Hackers haunt hotspots
Passwords, e-mail float unprotected at most wireless access locations
Bill Husted - Staff
Thursday, April 28, 2005

It's hacker heaven here at the Starbucks near North Point Mall in Alpharetta. The names and passwords of patrons roll by on Richard Rushing's computer screen like closing credits for a movie.

Customers using a wireless Internet connection busily type e-mail messages and check Web pages --- unaware that Rushing's laptop computer sees much of what they are doing.

As is true at most public wireless connection points --- or hotspots --- there is not even the most rudimentary security between users' computers and prying eyes. Rushing explains he could repeat the performance at almost any place that offers wireless access.

Fortunately for these Starbucks customers, Rushing isn't a thief. He's chief security officer for AirDefense, a wireless security company based in Alpharetta, and his demonstration is purely for the benefit of a reporter.

But here's the troubling part: Almost anyone can do the same thing if armed with an unhealthy curiosity and free software downloaded from the Internet. They can see passwords, read your e-mail and determine what Web sites you visit while using a hotspot.

Hotspots are growing in popularity along with the proliferation of wireless computers and other devices, and many users may be unaware of the security risks. One Web site that tracks hotspots --- www.jiwire.com --- estimates there are 25,500 in the United States and nearly 850 in Georgia, though numbers are imprecise.

"We're predicting a 100 percent growth of hotspots in 2005," said Kevin McKenzie, chief executive of Jiwire. "Hotels and other location types that naturally cater to the business traveler will be large contributors to this rapid growth."

A hotspot works like a wireless network for home computers, where all computers in a given area can share an Internet connection. The difference is that strangers share hotspot connections, making them wide open to eavesdroppers.

"Using an open public hotspot would be analogous to leaving your front door open, all your file cabinets open and your bank accounts sitting on your dining room table," said Chris Rouland, a security expert at Internet Security Systems in Atlanta.

"All it takes is the software," said Ron Hutchins, head of academic and research technologies for Georgia Tech's Office of Information Technology. "All they have to know is how to push 'go.' "

How worried should computer users be? That's hard to say, as data on the frequency of hacking is anecdotal. Rouland said he detects about two break-in attempts an hour when he uses a wireless computer in metro Atlanta hotspots.

Experts say most hotspot hacking involves casual snooping by people who do it for the technical challenge and perverse pleasure of reading strangers' e-mails.

Professional thieves

But the dangers can go beyond snooping. Rushing said professional data thieves may haunt hotspots at places that attract executives, such as expensive hotels and airport frequent-flier lounges. Hotspot attacks in those places are often attempts to steal business data for resale to competitors. Hackers can also steal credit card numbers or other personal information, experts warn.

There's also what security experts call "the evil twin."

A hacker picks a promising hotspot and uses a laptop to set up a second hotspot that imitates the real one. If the signal is stronger from that second hotspot, "the evil twin," users mistakenly connect to it, opening their computers to the hacker.

Said Rouland: "There aren't many effective ways today to defend against that."

Hotspot user Ed Lorek of Marietta understands the risks --- and has taken precautions.

Lorek, vice president of a local technology company, travels frequently and often uses hotspots to connect to the Internet.

"The onus is on me to protect my data," he said. So Lorek uses what is called a virtual private network when he logs on from a public hotspot. The software encrypts the data sent back to work and protects him from snoopers.

Almost no public hotspots in Atlanta use even basic encryption, even though wireless computers are capable of using WEP, wireless encryption protocol, which scrambles transmitted data. Users type in a WEP key --- which works like a password --- to enable the security.

It's not foolproof, as there are free tools to intercept even scrambled transmissions. But it is secure enough to stop casual snoopers and many would-be hackers.

Some hotspots avoid adding WEP protection because it would add complexity for users, and require more work and expense for the business offering the service. Many users would need assistance to enable WEP on their computers.

For a hotspot offering free service, that's a headache.

"It's just too difficult for the user experience if people have to enter a WEP key," said Richard Tanksley, head of business development for Atlanta-based Third Wave, which has created free hotspots for about 57 locations in Atlanta, including Lenox Square mall.

"It's not going to be a benefit for the coffee shop if every 20 minutes they have to show someone how to do it," he said. "It's free, so people complain less."

Even so, two days after talking to a reporter about hotspots, Tanksley called to say that Third Wave would post security tips and warnings at all the Atlanta sites it maintains.

While WEP doesn't guarantee safety, "there is absolutely less risk with WEP," said Georgia Tech's Hutchins. "Everything you do lowers your risk. It's like buying a padlock. It might not stop everyone, but it makes it more difficult. The more padlocks, the lower the risk."

It's not just naive computer users who fall victim to hotspot hacking.

Hutchins recently attended a seminar for security experts. During one speech, many participants listened with half an ear while logging on to a wireless connection to catch up with e-mail.

"When it was over, someone stood up and said, 'OK folks, I have 67 passwords that I've just snooped off the network,' " Hutchins said. "All these were people that I knew, professionals, and they were sending their passwords right over the air."

HOW HOTSPOTS WORK
Hotspots allow multiple computers to share a single connection to the Internet. Wireless-equipped computers and other devices receive signals from a base station via antennas or software. Hotspots usually have a range of a few hundred feet.

HOW TO THWART HACKERS
> Use a software firewall in your computer.
> Use Web sites that scramble data. If you see an icon that looks like a lock at the bottom of your screen, the Web site is secure. You can also check the address: Instead of the familiar "http," you should see "https."
> When checking e-mail, use secure Web sites that most Net providers offer.
> Install a program with pop-up alerts if someone tries to invade your computer. A free program called AirDefense Personal can be downloaded at www.airdefense.net/products/adpersonal/
> Be wary when using hotspots in places where business executives congregate. Data thieves target such areas.
> Disable file sharing on your computer. If you don't know how, open the Windows help section and type in "file sharing."
> Use a virtual private network, called a VPN. Some businesses give employees a way to use a VPN to communicate with work.
> Consider storing sensitive information on removable storage such as a key-fob-sized storage unit that plugs into a USB port. That way you can simply remove the storage unit when connected to a hotspot.






© 2005 The Atlanta Journal-Constitution