FlyerTalk Forums


JSD Jul 17, 2005 7:34 am

Keystroke loggers on public computers
 
I've recently been giving some thought to this. While traveling for pleasure, I frequently leave my laptop behind and rely on a combination of internet cafes, airport lounges and hotel business centers for my online access. Most of the time I'm just checking email and doing general browsing. However, on longer trips, it becomes necessary to log in to my online banking site and credit card sites to pay bills, check balances, etc.

Doing so on publicly accessible computers has always made me pretty nervous. Most of these computers aren't set up with any sort of access control to prevent random users from installing software on the box. It seems like it would be pretty easy for someone to come along and install a keystroke logger that has some logic to look for username/password combinations and email them back "home". And I'm guessing that the average airport lounge / hotel business center / internet cafe doesn't employ staff who are clueful or motivated enough to pay attention to this sort of thing.

Paranoia or reality? Anything I can do about it or should I go back to banking by phone while abroad?

While I'm at it, maybe I should stop checking email as well. While it's not as critical as my financial accounts, I'd really prefer that someone not gain access to my email. And I guess I should stop booking hotels / flights online while abroad as well. Armed with my ual.com and spg.com password, a malicious user could book himself a nice vacation without me ever knowing!

Internaut Jul 17, 2005 7:42 am

When I'm on holiday, I take a pocket PC with me for this very reason. It does just about everything a laptop does for me and is far smaller and lighter. I just don't trust public computers.

H2O_Goalie Jul 17, 2005 8:23 am

I would tend to say reality. In this day and age, it verges on suicidal to trust anything that isn't under your control.

Scandalous Jul 17, 2005 8:41 am

.....

ramraideruk Jul 17, 2005 8:52 am

It's happened to some friends of mine. Whilst in Spain, they had their PayPal account details accessed. They were lucky enough to find out before too much damage had been done.

H2O_Goalie Jul 17, 2005 10:12 am

A good option might be to just carry a CD with Knoppix on it. Simply put the CD in the drive and reboot the PC (yes, I know it may not work 100% of the time). Now you're running an independent OS with no worry about keyloggers, trojans, etc.

If you carry a briefcase and/or CD wallet it wouldn't be very difficult to add 1 CD.

Scandalous Jul 17, 2005 10:23 am

.....

SkeptiCallie Jul 17, 2005 10:24 am


Originally Posted by Scandalous
A simple and admittedly imperfect technique that will still fool most common key loggers is to "mix up" your login and password. Say my login here is "scandalous" and my password is "password". I click the mouse cursor down to the password line and type "word" then click the mouse up to the username line and type "dalous" then click back down to the front of what I have already typed in the password line and type "pass" then click back up to the front of what I already typed in the username line and type "scan". The keylogger does not record the mouse clicks, only the keystrokes. So the keylog would read "worddalouspassscan". I suspect this would discourage most simple bad guys and they would quickly abandon trying to figure it out and go in search of easier targets. Perfect? No. But I bet it would confuse the bad guys most of the time.

Thanks! Ingenious solution. Another variant, for computers that still have A drives, is to keep passwords on a disk, then cut and paste them into user/password lines, as loggers wouldn't read the information being cut and pasted. Of course, if a program captured a screen shot, that wouldn't work. All of this is beyond me, so I just use email at Internet cafes abroad, and then I change my password the moment I return home.

Internaut Jul 17, 2005 10:31 am

Seconded on that. Very clever. You can be as complicated as you like with it too since too many attempts to work out what the actual combinations of the letters and numbers will lock your account for you :).

ScottC Jul 17, 2005 10:55 am

I'll often use Terminal Services to log on to my server at home, and then use an onscreen keyboard to enter stuff.

cordelli Jul 17, 2005 3:27 pm

You could google it to find the details, but a year or so ago they nailed some Kinko's employees for doing just that; they were keystroke logging people at their public terminals, and were collecting logins for remote access like GoToMyPC, and bank and credit account users and passwords. I forget who traced it back to that one shop in a tourist area, but it was something four or five of the people had in common.

