Convenience and security rarely travel together
As millions of football pilgrims converge on Mexican cities for the 2026 World Cup, a quieter vulnerability awaits them beneath the spectacle: the invisible networks that promise connection but may deliver exposure. Kaspersky researchers, having mapped tens of thousands of public Wi-Fi signals across Mexico City, Guadalajara, and Monterrey, found that roughly one in six open networks offers little meaningful protection against those who would listen in. It is a recurring human paradox — that the tools we reach for in moments of need are often the ones that leave us most open to harm — and in the compressed, distracted atmosphere of a global tournament, that paradox becomes a calculated opportunity for cybercriminals.
- Nearly 70,000 public Wi-Fi access points were mapped across three World Cup host cities, and a troubling fraction — up to 18.5% in Guadalajara — offer attackers an open door to intercept credentials, monitor traffic, and stage convincing fake networks.
- The danger is compounded by a hidden flaw: 45% of networks still run outdated WPS technology, meaning even networks displaying modern encryption labels like WPA2 or WPA3 may carry a backdoor that renders those protections hollow.
- Millions of fans arriving from abroad will instinctively reach for public Wi-Fi the moment they land, conducting banking transactions, navigating unfamiliar cities, and communicating with family — precisely the behaviors that make them ideal targets for financial fraud and identity theft.
- Security researchers are urging fans to treat public Wi-Fi as a hostile environment: verify network names with staff, avoid any sensitive transactions, and route all traffic through a VPN to close the gap between convenience and safety.
- The World Cup is not an isolated risk but a concentrated version of a global pattern — large international events reliably attract sophisticated cyberattacks, and the 2026 tournament may determine whether fans carry home memories of football or the lasting damage of compromised accounts.
Millions of football fans preparing to travel to Mexico for the 2026 World Cup are facing a warning that has nothing to do with the pitch: the public Wi-Fi networks they will depend on are significantly less secure than they appear.
Kaspersky's Global Research and Analysis Team scanned more than 84,000 wireless signals across Mexico City, Guadalajara, and Monterrey, identifying nearly 70,000 unique public access points in high-traffic areas. Their findings were sobering. Roughly one in six open networks in Mexico City lacked adequate security protections, while Guadalajara reached 18.5% and Monterrey 17.2%. These gaps allow attackers to intercept data, steal login credentials, monitor traffic silently, or lure users onto convincing fake networks.
What makes the threat especially deceptive is the illusion of safety many networks project. Nearly half of those studied still have WPS — an outdated and vulnerability-riddled connection feature — enabled. Even when a network displays modern encryption standards like WPA2 or WPA3, an active WPS function can hand attackers a backdoor into the entire system.
Kaspersky's Latin America researcher María Isabel Manjarrez captured the core tension: travelers need connectivity the moment they arrive, and that need — for maps, payments, communication — is exactly what cybercriminals are counting on. Convenience and security rarely coexist on public networks, and the distracted, celebratory atmosphere of a World Cup makes the trade-off more dangerous still.
Experts are urging fans to avoid banking or payment activity on public Wi-Fi entirely, confirm network names with venue staff before connecting, use a VPN to encrypt their traffic, and keep devices updated with firewalls and two-factor authentication active. The broader lesson is one that repeats at every major international event: concentrated crowds, unfamiliar infrastructure, and divided attention create ideal conditions for large-scale fraud. Whether fans leave Mexico with only football memories will depend, in part, on choices made long before kickoff.
Millions of football fans are about to descend on Mexican cities for the 2026 World Cup, and cybersecurity researchers have a warning waiting for them: the public Wi-Fi networks they'll rely on to stay connected are far less secure than they appear.
Kaspersky's Global Research and Analysis Team conducted a sweeping study of wireless networks across Mexico City, Guadalajara, and Monterrey—the three host cities that will draw the largest crowds. They scanned more than 84,000 free Wi-Fi signals and identified nearly 70,000 unique public access points in high-traffic tourist and sports zones. What they found was troubling: roughly one in six open networks in Mexico City lacked adequate security protections. The problem worsened in Guadalajara, where 18.5% of networks were classified as insecure, and remained significant in Monterrey at 17.2%.
These vulnerable networks create multiple pathways for theft. Many lack proper encryption or use flawed configurations that make it simple for attackers to intercept data, steal login credentials, monitor internet traffic without permission, or set up fake access points designed to fool unsuspecting users. The mechanics are straightforward: a traveler connects to what appears to be a legitimate network, conducts a banking transaction or checks email, and a waiting criminal captures everything that passes through.
What makes the threat particularly insidious is that many networks wear a false mask of security. Nearly half of the networks studied—45%—still have an outdated feature called WPS (Wi-Fi Protected Setup) enabled. WPS was designed to make connecting devices easier, but it's now considered obsolete and riddled with vulnerabilities. Even if a network displays modern encryption protocols like WPA2 or WPA3, the presence of WPS can give attackers a backdoor to access the entire system and compromise any information users transmit across it.
María Isabel Manjarrez, a security researcher for Kaspersky in Latin America, framed the dilemma plainly: travelers need connectivity. The moment they land and turn off airplane mode, they're searching for internet. Navigation, transportation apps, payment systems, communication with family—all of it depends on being online. But convenience and security rarely travel together, and public networks are where that trade-off becomes most dangerous.
The research team and other experts are now offering a toolkit for fans who want to protect themselves. The most important step is avoiding sensitive transactions—banking, payments, credential entry—on any public Wi-Fi. Before connecting, verify the network name directly with the business providing it; criminals often create convincing fakes. Use a virtual private network (VPN) to encrypt everything you send and receive. Keep your phone's operating system and apps updated, activate your device's firewall, use strong passwords, and enable two-factor authentication on important accounts. Turn off file-sharing features when you're not using them, and consider a password manager to store credentials securely.
The timing of this warning reflects a broader reality: international sporting events have become prime hunting grounds for cybercriminals. Millions of visitors, most of them focused on the match rather than their digital hygiene, concentrated in a few cities, all dependent on wireless networks—it's an ideal environment for large-scale fraud and identity theft. The 2026 World Cup will be no exception. What happens in the coming weeks will determine whether fans leave Mexico with only memories of great football, or with the added souvenir of compromised accounts and stolen data.
Citas Notables
Travelers need to stay connected for navigation, transportation, payments, and communication, but convenience usually comes with reduced security.— María Isabel Manjarrez, Kaspersky security researcher for Latin America
La Conversación del Hearth Otra perspectiva de la historia
Why would cybercriminals specifically target a sporting event? Aren't there easier ways to steal data?
Scale and predictability. Millions of people in one place for weeks, all using the same networks, all distracted. A criminal doesn't have to be sophisticated—they just have to be present.
The study found that 45% of networks have this WPS vulnerability. That seems like a lot. Why haven't these been fixed?
WPS is enabled by default on most routers. Most network administrators don't know it exists or don't understand the risk. It's invisible to the user, and it works—until it doesn't.
If I'm a fan and I need to book a hotel or buy tickets while I'm there, what do I actually do?
Use a VPN before you connect to any public network. It encrypts everything, so even if the network is compromised, what you send looks like gibberish to anyone watching. It's the single most important tool.
Does Mexico have a responsibility here? Should the government be forcing these networks to be more secure?
Ideally, yes. But enforcement is slow, and many of these networks are run by small businesses that don't have IT expertise. The real burden falls on travelers to protect themselves.
How bad could it actually get for someone who ignores this advice?
A stolen credit card number, a compromised email account that gives access to everything else, identity theft that takes months to unravel. For some people, it could mean thousands of dollars in fraudulent charges.