News, Culture & Society

Use wi-fi in a coffee shop? Here’s how the man sat behind you could be emptying your bank account

Wireless internet is a modern marvel that allows us to surf the internet wherever we are. 

But after spending a day out with a hacking expert, The Mail on Sunday’s Toby Walne discovered that public wi-fi is a dangerous place to go online surfing.


Sitting in the foyer of Stansted Airport Novotel – with three smiling receptionists just 30 feet away – it feels a secure place to dig out my laptop.

Threat: Toby Walne thinks he is logging on to the Nero wi-fi but it is a hotspot set up by expert Colin Tankard, left

This is a great vantage point for watching the hustle and bustle of travelling businessmen and holidaymakers – and gives me a chance to catch up with emails. The Novotel home page appears as I search on my settings for wi-fi. 

It cursorily mentions the network is ‘unsecured’ but this means nothing to me – other than it cuts out the hassle of creating a password or tiresomely tapping in my personal details.

One of the passing businessmen politely asks if the neighbouring seat is taken and whether he might use the wall socket to charge his computer. His disarming manner puts me at ease – but it is nothing but a ruse. 

This is cyber security expert Colin Tankard and he is about to share the secrets of how hackers routinely hijack computers and smartphones of innocent people without them even knowing.

Tankard whips out a black box the size of a cigarette packet with two antennae on top. He tells me this is a ‘pineapple’. It resembles no fruit I have ever seen. Although it looks pretty innocuous it has the ability to spy on my every move. 

Toby discovers nowhere is safe from a hacker with this £200 device known as a 'pineapple'

Toby discovers nowhere is safe from a hacker with this £200 device known as a ‘pineapple’

This £200 gadget is designed to imitate the signal of the wi-fi that I wish to join – tricking me into using its internet service rather than the real thing. 

While I use it to check my emails and surf the net it is tracking everything I do – picking up details I tap in, such as passwords and credit card numbers, which can later be used to rob me blind.

In just a few minutes, Tankard has gained access to all the contacts on my computer – a goldmine for future phishing expeditions. This is where crooks send out scam emails to try to trick recipients out of cash.

… and you aren’t even secure in your home 

With my feet up in the living room later in the day I lay back on the sofa with a glass of red wine and a vinyl disc spinning on the record player.

I spoil this relaxing moment by going online – a nasty modern habit few of us can resist. But I feel happy at last to be safe in my own home with a password-protected broadband service.

When clicking on the wi-fi logo on the top bar of my laptop screen I see a padlock next to the name given to my home internet service. Fortunately, my computer automatically remembers my password when I am at home even if I never do. All is well – or so I think.

But the living room where I am sitting is served by a ‘signal booster’ – a plug-in gadget bought years ago to extend my home wi-fi signal to areas where reception is weak. The booster has its own wi-fi symbol but shows no padlock symbol on my computer – and has no password protection – meaning the system is not secure.

Tankard shakes his head in disbelief at my stupidity. ‘How on earth do you sleep at night? With no padlock logo or password prompt at all any Tom, Dick or Harry passing by can use your wi-fi. You have no idea what they are getting up to – they could download illegal material and it will have been done using your equipment.’

With my stern telling off over, Tankard admits even if I had used a secure password on my home wi-fi booster it would still be no match for a serious hacker wielding a ‘pineapple’ device.

He says: ‘Remember, a hacker is not just a spy but he can take over too. If you do any online banking they watch and as soon as you tap in your account details cut your connection. It looks like a glitch on your computer – perhaps the screen momentarily locks or you see a spinning “wait cursor” disc. But meanwhile the fraudster is still on the website – changing direct debit details of regular expenditures, such as utility bills and putting in new bank account payment numbers. This ensures you do not notice anything suspicious when you log back in.

‘The first you know about it is when your bank account has been emptied.’

Just in case there was any doubt left that Big Brother has now arrived – and can steal all my money and personal details – Tankard highlights the other vulnerable wi-fi devices that can be tapped into from outside the home with the right hacking tools.

They include baby monitors that can be eavesdropped on, TVs and smart ‘virtual assistants’, such as Alexa, that record private conversations. Adding passwords is important though not a cast-iron deterrent for the determined hacker – meaning installing special security software at home could be worth the effort for peace of mind. Oh dear. I think it is time to go and lie down in a dark room – with no wi-fi.

