Kinko's Spy Case Illustrates Public Terminal Risk
tealwarrior writes "CNN reports in this
story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different Kinko's in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.
It's a good question, actually.
Google finds quite a lot. My guess is it's http://www.kinkos.com/:
Document Solutions - Done Right, Anytime, Anywhere
Core Values
1. Alignment and accountability: We accept responsibility for our actions. We make and support business decisions through experience and good judgment.
2. Customer Service Excellence: We are dedicated to satisfying customer needs and honoring commitments that we have made to them.
3. Teamwork: Our team is supportive of each other's efforts, loyal to one another, and care for each other both personally and professionally.
4. Balance: We are flexible, helping team members strike a healthy work and life balance.
5. Community and environment: We strive to help and improve the communities where we work and live. We are concerned about the environment and promote the use of recyclable products and renewable energy.
6. Integrity: We act with honesty and integrity, not compromising the truth.
7. Passion for results: We show pride, enthusiasm and dedication in everything that we do. We are committed to selling and delivering high quality products and services.
8. Respect: We treat our team members, customers, partners and suppliers with mutual respect and sensitivity, recognizing the importance of diversity. We respect all individuals and value their contributions.
9. Open Communication: All team members are encouraged to openly share their opinions and views.
Photocopying, document printing, and some have public access Internet terminals (for a fee).
As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."
The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"
"Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.
Curiously, as you are using a Mac-looking name: two of the most popular keystroke loggers for Macs (when I used them, which was up until just before the OS X days) would take note of exactly this, and still get your password and your random typing as separate strings. I have no experience with PC loggers as I haven't investigated them since; I've learned to never trust a machine with details I couldn't afford to lose.
I used to use this exact same technique, then tried it on a couple of loggers I suspected. Some coders have too much time on their hands.
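Added example (not from any of the posts above): a simulation of the "type the password in pieces, mash junk into Notepad in between" trick described a couple of posts up, run against the two kinds of logger the thread contrasts: the "all-or-nothing" one that just records a keystroke stream, and the window-aware one that tags each key with the window that received it. The event stream is constructed here; the window titles and characters are made up, nothing is captured from a real machine.

```python
from collections import defaultdict

# Constructed sample: (title of the window that received the key, character).
# The user types "s3cr3t" into the bank login box, but interleaves junk
# keystrokes ("xqzk") typed into Notepad, as the trick suggests.
EVENTS = [
    ("Bank login - Internet Explorer", "s"),
    ("Bank login - Internet Explorer", "3"),
    ("Untitled - Notepad", "x"),
    ("Untitled - Notepad", "q"),
    ("Untitled - Notepad", "z"),
    ("Bank login - Internet Explorer", "c"),
    ("Bank login - Internet Explorer", "r"),
    ("Untitled - Notepad", "k"),
    ("Bank login - Internet Explorer", "3"),
    ("Bank login - Internet Explorer", "t"),
]

BANK_WINDOW = "Bank login - Internet Explorer"
PASSWORD = "s3cr3t"


def naive_log(events):
    """All-or-nothing logger: records every keystroke in order, no window info."""
    return "".join(ch for _, ch in events)


def window_aware_log(events):
    """Logger that also hooks focus changes and files each key under its window.

    This is the behaviour the Mac logger post describes: the password and the
    random typing come out as separate strings.
    """
    by_window = defaultdict(str)
    for title, ch in events:
        by_window[title] += ch
    return dict(by_window)


def contiguous_candidates(log, length):
    """What an attacker gets from the naive log: every contiguous run of the
    right length. Because the junk is interleaved, the real password is not
    among them (the attacker would have to guess which keys to drop)."""
    return {log[i:i + length] for i in range(len(log) - length + 1)}


if __name__ == "__main__":
    naive = naive_log(EVENTS)
    print("naive logger saw:       ", naive)
    print("password recoverable?   ", PASSWORD in contiguous_candidates(naive, len(PASSWORD)))
    aware = window_aware_log(EVENTS)
    print("window-aware logger saw:", aware)
    print("password recoverable?   ", aware[BANK_WINDOW] == PASSWORD)
```

The trick raises the cost for the dumb logger only: the password is still in the stream, just not as a contiguous run. Anything that records focus changes, or a hardware logger paired with a screen grab, gets it back trivially, which is the point of the "don't type it on an untrusted machine" replies.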
Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC, and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC service, which actually controls your home PC. The person whose accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediately knew that someone had gained access through the GoToMyPC service and contacted the authorities. That is how they caught him... not him signing people up for GoToMyPC...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Instead of trying to be clever, you're probably better off not trusting a publicly accessible computer.
You mean like this.
If I were to do this I would use one of the versions that uses a private IRC channel to communicate; that way you never have to go back to the machine again, yet can control it from almost anywhere with a lesser chance of being found.
This is why secure operating systems use an SAK, system attention key. Windows NT and its brethren require you to press ctrl-alt-del to log in because that key sequence cannot be trapped by an application (though there are other problems with the NT logon process unrelated to the three-fingered salute). Linux has an SAK too; unfortunately, it's only available through the kernel magic debug keys by default (alt-sysrq-k if you have magic keys enabled) - the SAK under Linux will kill all programs on the current TTY, thus forcing init to spawn you a fresh login process which, assuming the system is otherwise secure, is not going to steal your password. Some *nix terminals actually have a key labelled 'SAK' on their keyboards.
Torne
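Added example, not part of Torne's post: a small check for whether the Linux SAK mentioned above is actually reachable on a given box. The kernel exposes the magic SysRq policy as a bitmask in /proc/sys/kernel/sysrq (0 disables everything, 1 enables everything, any other value is a bitmask of allowed groups, with 4 being the keyboard group that holds SAK and unraw; the group values follow the kernel's sysrq documentation). The decoding is a reimplementation here, not kernel code, and the example masks are constructed; Ubuntu's stock value of 176 is the one real-world number used.

```python
SYSRQ_PATH = "/proc/sys/kernel/sysrq"

# Bit values of the sysrq groups, as documented in the kernel's sysrq.rst.
SYSRQ_GROUPS = {
    2: "console loglevel control",
    4: "keyboard control (SAK, unraw)",
    8: "debugging dumps of processes",
    16: "sync",
    32: "remount read-only",
    64: "signalling of processes (term, kill, oom-kill)",
    128: "reboot / poweroff",
    256: "nicing of all real-time tasks",
}

SAK_BIT = 4


def enabled_groups(mask):
    """Return the names of the sysrq groups a given mask allows."""
    if mask == 0:
        return []
    if mask == 1:                      # 1 means "all", not bit 0
        return list(SYSRQ_GROUPS.values())
    return [name for bit, name in SYSRQ_GROUPS.items() if mask & bit]


def sak_enabled(mask):
    """True if alt-sysrq-k (the SAK) would be honoured under this mask."""
    return mask == 1 or bool(mask & SAK_BIT)


def read_sysrq_mask(path=SYSRQ_PATH):
    """Read the live mask; raises if the kernel lacks CONFIG_MAGIC_SYSRQ."""
    with open(path) as f:
        return int(f.read().strip())


if __name__ == "__main__":
    try:
        mask = read_sysrq_mask()
    except OSError as exc:
        print("no sysrq interface on this kernel:", exc)
    else:
        print("sysrq mask:", mask)
        print("groups:", enabled_groups(mask) or "none")
        print("SAK available:", sak_enabled(mask))
```

On a distro that ships 176 (128 + 32 + 16) the answer is "no": reboot, remount and sync are allowed, but the keyboard group is not, so alt-sysrq-k silently does nothing. Either set the mask to include 4 (sysctl kernel.sysrq) or, as the post says, accept that the login on the current TTY may not be fresh.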
...can be found at SecurityFocus.
There are PS/2-connector keyboard loggers sold in various places on the internet... although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords... It's just something you have to accept... that someone is probably watching, somewhere.
Review one. Review two.
Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.
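Added example, not from the post above: assuming "them" means the printed one-time code lists the poster's Finnish banks hand out, this shows why a keylogger at Kinko's gets little from them. The bank asks for a specific numbered code, each code is accepted exactly once, and only a keyed hash of the unused codes is stored server-side. The code values, the list length and the bank-side class are all constructed here; no real bank's scheme is reproduced.

```python
import hashlib
import hmac
import os
import secrets


def make_code_list(n, digits=6):
    """Bank side: generate n random single-use codes to print on a card."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


class OneTimeCodeList:
    """Server-side state for one customer's printed code list.

    Codes are consumed strictly in order: the bank challenges with the
    index of the next unused code, and a reply is only valid for that index.
    Lockout after repeated failures is real-world behaviour not modelled here.
    """

    def __init__(self, codes, server_key=None):
        self.key = server_key or os.urandom(32)
        # Store HMAC(key, index:code) rather than the codes themselves, so a
        # leaked database does not hand out the remaining codes.
        self.hashes = [self._tag(i, c) for i, c in enumerate(codes)]
        self.next_index = 0

    def _tag(self, index, code):
        return hmac.new(self.key, f"{index}:{code}".encode(), hashlib.sha256).digest()

    def challenge(self):
        """Which code the customer must type next."""
        if self.next_index >= len(self.hashes):
            raise RuntimeError("code list exhausted; issue a new list")
        return self.next_index

    def verify(self, index, code):
        """Accept a code only for the outstanding index, and burn it on success."""
        if index != self.next_index:
            return False
        ok = hmac.compare_digest(self.hashes[index], self._tag(index, code))
        if ok:
            self.next_index += 1
        return ok


def simulate_keylogger_replay(codes):
    """Customer logs in from a keylogged terminal; attacker tries the capture later.

    Returns (customer_login_ok, replay_ok, captured_code_on_next_challenge_ok).
    """
    bank = OneTimeCodeList(codes)
    idx = bank.challenge()
    captured = (idx, codes[idx])          # what the keylogger sees the user type
    customer_ok = bank.verify(*captured)  # genuine login succeeds, burns code idx
    replay_ok = bank.verify(*captured)    # same index again: rejected
    wrong_slot_ok = bank.verify(bank.challenge(), captured[1])  # wrong code for idx+1
    return customer_ok, replay_ok, wrong_slot_ok


if __name__ == "__main__":
    # Constructed sample list; a real card would be generated with make_code_list.
    sample = ["483920", "117455", "900213", "052771"]
    print(simulate_keylogger_replay(sample))   # (True, False, False)
```

What the keylogger does still get is the static part of the login (customer number, PIN), and an attacker who is on the machine at the same moment can race the user for the next challenge, which is why this defeats replay rather than a live man-in-the-middle.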
The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.
No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.
Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtopic flame-fest! Yay!
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Read it yourself. From the article:
Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes.
Kinko's stores are ridiculously popular in the US, especially near colleges and universities. Photocopies and printing, many are open 24 hours, and they offer computer terminals for rent with graphics and publishing apps already installed. They're so common now that they're practically an entry in the dictionary.
This would stop a keylogger application, but not a hardware logger between the keyboard and the PS/2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.
I know one piece of software that does that; they used to use it at my high school, and it worked pretty well. It's called Deep Freeze: you could do anything you wanted to the computer, and when you rebooted the system was back just the way it was before, with all software installed during the last session gone, everything. You can find it here.
If you can read this, you have too much learning.
Every time passwords get mentioned on Slashdot, I say they suck, with little to no moderation. Regarding the lack of standard protocols and software packages, try:
Multos
EMV (Europay-Mastercard-Visa) Specifications
JavaCard
OpenCard
PC/SC Workgroup
Standards Committees and Standards Related to Smart Cards
I attended the 10th annual smartcard convention in 1999, yet have not seen a smartcard outside of the places I used to work programming them. Maybe it's time... The cards then were 1 or 2 dollars and the readers were about 6 or 7, hardly an expensive peripheral on your computer.
Let me reiterate. Passwords have nothing to do with authentication, they only say that someone knows your password. Even having a magstripe card at least says that you know a password and were able to obtain physical access to the card. The best is a biometric reader with a smartcard. I think bioreaders are about 50 dollars.