select all

How to Safely Enjoy All That Free Subway Wi-Fi

The MTA: Same delays, but with better Wi-Fi! Photo: Andrew Burton/Getty Images

The MTA, working with Transit Wireless, has now rolled out free Wi-Fi and cell service to nearly every underground subway station in its system — 277 in total. (Four remaining stations, South Ferry, Prospect Avenue, 53rd Street, and Bay Ridge are either undergoing or are about to undergo renovations; they’ll get Wi-Fi and cell service as well once they reopen.)

It’s been a mammoth undertaking, says Bill Bayne, CEO of Transit Wireless and a daily subway rider (“I mainly take the 4, 5, or 6,” he says). To get service to all stations, Transit Wireless had to do everything from lay 120 miles of fiber cable to design equipment that could withstand the extreme conditions of NYC subways, which (as any commuter can attest) can be freezing cold in winter and sticky, hot hell in summer.

With 5,000 Wi-Fi hotspots and 4,000 cell antennas in place, Bayne estimates they’ll be seeing 800 terabytes of throughput a month through the system by the end of 2017. And you’re free to suck up as much bandwidth as you want — go nuts on Netflix if you want. “We see people in inclement weather who will go down into the stations, hang out, drink coffee, and watch videos,” says Bayne. “It’s pretty incredible.”

But just like when you jump on that Wi-Fi signal at Starbucks, there are things you want to do keep yourself safe. Here are three things to keep in mind while enjoying the MTA’s largesse.

Try to stick with URLs that begin with HTTPS instead of HTTP

Quick rule of thumb: While sending traffic to is relatively secure, is not. “These are need-to-know things when it comes to public Wi-Fi,” says Alex Heid, chief research officer at SecurityScorecard. HTTPS (or Hypertext Transfer Protocol over Secure Socket Layer — quite the catchy name!) encrypts the data sent between users and websites. HTTP sites do not — and it’s trivial to use a “packet sniffer” to capture the unencrypted data sent between users and websites.

So, say someone is sitting on the same open Wi-Fi network as you and they’re using a packet sniffer. If you go to a HTTP site, they can see everything that you’re sending to the website, and everything the website is sending back to you. If you go to a HTTPS site, they can see that you’re sending data — but that data is encrypted, meaning it’ll be gibberish to our hypothetical hacker. (Back in 2010, before Facebook switched over HTTPS, it was comically easy to sit in a coffee shop or library and hijack someone else’s Facebook account.)

While plenty of sites have wised up and now use HTTPS by default, there are still many that don’t. “Major enterprises, a lot of Fortune 500 companies, they’re doing what they need to be doing when it comes to implementing basic HTTPS,” says Heid. “On the flip side, a lot of medium- and small-sized business don’t make use of it properly. It’s a fairly complicated thing.”

So the danger is, if you reuse the same username and password across multiple sites (though you really should just use a password manager), entering your username and password on an unencrypted HTTP site means you’ve potentially exposed yourself to getting hacked.

“The best practice is to understand the sites you’re using and make sure they’re secure sites,” says Transit Wireless’s Bayne. “Whether you’re in a retail outlet, library, park, or subway, be cognizant and cautious about the sites you’re using to protect your own interests.”

And for what it’s worth, it’s still possible to defeat HTTPS. Exploits like Heartbleed, POODLE, Drown — these all broke the “Secure Socket Layer” part of HTTPS. “Encryption is a math problem; people are always solving the math problems,” says Heid. There are also things like “Evil Twin” attacks, ARP spoofing, or an SSL strip, but once you’re in this territory it’s a bit like worrying about being hit by a meteor while also being struck by lightning — it could happen, but it’s unlikely, and you wouldn’t have much control over it regardless. Just keep an eye on that URL.

But really, just use a VPN

But if you want to be 100 percent safe, Heid says there’s a much easier way to avoid all this angst: Use a VPN (virtual private network) service. If you’re super cheap and technically minded, Amazon offers a free VPN you can set up on any Android or iOS device. If you want something with fewer tech headaches, there’s a whole range of VPN services out there, most available for a few dollars a month.

All VPNs will do the same thing: prevent anyone examining the Wi-Fi network you happen from seeing anything except that you’re connecting to the VPN of your choice — and nothing else. None of the data you pass back and forth will be visible except as gibberish. You no longer need to worry about whether you’re on a HTTP or HTTPS site because everything you send and receive is protected.

VPNs won’t protect you against every threat. You can still get phished or hit by other social-engineering attacks (though these types of attack work regardless of the type of Wi-Fi network you’re on). But using a VPN will already put you far ahead of the pack when it comes to being secure while using an open Wi-Fi network. Much like running from a bear, you don’t need to be the fastest — you just need to be harder to catch than someone else.

If you really need to do something sensitive and don’t want to use a VPN, use your data connection

But let’s say you’re stuck at Atlantic Terminal and you really need to log in to a site that doesn’t use HTTPS and you’re not on a VPN. Then your best bet is to avoid Wi-Fi altogether.

“It’s always better to just make use of your data plan,” says Heid. “You’re only trusting your data carrier to your data, instead of to a bunch of random ad hoc third-party data carriers.” Depending on the size of your bill, you may not have the warmest feelings toward your cell-phone company, but one thing they are pretty good at is encrypting the data you send over their networks. Absent a major data breach of your cell-phone carrier’s servers, your information will be safe.

Better safe than sorry

It’s great that the MTA has put in Wi-Fi at so many stations (and, for what it’s worth, Transit Wireless’s Bayne says they’re working on extending that connectivity into the tunnels themselves as well), and most of the time, you should feel fine using them. “With free Wi-Fi browsing, if you’re on a network and you see HTTPS and everything looks as it should — chances are it’s fine,” says Heid. But it doesn’t hurt take these extra precautions while using the MTA’s Wi-Fi network — even if the dangers you face while using that network are different than what you’d face at Starbucks.

“The coffee-shop-style attacks don’t fly on the subway,” says Heid. “Users aren’t there for long periods of time. You have to be moving along with the target to really get it to work.” But Heid does admit the MTA’s Wi-Fi system presents its own unique temptation to hackers — while they may not be able to stay with a target for a long time, simply by sitting still at a busy station like Times Square or Grand Central they’ll have access to thousands of people, heads down, checking their phones while waiting for a train. A hacker’s chances for success may be lower than at a coffee shop — but they’ll have a lot more chances.

How to Safely Enjoy All That Free Subway Wi-Fi