Lots of providers of remote access have one-time-use passwords now, and lots of people use a VPN to get to a network they trust first. I would be very careful on a public terminal, and any place you do use, be it your remote access, corporate mail, credit or bank accounts, absolutely anyplace you put in a username and password, you should change it at the next chance you get from a non-public terminal.

Aileron Jul 17, 2005 5:55 pm

deleted

JadedTraveler Jul 17, 2005 6:35 pm

The On-Screen Keyboard is a very good way to address this. It will defeat any keylogger, software or hardware, because what occurs are mouse clicks, rather than key presses. Combine that with mixing up the username and password.

BTW, in Win XP, the On-Screen Keyboard is installed by default: Start > Programs > Accessories > Accessibility > On-Screen Keyboard

Doppy Jul 17, 2005 8:31 pm


Originally Posted by JadedTraveler
BTW, in Win XP, the On-Screen Keyboard is installed by default: Start > Programs > Accessories > Accessibility > On-Screen Keyboard

Good tip.

kingalien Jul 17, 2005 9:36 pm

I haven't tried this yet but I'm thinking about getting one. Of course you'll need to have access to a USB port.
http://stealthsurfer.biz/index.html

ScottC Jul 18, 2005 5:52 am


Originally Posted by kingalien
I haven't tried this yet but I'm thinking about getting one. Of course you'll need to have access to a USB port.
http://stealthsurfer.biz/index.html

That seems like a total waste of money. All the apps and services on the key are free. You could pick up a 128Mb USB key for as little as $15 and put the apps on it yourself.

Besides that, it would be of little use if the PC is equipped with a keylogger.

JSD Jul 18, 2005 8:49 am

Great feedback from everyone. I guess it's a small consolation to know that I'm not being overly-paranoid. I am really going to have to re-think my usage while on untrusted computers.

Internaut, carrying a Pocket PC is definitely a good, albeit expensive, solution. Do you ever have difficulty finding WiFi signals to use? It seems like there are still an unfortunately large number of airports and hotels that lack WiFi, and those that have it are rarely free.

Scandalous, I like your scheme to interlace the characters of your username and password while typing them in. Brilliant! I'll definitely keep that one in mind.

JadedTraveler and ScottC, the idea of using the WinXP onscreen keyboard is also an excellent one that I had not thought of.

I think the thing that is most frightening is the idea that if someone were to intercept one of my passwords (either through keylogging or other means) they could potentially take control of that account without me ever knowing.

It seems like a simple way to address this would be for sites to send an alert to the (original) email when anything changes in an account. That way if someone were to maliciously gain access to an account and change the password and/or email address associated with that account, the site would send an email notification that would make you immediately aware of the problem so you could take action before any substantial damage is done. It appears that PayPal does this, but surprisingly, none of my credit card sites nor my online banking site did so.

CMDR_BOND Jul 18, 2005 11:59 am

What if you created a new email address on Yahoo or Gmail? From there, you tell the email client to read your emails from your real address via POP3/IMAP (without deleting the messages). When you get back from your trip, you remove the email forwarding to the new account. So now, if someone does manage to get access to your email system, they can only read those emails sent to you while you were on your trip. If you don't install SMTP, they won't be able to send messages using your name. Of course, now that you limited their access to the email system, you too are limited in what you can do on it.

So while there are many ways to protect yourself online, if someone is trying to be malicious, they can get access to your account -- the only question is how far they will go in order to accomplish that. I'm guessing that most of these hackers are lazy and figure they can acquire someone else's password much more easily and won't waste their time doing anything too complicated on one person. But if they have the hardware keylogger and the screen capture software (meaning they spent about 100$ in this operation), then you can't really defend yourself in the public domain.


All times are GMT -6.