, he used his computer smarts to hijack her router.

Afterwards, Evilsay posted online the steps he'd used to decode the woman's Wi-Fi password through the router's security protocol and then steal her user ID. The post got over 2,000 comments, most of them expressing great alarm. Evilsay, whose day job is in Internet security, said that his only intention was to educate the public about the dangers of routers. He warns home users of Wi-Fi to change their router's default admin password to a complicated one and to never divulge it to strangers.

In public places, where free Wi-Fi has become so widespread that most urban residents can't imagine life without it, it's very easy for identity thieves to prey on users who haven't taken security precautions. Network safety experts caution that anybody who uses free public Wi-Fi is putting their private information and their assets at risk of being stolen.

"In a public Wi-Fi environment, it only takes me several minutes to hack into someone's computer or phone," said Roy Li, an experienced hacker.

Echoing his words, a recent post on the popular Tianya forum by a novice hacker said that in public places like Starbucks and McDonald's, it only requires 15 minutes and Wireshark (a network protocol analyzer) to gain access to the usernames and passwords of everybody on the network. With that information, hackers can engage in phishing practices that steal personal and financial information.

"The same thing can be done on office networks," said Li. "The only benefit to an office network is that it has fewer strangers, which makes it comparatively safer."

However, office Wi-Fi safety cannot be guaranteed when the routers themselves are not secured. In 2013, the National Computer Network Emergency Response Technical Team Coordination Center of China released a report showing that lots of popular routers - including D-LINK, Cisco, Linksys and Tenda - have a "back door," referring to a direct control exploit inserted by the software developers. Moreover, it's worth remembering that a company's IT staff has access to everything that users do on their work computers.

To reduce one's risk when using public Wi-Fi, Robert Liu, vice president of product development for Trend Micro's enterprise business unit, told Metropolitan that Internet banking is better accomplished via official apps than through a browser. "This is because most phishing takes place through browsers, while most apps have encryption and link to the official website directly," explained Liu.

"When users are on public Wi-Fi, it's better to open the browser through a VPN (virtual private network). Connections to websites via VPN are encrypted," he said.

Liu told Metropolitan that since 2012, there have been instances of hackers setting up fake Wi-Fi hotspots in public places to lure users in and then harvest data for phishing scams.

"You must install reliable security software to notify you of anything out of the ordinary. It's also important to carefully read the security certificates that pop up on browsers in order to identify the fake ones," said Liu, who added that using 3G is safer than Wi-Fi.

Duan Jibo, a lawyer at Beijing Zhongwen Law Firm, told Metropolitan that it's rare to see lawsuits concerning Wi-Fi security, but that hackers who are found hacking into phones and computers using Wi-Fi may face up to 10 days in prison.

"In serious cases, like invading government computer systems and illegally controlling or stealing information relating to national affairs and defense, hackers may face more than five years of prison time," noted Duan.

Posted in: Metro Beijing
