Can I blame Pantip Plaza?



bucknaway
October 31st, 2015, 06:01
On my final day in Bangkok, I went to Pantip Plaza with some friends to spec out some copy phones. We spent close to 3 hours there going from counter to counter trying to find a deal we could live with. It was no fun dealing with the sellers there. All the sellers there warned us of other sellers showing a quality phone only to switch it for a bad quality phone once the sale is done. After making a purchase and going through the setup, they did provide a phone that was not what we inspected at the counter, but that is not the problem.

Once we were back in the hotel I noticed a message on my Android Phone (Not the new phone I purchased) telling me that my request to change my Western Union password was approved. Then several transactions were shown to be processed. I opened my credit card app and saw several pending transactions. I downloaded the Western Union app and tried to cancel the Western Union transactions. They don't make it easy and I had to copy and paste the authorization number into a screen and write a message. I asked them to cancel the fraudulent transaction and to remove my credit card from their site. On the next few that I had to notify them to cancel I asked them to also delete my account.

The transactions were canceled and I was no longer able to log onto Western Union so I assumed they canceled my account.... They didn't. When I was at the airport I checked my mail and there was a flood of Western Union pending transactions... I sent off as many fraud notices as I could and soon their webpage seemed to become unresponsive. Now I was sitting on the plane unable to do anything with their webpage. I sent an email to my bank with "Fraud" in the subject line and told them that all the Western Union transactions being processed against my credit card were not initiated by me and were fraudulent.

Western Union only stopped the transactions after $2,000 was collected from someone in Thailand, but not because they feared fraud. They canceled the transactions only because my bank refused to process the pending payments.

Once I got home my bank asked me to come in and sign an incident report and they put the money back in my account. Western Union is unsure as to what their actions will be. One person told me that they will return the money since it was fraudulent transactions. Another person in the Fraud unit told me that they can't return the money that was picked up from the agent. Western Union also told me that I had to report the theft to my local authorities. I laughed and told them that I was in Thailand and the fraudulent transactions took place in Thailand and the money was picked up from an agent in Thailand... I also asked them to suggest which police department I should contact? The county police or the state police? They didn't answer the question.

So do I think Pantip had anything to do with this? I can't say for sure but I will put my phone in airplane mode when I am in Pantip in the future.

cdnmatt
October 31st, 2015, 07:12
Ok, first things first... you actually used a credit card at one of those little kiosks in Thailand? Ummm, yeah... ok, lesson learned, don't do that! :) If you need to put a purchase on your credit card, walk over to the closest ATM, and pull the cash out of your credit card, and pay with that. I hope you don't pay for restaurant meals with a credit card as well. Generally, it's probably not a good idea to hand your credit card to people who make $250/month.

Second, not sure if the US and Canada have caught up to the rest of the world yet, but contact your bank and ask for a proper VISA. Aside from North America, I think pretty near everywhere in the world when you get a new debit / credit card, you get two VISA#s. One that's printed on the card itself, which will only go through if the card is physically present and swiped through the POS terminal. If you try that number for an online purchase where the card isn't present, it will get declined.

Then you have a second VISA# which is nowhere on the card, which you can use for online purchases. This way, if someone steals the number off your card, it doesn't really matter, because that number will only work if the card is physically swiped through the POS machine.

colmx
October 31st, 2015, 08:42
Seems more likely that one of your "gentleman callers" skimmed one of your CC whilst they were in your room and you were indisposed

And they then used those details to set up a fake WU account to siphon off your money...

Regardless - hope you get your money back!
Most I ever got done for was €5000 (2500 limit at 23.59 and then 2500 limit again at 00.01) - thankfully my bank eventually refunded me these amounts after ~5 weeks

October 31st, 2015, 10:03
Why would anyone in their right mind go to Panthip Plaza for phones? Computer hardware yes. Everyone knows that MBK is where to go for mobile phones

latintopxxx
October 31st, 2015, 13:32
buckyboy u really gotta wise up...u knew the place was known for its less than honest traders and yet u still bought a phone there and used your card...really!!!! U epitomise the stereotype american tourist...loud, in sneakers with an expensive watch adorning his wrist and a camera around his neck. Sorry...but u only got yourself to blame.

francois
October 31st, 2015, 14:34
Did Bucky state that he used a credit card for a purchase? I took it that his cell phone was hacked.

cdnmatt
October 31st, 2015, 18:06
Did Bucky state that he used a credit card for a purchase? I took it that his cell phone was hacked.

Highly unlikely, especially considering the Western Union transfers were sent to someone in Thailand. Most likely, someone swiped his credit card number at some point during his trip. Could be a hotel clerk, restaurant waiter, someone at a cell phone kiosk in Pantip, who knows...

When in places like Thailand, use cash. It's kind of a basic rule that everyone should already know.

firecat69
October 31st, 2015, 18:37
I use them sparingly in Thailand but since Chase sends me an email alert within 1 second of the card being used anywhere in the world, I'm not too worried since in 1 minute I can call and block the transaction.

That said mostly only used in Big Chain Hotels although I have used it in MBK with no problems.

bucknaway
October 31st, 2015, 19:04
No one got my credit card number. The person used my email address and sent a change password request to Western Union. Once they changed the password they used the "Send it again" option that is offered. They then somehow managed to get the transaction number needed to pick up the cash as well as change the name of the recipient. Those transactions were applied against the default credit card associated to my online Western Union account. Sorry. I thought I made it clear that this was a cyber theft.

All fraud happened in the cyber world and was not a credit card skimming theft.

bucknaway
October 31st, 2015, 19:09
This is the email I got from Western Union, I never asked for this password change....


Dear,

We've received a request to change the password for your account.

Please click the following link, or copy and paste it into your browser, to reset your password: https://www.westernunion.com/new-password-flow/start.

Your temporary password is EDITED. Please change it right away, and keep it in a safe place.

If you didn't make this request, please contact us immediately, by email at customercare@westernunion.com or by calling 1-877-989-3268.

Thanks for using Western Union.

DON'T REPLY TO THIS EMAIL. IF YOU HAVE QUESTIONS, PLEASE CONTACT US.

This is a customer service email from Western Union Financial Services, Inc. Please don't reply to this email, but instead contact us securely through the "Contact Us" section at http://www.westernunion.com if you need help.

Western Union Financial Service, Inc.
PO Box 6036 Englewood, CO 80112

Privacy Statement

If you believe this may be a fraudulent email, type http://www.westernunion.com/ directly into your browser. Learn more about how to protect yourself from fraud.

©2015 Western Union Financial Services, Inc. All rights reserved. All other logos, trade marks, service marks and trade names referenced in this material are the property of their respective owners

cdnmatt
October 31st, 2015, 20:13
All fraud happened in the cyber world and was not a credit card skimming theft.

In that case, someone managed to swipe your e-mail address + password from your phone while in Thailand. While having a guest in your room, did you have a shower while leaving your phone on the table?

I could be wrong, but would venture a guess it happened within Thailand. Otherwise, if it was a pure cyber attack, those WU funds would have been sent to probably Russia, China, or another Eastern European country, not Thailand. Trust me, Thai hackers have absolutely nothing on Russian hackers -- those guys know what they're doing.

Best suggestion is, either keep your phone in your safe while you have guests over, and/or don't store your e-mail password on it. Enter your password each time you check your e-mail instead.

bucknaway
October 31st, 2015, 20:30
No, I know how it happened. I left my bluetooth on and all they did was spoof a Bluetooth connection that allowed them access to my basic phone information.

There was a recent Android warning that recently came out warning that something like this could happen and I should have known better but I forgot all about taking that precaution of turning off my bluetooth when it wasn't in use.

bucknaway
October 31st, 2015, 20:56
Hindsight is 20/20. I just posted this to warn you all of the potential threat you could face.

No. I didn't leave my phone with anyone.
No. I don't leave my phone unlocked and it requires a fingerprint or a 10 digit passcode to unlock and I lock my phone and tablet in the safe when company sleeps over.

The hacker was able to change my western union password and intercept western union messages.

No, they don't have access to my gmail but it is possible for them to know my email address as I don't keep it secret.

I'll answer any genuine questions but I won't reply to unrelated speculation from this point forward.

Nirish guy
October 31st, 2015, 22:32
That's scary stuff, can I ask is your phone an iPhone? I'm not up on these things so can I ask would that have saved you if it was or made any difference either improved security wise or would it not have helped either way anyway and that's just something Apple would like us all to believe perhaps?

bucknaway
October 31st, 2015, 23:19
I might have a samsung galaxy s6 edge plus. The vulnerability is with the Bluetooth connection that is the same for any phones sold today on the market.

arsenal
October 31st, 2015, 23:35
Thanks for the warning Bucky. The reality is that there is no such thing as a totally secure electronic device that is connected to the internet.

BOY69
November 1st, 2015, 00:08
Bucky
Why do you need a Western Union account at all?
Isn't it more simple to withdraw money from the ATM?

BOY69
November 1st, 2015, 00:15
buckyboy u really gotta wise up...u knew the place was known for its less than honest traders and yet u still bought a phone there and used your card...really!!!! U epitomise the stereotype american tourist...loud, in sneakers with an expensive watch adorning his wrist and a camera around his neck. Sorry...but u only got yourself to blame.

Another nasty comment from latintopxxx.
He really needs help and the sooner the better.

loke
November 1st, 2015, 01:48
It just shows how easy it is to obtain information from your phone or laptop. I am always careful about that and I try to log in manually to my e-mail account every time instead of leaving it open.

November 1st, 2015, 04:09
No, I know how it happened. I left my bluetooth on and all they did was spoof a Bluetooth connection that allowed them access to my basic phone information.
That old phrase "a fool and his money are soon parted" has acquired a new twist. You leave Bluetooth ON by default? Is it part of The Look? :((

Oh dear me =))

The answer to the question is now revealed as "No, I can't blame Pantip Plaza" :-\

Dalewood
November 2nd, 2015, 19:29
Sorry for all your trouble, Bucky. You were looking for a copy phone. What is that?

The only place I used my credit card was at Ganymede. Was that an unnecessary risk?

bucknaway
November 3rd, 2015, 06:35
Sorry for all your trouble, Bucky. You were looking for a copy phone. What is that?

The only place I used my credit card was at Ganymede. Was that an unnecessary risk?

I purchased a fake Samsung Galaxy Note 5. My friends purchased a fake Samsung Galaxy S6 as well as a fake iPhone 6S Plus. We all used cash and never used a credit card.

As far as bluetooth being unsecure...

If you have linked your phone to any car or bluetooth device that lets you talk on the phone, that device can be faked by a computer or another phone to make your phone think it has made a secure connection to that trusted device. Once they have that connection they have access to anything your phone can access. Much like when you link your phone to your car audio system and you can have it access your phone's address book, emails, text messages and anything else you can have Siri or Google access.

It can also plant software if you have a samsung galaxy phone that is loaded with sidelink. If you don't have a samsung phone then they can send a file that you will not know about that allows them access to your phone and all its content that can become visible on the screen.

And for my Fan asking about "The Look".... I wore it again in Bangkok and Pattaya and it never fails to bring me very positive comments by Thai and foreigner alike. Thanks for asking and letting me know that I'm still your windsong.

http://www.youtube.com/watch?v=ihS6GlVpMXo

Smiles
November 3rd, 2015, 08:59
I purchased a fake Samsung Galaxy Note 5.
Please let us know how long it takes for a fake Samsung Galaxy Note5 to self-immolate. [Just interested, how much did you pay for that].
You might well get lucky, who knows about these things.
Buck, do you by any chance use Bitcoins.

bucknaway
November 3rd, 2015, 18:02
I have some bitcoins that were given to me but the value is less than $10. As far as the copy phones go, my friend from the Philippines tells me that his iPhone is no longer working and the copy Samsung Galaxy s6 is on its last legs. The phone I bought is still in the box and I may sell it on Craigslist letting them know that it is a copy.

November 4th, 2015, 00:15
I have some bitcoins that were given to me but the value is less than $10. As far as the copy phones go, my friend from the Philippines tells me that his iPhone is no longer working and the copy Samsung Galaxy s6 is on its last legs. The phone I bought is still in the box and I may sell it on Craigslist letting them know that it is a copy.
You sly dog, Bucky. A "few" bitcoins. The exchange rate today according to Google is 1 Bitcoin = 411 US dollars!!!

bucknaway
November 4th, 2015, 02:34
I just checked, I have $13.21 in bitcoin.

I may use it to buy a drink at dreamboys in bkk.

November 4th, 2015, 04:37
I just checked, I have $13.21 in bitcoin.

I may use it to buy a drink at dreamboys in bkk.
Perhaps jingling your few bitcoins in your pocket is part of The Look?

November 12th, 2015, 11:19
For aficionados of Bluetooth, the extra strength version is coming next year: http://thenextweb.com/insider/2015/11/11/bluetooth-set-for-100-percent-speed-boost-and-better-range-in-2016/

cameroncat
November 13th, 2015, 08:29
Nobody can access your phone using Bluetooth unless you have your Bluetooth on your phone in "Discoverable" mode, which you should only do for the brief time it takes to connect a new device. Any attempt to connect another device to your phone will be displayed on your screen and ask your permission to pair. The only way around this is if someone gained physical access to your phone and installed malware. I do this for a living guys, it's perfectly safe to walk around with bluetooth on. If you buy a "Fake" phone from a shady source, who knows what has been secretly installed on that phone. Buyer beware.

I find it much more likely that somewhere, somehow, someone gained physical access to your phone or spoofed your email address from another computer or from using an insecure WiFi source.

bucknaway
November 13th, 2015, 15:20
You're guessing that I actually used the phone I purchased and I have not. And the bluetooth access is a known weakness. Google it.

bucknaway
November 14th, 2015, 04:49
http://www.techtimes.com/articles/98427/20151024/experts-warn-it-just-takes-10-seconds-to-hack-fitbit-fitness-trackers-heres-fitbits-response.htm

http://www.webroot.com/us/en/business/resources/articles/corporate-security/a-review-of-bluetooth-attacks-and-how-to-secure-mobile-workforce-devices

http://www.computerworld.com/article/2936346/byod/samsung-swiftkey-mitm-itbwcw.html

http://www.digitaltrends.com/mobile/android-stagefright-mms-hack-news/

http://www.forbes.com/sites/thomasbrewster/2015/05/28/hacking-hipster-skateboards-androids-and-macs/

and

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=how%20to%20exploit%20android%20phone%20wirelessly

cameroncat
November 14th, 2015, 08:32
You're guessing that I actually used the phone I purchased and I have not. And the bluetooth access is a known weakness. Google it.


Read your own quoted articles. All of these exploits involve using outdated software on your phone. Keep your phone operating software up to date and you have little to worry about.

bruce_nyc
November 14th, 2015, 22:03
I guarantee that it wasn't from the Bluetooth vulnerability.

My guess: You used a public computer in a hotel lobby or cyber cafe to log in and check your email. Or you used a friend's computer. And that computer had a keylogger virus on it. Thus, your email account was compromised.

Or, you used a free wifi connection somewhere and logged in to Gmail without using SSL ( you used http instead of https ). And your email account was compromised.

Or you used your own computer to log in to your gmail.... and it has a keylogger virus on it.

Whatever you do.... Go to a known "clean" computer and change your email password.... NOW. They very likely still have access to your email account.

bucknaway
November 14th, 2015, 23:45
I guarantee that it wasn't from the Bluetooth vulnerability.

My guess: You used a public computer in a hotel lobby or cyber cafe to log in and check your email. Or you used a friend's computer. And that computer had a keylogger virus on it. Thus, your email account was compromised.

Or, you used a free wifi connection somewhere and logged in to Gmail without using SSL ( you used http instead of https ). And your email account was compromised.

Or you used your own computer to log in to your gmail.... and it has a keylogger virus on it.

Whatever you do.... Go to a known "clean" computer and change your email password.... NOW. They very likely still have access to your email account.

Sounds possible but it has been months since I have had to enter my G-mail password.

The public wifi... Now that is possible. I do know that what is done on public wifi is not private and once you connect to a public wifi spot it is nothing for someone to set up a copy wireless connection with the same name that will allow your phone to connect and once they have access.... Well... anything is possible.

The other security flaw was with the Samsung galaxy phones itself related to the samsung OEM apps, but I can't find that info now. I think I may have heard it on the security now vlog on the twit network or it may have been one of the all about android episodes.

colmx
November 15th, 2015, 08:49
Nice to see that the OP is coming around to the idea that he may have been "hacked" somewhere else other than in Pantip

Like CameronCat, IT security is what I do for my career... and I like to think I am good at it!
Hacking is not like the movies or "24" and there are no computer prodigies in Pantip waiting to hack people's bluetooth connections in real time... Hacking takes time!

The most likely source of the hack is a "man-in-the-middle" attack, probably over a hotel or public wifi

In the MITM attack the wireless router that you are connected to (in a hotel or public wifi) fakes the SSL cert of your destination website...
By doing that it can then obtain your passwords in clear text, but at the same time proxy'ing them on to the real website to make it feel like you are getting a real experience...
Remember that time you told your device to treat the Wifi like a "trusted zone?" == Gotcha!

How do I know this?
Because EVERY employer or Wifi can do the same, as long as they have a WAF (Web Application Firewall) or Proxy in their office (which most corporate employers will have by default these days) which is capable of spoofing the SSL cert, of course the average employee is oblivious to this...
But most employers who are security conscious try to teach their employees to be security conscious... and not even trust their employer....

Tobi
November 15th, 2015, 17:33
The public wifi... Now that is possible.

I've no idea whether this will help you going forward, but I subscribe to HideMyAss https://www.hidemyass.com a virtual private network (VPN) which encrypts your computer, tablet and phone comms. through its servers. It also lets you spoof where you are located. If you keep an eye out during Black Friday - Cyber Monday, they usually offer the annual subscription at half-price, in the past c. $40.

They also have a free service at https://hidemyass.com/proxy which you can use via a web browser.

cdnmatt
November 15th, 2015, 17:46
If it helps anyone, for VPNs I can recommend http://nordvpn.com/ -- they even take Bitcoin bucky, so you can spend your $12 there.

bucknaway
November 15th, 2015, 21:37
If it helps anyone, for VPNs I can recommend http://nordvpn.com/ -- they even take Bitcoin bucky, so you can spend your $12 there.

I now have $13.21 in Bitcoin. I just hired a 24-hour guard to keep them safe I'm going to go out and buy a gun later today. No one will be stealing my Bitcoin !

bruce_nyc
November 17th, 2015, 18:59
Remember that VPNs are only as trustworthy as..... well... as the VPN itself is. The out-point of the connection is readable by the VPN company itself.... so you must choose a VPN company that you really trust.

( If you are ever doing anything where you require anonymity, you will need to use the Tor Browser.... and learn how to use it correctly and safely to stay anonymous. )

goji
November 18th, 2015, 03:23
The most likely source of the hack is a "man-in-the-middle" attack, probably over a hotel or public wifi
In the MITM attack the wireless router that you are connected to (in a hotel or public wifi) fakes the SSL cert of your destination website...
By doing that it can then obtain your passwords in clear text, but at the same time proxy'ing them on to the real website to make it feel like you are getting a real experience...
To fake a destination website sounds like hard work. How common is this ?

November 18th, 2015, 11:50
( If you are ever doing anything where you require anonymity, you will need to use the Tor Browser.... and learn how to use it correctly and safely to stay anonymous. )
If you're serious about using Tor I suggest you create a bootable USB with the Tails (https://tails.boum.org/) operating system on it - it's a Linux distro that boots straight into Tor. Running Tor itself through a browser on your main PC or Mac can open your computer up to backdoor attacks, the most inconvenient of which is ransomware. Using a bootable USB generally makes the rest of your computer invisible to anyone who's trying to look. Tails is the O/S preferred by Edward Snowden (https://en.wikipedia.org/wiki/Edward_Snowden)

cdnmatt
November 18th, 2015, 22:18
To fake a destination website sounds like hard work. How common is this ?

They're not faking the destination. Just grabbing the info that gets sent to the destination site during transfer (hence "man in the middle"). It's definitely possible, but not quite as easy as colmx implies. Well, depends. If you're a snoopy boss, then it's extremely easy. If you're a hacker with no access to the network, then it's a little more difficult, although possible. All depends on the system the company uses, as some are more secure than others.

If you want to be safe, just don't do stupid things like login to online banking from a free public wifi that Starbucks provides. Even with proper wifi setups you want to be careful, but be especially careful with ones provided by coffee shops, hotels, etc.

goji
November 19th, 2015, 04:34
If you want to be safe, just don't do stupid things like login to online banking from a free public wifi that Starbucks provides. Even with proper wifi setups you want to be careful, but be especially careful with ones provided by coffee shops, hotels, etc.

That is great in theory, however when away on a prolonged holiday, the only wifi I have access to is mostly hotels, coffee shops & true hotspots.
On balance, I prefer the hotel due to fewer other people to snoop.

The mobile 3G is a bit slow and limits me to the phone handset.

latintopxxx
November 19th, 2015, 06:10
geez....its a simple technical issue...either is safe or not...with u guys its like I think maybe I could be kinda half pregnant.

cdnmatt
November 19th, 2015, 06:28
geez....its a simple technical issue...either is safe or not...with u guys its like I think maybe I could be kinda half pregnant.

Then fire up a copy of Kali Linux, root a server, and come back and tell us how easy it was.

heh, fuck...

latintopxxx
November 22nd, 2015, 23:39
I'm not embarrassed to admit that I have absolutely no idea what u just posted?!?! But again...like anything technical..either something is safe..or its not. The common view seems to be that public free networks are NOT safe and secure.

goji
November 22nd, 2015, 23:51
If hotel wifi is deemed to be insecure, does anyone have any ideas about how to securely handle on line banking and stock dealing when away from home?

bkkguy
November 23rd, 2015, 19:20
open public wi-fi networks are inherently insecure and if you sit down in a busy shopping center or a hotel lobby and connect to something named "Free Wi-Fi" then I have no sympathy for you though it is far from guaranteed that something nasty will happen to you and your passwords

however (despite all the FUD from the security "experts") a properly set up wi-fi network at a hotel or even a coffee shop may be no more insecure than your connection at home - particularly if you use wi-fi at home and whoever set up that wi-fi is not particularly skilled in network security!

learn more about basic wi-fi security issues then check the details of your hotel's network and assess the potential security risk for yourself and make an informed decision

alternatively 3G/4G networks are still considered reasonably secure so use your mobile phone as a secured personal wi-fi hotspot if the feature is available

bkkguy

goji
November 24th, 2015, 00:42
alternatively 3G/4G networks are still considered reasonably secure so use your mobile phone as a secured personal wi-fi hotspot if the feature is available


Do any of the Thai providers have 3/4G that is adequately fast, at least in Bangkok & Pattaya ?
Over the last 3 trips I've tried AIS, DTAC and True. The connections have all been slow.

However True probably shades it as they had quite a lot of wireless hotspots which at least provide more options for getting a connection. Even if not helping with security.

bruce_nyc
November 24th, 2015, 22:10
I've worked in IT pretty much all my life.... since I was 16. I was Director of IT R&D for a Fortune 400 company. ...just for some background. I study the latest in internet security as a hobby now. Many of my friends are true world class experts.

To give you a simple bottom line:

If you're using a laptop in a hotel or other public wifi, just install and use a free app called Lantern ( https://getlantern.org/ ) and make sure you change the Settings to "Proxy ALL Traffic".

If you're using an Android phone, use a different free app called Psiphon ( https://psiphon.ca/ ).

If you're using online banking, for example, also ALWAYS check that the address bar starts with HTTPS ( not only HTTP ), and that the main .com part of the domain name is correct. ( for example, https://www.bankofamerica.com/mobile/banking.go ).... *before* entering your password.

These simple steps will assure that you can safely use ANY wifi, or any other Internet connection..... and ALL of your data will be encrypted. ( The HTTPS pages will actually be double encrypted. Slight overkill. ) As a side benefit, no sites will be censored or blocked by local governments anywhere you happen to be in the world. Also, these apps will *not* slow down your Internet speed by any noticeable amount.

This is all you need to do to give you an excellent degree of safety and privacy using any wifi anywhere.
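The address-bar check described in the post above (HTTPS, and the right main domain, before a password is typed), written out as an added example; it is not part of the original post or any bank's code. The function name `check_login_url` and the `.example` lookalike hosts are constructed for illustration; the other URLs are ones quoted in this thread.

```python
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Return (ok, reason) for a URL that is about to receive a password.

    expected_domain is the domain the user intends to visit, e.g.
    "bankofamerica.com" (supplied by the caller; an assumption of this example).
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, without userinfo or port
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme != "https":
        return False, "not HTTPS"
    if not host:
        return False, "no host"
    # "https://bank.com@other.example/" really goes to other.example
    if has_userinfo:
        return False, "userinfo before host"
    # Lookalike letters (e.g. Cyrillic "a") and their punycode form
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "non-ASCII or punycode host"

    host = host.rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    # Exact match or a true subdomain; a plain suffix test would accept
    # "evilbankofamerica.com", so the dot is part of the comparison.
    if host == expected or host.endswith("." + expected):
        return True, "ok"
    return False, "domain mismatch"


def audit(urls, expected_domain):
    """Check several URLs against one expected domain."""
    return [(u,) + check_login_url(u, expected_domain) for u in urls]


# Constructed sample input: the first URL is from the post above,
# the rest are made-up lookalikes using reserved .example names.
SAMPLES = [
    "https://www.bankofamerica.com/mobile/banking.go",
    "http://www.bankofamerica.com/mobile/banking.go",
    "https://www.bankofamerica.com.login.example/banking.go",
    "https://www.bankofamerica.com@login.example/banking.go",
    "https://evilbankofamerica.com/",
    "https://www.b\u0430nkofamerica.com/",  # Cyrillic "a" in place of Latin "a"
]

if __name__ == "__main__":
    for url, ok, reason in audit(SAMPLES, "bankofamerica.com"):
        print(("PASS" if ok else "FAIL"), reason, "-", ascii(url))
```

A pass only means the URL names the intended domain over HTTPS; it is the browser's certificate validation that ties that name to the real server, so a certificate warning on a passing URL still means stop.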

bruce_nyc
November 24th, 2015, 22:28
All three mobile carriers in Thailand ( True, AIS, and Dtac ) now have 4G speeds which are usually considerably *faster* than the typical hotel or coffee shop wifi. However there are two catches. ONE. Their coverage areas for 4G are limited. But now most of central Bangkok and Pattaya should be covered. But maybe not in Chiang Mai or elsewhere yet. They will only have 3G.... or even 2G speeds. TWO. Your total amount of data at that fast 4G speed will be limited, depending on your rate plan. For example, I get only 4GB per month (at 4G speed) on my rate plan. All data after that is at a very slow speed. ( I can pay like 100 baht to get 1GB more, if I choose to. ) So, if you're uploading or downloading large files, videos, or streaming videos ( like YouTube ), then you can run out of that fast speed pretty quickly.

Bottom Line: It's usually best to use that free wifi whenever and wherever you're going to be sitting for a while... Ask those bars and restaurants if free wifi is available there.

Another tip: The mobile carriers themselves offer free wifi at a huge number of public areas now. These connections are often blazing fast. They also don't count toward your rate plan's allotted limit. Look for wifi called something like TruemoveH or AISwifi or DtacWiFi.... and ask your carrier shop to show you how to set up automatic login for those hotspots.

@-) ( Just be *sure* to use Lantern if it's a laptop, or Psiphon if it's a smartphone..... before logging on to your online banking ! ) @-)

cdnmatt
November 24th, 2015, 22:52
That doesn't prevent a MITM attack. Even if you are going through a proxy, it's not going to matter if they've hacked the router / network you're using. They'll still be able to capture the data you're sending. All a proxy does is help disguise who you are, so you can do neat things like browse porn sites while in Thailand. :)

For the most part, I wouldn't worry about it too much. As colmx pointed out, it takes quite a bit of time and skill to root most networks. Technically possible, but if it happens to you, you're most likely being specifically targeted for some reason.

bruce_nyc
November 24th, 2015, 23:12
That doesn't prevent a MITM attack. Even if you are going through a proxy, it's not going to matter if they've hacked the router / network you're using. They'll still be able to capture the data you're sending. All a proxy does is help disguise who you are, so you can do neat things like browse porn sites while in Thailand. :)

For the most part, I wouldn't worry about it too much. As colmx pointed out, it takes quite a bit of time and skill to root most networks. Technically possible, but if it happens to you, you're most likely being specifically targeted for some reason.

Sorry. This is flat out not true. It's also mixing topics and not going to help anyone in the real world.

These apps I recommended above are free VPN apps. When using either of them, ALL traffic is encrypted. Nobody will be able to capture the data you're sending. That's nonsense.

MITM is a buzzword term which people use to mean many different things. In the context of normal human members of this forum, it's 100% a non-issue... and totally irrelevant.

On the other hand, if you happen to be an international terrorist arms dealer being tracked and targeted by the CIA and the NSA, then yes. You're right. They could send agents to Boyztown to compromise the wifi router at the Ambiance Hotel.... just to track YOU. But otherwise, just follow my recommendations above..... and you'll be fine. ;)

Oh, and by the way, a VPN does *not* hide who you are. It's the opposite. It only protects the privacy of your data by encrypting it ( as long as you have that Setting set to "Proxy ALL Traffic" ). It gives you PRIVACY of your data, passwords, etc. It does *not* give you complete ANONYMITY online. For that, you need to install the Tor Browser. ( Tails is fine to use, but it's overkill and not for someone who's not very technical. Tor Browser is also fine and effective and much easier to install and use. Anyone can use it easily. https://www.torproject.org/projects/torbrowser.html.en )

cdnmatt
November 24th, 2015, 23:33
Sorry. This is flat out not true.

It's completely true. We're talking about compromising public wifi networks, like at Starbucks and hotels. Even if using a VPN, your data goes like this:

Computer -> router -> VPN -> internet.

If someone hacks the router, it makes zero difference if you're using a VPN or not. A VPN is a good idea, because it hides your IP address in the case that someone wants to target your specific computer, but it makes zero difference if someone has hacked a public / hotel wifi spot.

Again, it's nothing to get too alarmed over. Yes, technically possible, but takes some time and skill to get into any single network. And if someone is going to put the effort in, they're probably targeting you specifically for some reason. Trust me, I deal with hackers on an almost daily basis. That's why I get paid -- to keep my client's servers and operations secure.

bruce_nyc
November 25th, 2015, 00:46
Obtaining physical access to a public wifi router.... because they know you're going to use it.... because they are specifically targeting YOU... and only YOU.... just isn't going to happen to anyone here. And thus, as I said, it's irrelevant and confusing to people.

( If anyone is being *that* specifically targeted, they're going to need a lot more help than this forum could ever provide. )

bruce_nyc
November 25th, 2015, 12:38
By the way, if anyone ever wants to test what *real* internet speed they're getting.... Don't trust those speed test apps to give you an accurate speed test.

Instead, use this web page: http://testmy.net

It's best if you log in and "Change Server" to the San Jose, California server. This will test your speed from wherever you are..... to/from the Silicon Valley area of the US, where most internet services are based. ( Otherwise, they will default to your nearest big city. Testing my speed from my home in Bangkok to servers in Bangkok is completely irrelevant. I almost never use web sites based in Bangkok. My speed to California is what matters in my real world use. )

goji
November 26th, 2015, 03:41
Obtaining physical access to a public wifi router.... because they know you're going to use it.... because they are specifically targeting YOU... and only YOU.... just isn't going to happen to anyone here.

Yes, that is the most likely outcome.
Of course specialists in IT security never make money by understating the security risk.

lego
November 26th, 2015, 21:26
It's completely true. We're talking about compromising public wifi networks, like at Starbucks and hotels. Even if using a VPN, your data goes like this:

Computer -> router -> VPN -> internet.

If someone hacks the router, it makes zero difference if you're using a VPN or not.

No, it does make a big difference with any VPN that is properly secured. My VPN client verifies the VPN server's certificate, so if someone hacks the router and attempts to impersonate the VPN server I'm using by redirecting my traffic to their own machine, my VPN client realizes that and refuses to establish a connection. Thus I'd know that something is amiss, and I would use another WiFi network or mobile connection instead of the compromised one. While I cannot rule out beforehand that any public WiFi network I'm using isn't safe, I can definitely detect if it's trying to tamper with my secure connection.
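
The certificate check described in the post above, as an added example that is not part of the original thread or any VPN product's code: a client that pins the provider's CA key refuses both a look-alike server with its own certificate and one that merely replays the real certificate. The name `vpn.example`, the toy RSA keys built from Mersenne primes, and all function names are assumptions made for illustration; real clients use TLS or IKE with proper key sizes and padding.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (illustration only, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private exponent d)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def cert_body(name, subject_n):
    return f"{name}|{subject_n}".encode()

def make_cert(name, subject_n, issuer_key):
    return {"name": name, "n": subject_n, "sig": sign(cert_body(name, subject_n), issuer_key)}

class Endpoint:
    """Whatever machine answers the client's packets, as chosen by the router."""
    def __init__(self, cert, key):
        self.cert, self.key = cert, key
    def handshake(self, nonce):
        return self.cert, sign(nonce, self.key)

def client_connect(endpoint, expected_name, pinned_ca_n):
    nonce = secrets.token_bytes(32)  # fresh per connection, so old proofs cannot be replayed
    cert, proof = endpoint.handshake(nonce)
    if not verify(cert_body(cert["name"], cert["n"]), cert["sig"], pinned_ca_n):
        return "refused: certificate not signed by the pinned CA"
    if cert["name"] != expected_name:
        return "refused: certificate is for another server"
    if not verify(nonce, proof, cert["n"]):
        return "refused: peer does not hold the certificate's private key"
    return "tunnel established"

# Constructed parties: the VPN provider's CA, the real server, and a box behind a hacked router.
CA, VPN, ROGUE = keypair(521, 607), keypair(1279, 2203), keypair(2281, 3217)
REAL_CERT = make_cert("vpn.example", VPN[0], CA)
genuine = Endpoint(REAL_CERT, VPN)
self_signed = Endpoint(make_cert("vpn.example", ROGUE[0], ROGUE), ROGUE)
replayed = Endpoint(REAL_CERT, ROGUE)  # copies the public certificate, lacks the key
```

A refusal here is the signal the post describes: the network in between is interfering, and the safe response is to switch networks rather than retry without verification.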

bruce_nyc
December 5th, 2015, 21:40
Yes. This is true also.