Next, Tankard pulls out a silver ‘range extender’ from his pocket that is the size of a box of matches. This £30 device looks harmless enough but is an extra weapon in the hacker’s spy armoury.

Tankard says: ‘Walking past I get a sense of whether you might be a target worth hacking. This booster allows me to then go and hide out at the other end of the hotel – or sit in a car 100 feet away – to crack your computer.’

I am told that hotel chains have become a magnet for hackers, with big names such as InterContinental, Marriott and Hyatt on the radar of criminals. Part of the problem is a desire by hotel groups to make their wi-fi easy to access for the convenience of guests. Tankard informs me that by digging a bit deeper hackers can even use wi-fi spyware to plug into hotel systems to find reservations, room key details and more stored credit card numbers.


On escaping the hotel I take solace with a latte at a coffee shop in my nearby hometown of Bishop’s Stortford, Hertfordshire. Gingerly opening my laptop I am now far more wary of Tankard and his underhand tricks.

I try to log on to the cafe wi-fi. It seems easy to spot as the free internet connection has the cafe’s name ‘NERO’ in capitals.

Yet unbeknown to me this wi-fi has absolutely nothing to do with the coffee chain. It is a fake put there by Tankard who is broadcasting the signal from his pineapple hacking device. The signal on an imposter wi-fi can often be stronger than the authentic public system. Many people – including me – wrongly equate this increased strength as a sign it is the genuine source.

But the coffee shop’s real wi-fi uses ‘The Cloud’ and requires an email address and password. To access this I must first register – providing my name, address, phone number, date of birth and even my mother’s maiden name.

Now Tankard starts to play a popular hacking game called ‘man-in-the-middle’.

He watches me as I go on an online shopping expedition using Amazon – spying as I obliviously tap away on the website in search of a good summer read.

Like any self-respecting hacker he has previously downloaded software on to his computer that alerts him with a pop-up window when a victim – it could be anyone in the coffee shop that mistakenly latches on to his sham wi-fi source – taps into one of hundreds of websites on his hit list. This includes high street banks, popular shopping websites and utility firms from which he hopes to steal details and money.

My laptop shows a bogus Amazon home page – a carbon copy of the real thing – that his computer has automatically sent via his hoax wi-fi.

It enables him to harvest my log-in details and password. Tankard says he can use these at his leisure to go on a shopping spree at my expense arranging for purchases to be sent to another address by later tampering with the delivery settings. 

Tankard says that even if I had used a secure password on my home wi-fi booster it would still be no match for a serious hacker wielding a ‘pineapple’ device

Tankard says that even if I had used a secure password on my home wi-fi booster it would still be no match for a serious hacker wielding a ‘pineapple’ device

The beauty of this hack is that with my log-in and password he does not even need to know my credit card number – as this is already stored on my Amazon account.

Bought items can be posted to a vacant home where they are picked up – leaving victims none the wiser until they get round to checking their bank statement. Having stolen my personal information the page then freezes in front of my eyes.

But I do not worry too much as it just looks like the internet connection has simply dropped out. I log in again – this time to the authentic cafe website – but by now the fraudster has long gone with his ‘loot’.


It’s not just airport hotel and coffee shop wi-fi that is vulnerable. Other public areas that provide free internet, including trains, pubs, restaurants and hospitals also leave you at risk from hackers. To combat the threat of online fraudsters when you are out and about you can protect yourself with something called a ‘virtual private network’ (VPN) that includes anti-virus software.

This allows you to use public wi-fi without a fraudster being able to get into your account. The VPN encrypts what you are looking at on the internet – making it gobbledegook to prying eyes that might try spying on you from another computer. 

Tankard points out that although such software can be purchased for a few pounds a month it can be worth trying a free VPN like those offered by software firms Avira or Sophos.

By trying it for free first you can always later upgrade to a paid-for version with additional features, such as offering security for several devices. Getting the protection installed is straightforward. 

You simply visit the company website and download the version you need – either for a PC or Mac. After initially tapping in a username and password the computer should automatically use the VPN when you join any public wi-fi.