Evil Twin Attack

Worth a read if you're a hotspot user.


Reply to
Airhead

Seems to me to be a new name for an old issue.

Reply to
David

It's an old problem. Most of the hot spot owners that I know are not going to get involved in protecting their customers from any variation of the "man in the middle" attack. An attacker can also get the same results with a sniffer and data logger. It would still be necessary to trick the user into using a fake web page in order to get their information as all sniffed and "evil twin" traffic is usually encrypted by an SSL (https) web page. The point about T-Mobile using a credit card number for access is well taken. They should know better as it's been dogma since the stone age of computing that the user name is presumed to be "well known" and should not be anything that needs protection.

PC World is not known for being rather astute with their "warnings". For example, they don't question why the author innocently set up a HostAP access point on his laptop in an airport. I guess MIT security managers do such things. No mention of XP's overly friendly habit of connecting with any access point. The article also doesn't make a connection between their newly coined "Evil Twin" exploit, and the comments on spyware legislation at the bottom, with no mention of URL hijacking.

Reply to
Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.