Kinko's Spy Case Illustrates Public Terminal Risk
tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different Kinko's in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC and then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.
For us non-US'ers:
What is a Kinko's?
Thanks!
Burma?
Why would anyone consider using public access points to access private/secure data? That's just asking for trouble.
It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online banking, however? Why not. Silly.
I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.
Two wrongs don't make a right, but three lefts do.
At the last 2600 meeting I attended, we joked about installing a chip into a keyboard to catch keystrokes. What if this was done instead of a piece of software? And who knows if something like this has been done or not. The "man on the street" does not understand one iota of computer security, so why should a public kiosk computer be any different from his home PC? As long as it does not affect them in any way they do not care! This is a wakeup call for "Joe Sixpack": do not trust any public PC (I don't).
You're (fairly) safe from online fraud, but still perfectly vulnerable to real-world fraud, which is far more common (with regard to banks anyway). I wouldn't bask too much in your sense of security.
Still, everyone is perfectly entitled to judge the risk themselves and do what they want. I'm intrigued though - do you drive? smoke? drink? have sex? Those things are much more likely to cause problems (and they can be much more serious problems) than online banking. Do you exercise the same level of caution there?
---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"
You're right that most key logging programs are stupid, though. The best way to detect a key logger is to go into Windows Explorer, do a search for files modified in the last day, then sort the list by modification date descending. Open any unusually named files and look inside. After all, key loggers have to keep a log somewhere!
I spend a lot of time at my local Kinko's. They do get paid at least 1/2 more than you suggest. It requires experience and training to deal with some of these copiers... as well as lots of patience for the many customers who know even less (or don't even know what they want). They are one employer that is likely to keep many employees around for a long time to come despite the heavy automation. Sadly the training for the normal coworker doesn't seem to include internet security... which is fundamentally the responsibility of those persons who did the custom job on Win2k for them... so don't loosely blame the bubs in the blue aprons. Oh, I am noticing this handy warning on top of the monitor here. "Be safe. Protect your personal information," sayeth the sign. Instructions on how to delete the files one may have saved follow. Hmmm... let's go and see how many folks left their disks in the drives. ;)
In order to install a keystroke logger, it seems to me that you would need root permission to do it on Linux, or else be able to (re-)boot such a Linux terminal from floppy or CD.
By taking out the floppy/CD drive and simply applying user privileges, I can't imagine that anybody would be able to pull this off on Linux terminals.
Therefore, isn't this typically a Windows problem? Insecurity by design?
This is why some banks do not request full information for login.
For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:
Three digits from your four digit online PIN (in a random order, like second, first, fourth).
Three characters from your password, again a random selection in a random order.
While it initially irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.
It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to repeat it themselves, and unless you know which order the characters and PIN were requested in, a plain keyboard capture program would be ineffective.
rm -rf / is the evil of all root
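The partial-credential login described in the comment above, written up as an added example for this page (it is not NatWest's implementation, and the PIN, password and sample secrets are constructed): the server picks which PIN digits and password characters to ask for, so keystrokes captured from one session do not answer a fresh challenge, while an observer who sees both prompt and keys still needs several sessions before every position is known.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Challenge:
    pin_positions: tuple  # 1-based positions into the PIN, in the order asked
    pwd_positions: tuple  # 1-based positions into the password, in the order asked

def make_challenge(pin_len, pwd_len, rng):
    """Server side: three distinct positions from each secret, asked in random order."""
    return Challenge(tuple(rng.sample(range(1, pin_len + 1), 3)),
                     tuple(rng.sample(range(1, pwd_len + 1), 3)))

def expected_answer(ch, pin, password):
    """What the legitimate user types: the requested PIN digits, then the requested password characters."""
    return ("".join(pin[i - 1] for i in ch.pin_positions)
            + "".join(password[i - 1] for i in ch.pwd_positions))

def verify(ch, typed, pin, password):
    """Server-side check; the full secrets are compared here and never typed in full at the terminal."""
    return typed == expected_answer(ch, pin, password)

def replay_works(keylogged, fresh, pin, password):
    """Keylogger-only view: the attacker has last session's keystrokes but not the positions asked."""
    return verify(fresh, keylogged, pin, password)

def sessions_to_learn_all(pin, password, rng, limit=1000):
    """Stronger observer who sees both prompt and keys each session: how many sessions
    until every position of both secrets is known, so any future challenge is answerable?"""
    known_pin, known_pwd = set(), set()
    for n in range(1, limit + 1):
        ch = make_challenge(len(pin), len(password), rng)
        known_pin.update(ch.pin_positions)
        known_pwd.update(ch.pwd_positions)
        if len(known_pin) == len(pin) and len(known_pwd) == len(password):
            return n
    return None

if __name__ == "__main__":
    PIN, PASSWORD = "4931", "correcthorse"   # constructed sample secrets
    rng = random.Random(7)
    first = make_challenge(len(PIN), len(PASSWORD), rng)
    keys = expected_answer(first, PIN, PASSWORD)
    second = make_challenge(len(PIN), len(PASSWORD), rng)
    print("replay of session 1 answers challenge 2:", replay_works(keys, second, PIN, PASSWORD))
    print("sessions for a prompt-and-keys observer to learn everything:",
          sessions_to_learn_all(PIN, PASSWORD, random.Random(7)))
```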
Well, to be fair, Muhammed and Jiang are two of the more common names in the world, simply by weight of population...
More interesting question: why is it never Amy, or Meiying, or Fatimah?
By anyone. Most banks are moving away from magnetic stripes exactly because the readers are so inexpensive and easy to install on public terminals and ATMs. In addition to the official readers. The smartcards are coming.
Money for nothing, pix for free
Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever NEVER access any critical data from a public terminal under any circumstances EVER.
The corollary to this maxim is to make sure that the password of an account that you access from a public terminal is different from any password that you use from a non-public terminal. Then again, the truly paranoid have different passwords anyway....
I dunno, do you keep track of your finances? If you balance your checkbook, occasionally check your credit rating (which shows open accounts), etc., you would have some clue whether or not you were affected.
If you don't do the above, why should Kinko's clean up your mess for you?
One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.
Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.
They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...
Why is it the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, I was paid 6.25 an hour, and I did a pretty damn good job, I might say. I didn't mope around my whole shift; I'd help people out, learn about things I didn't know (like printers, I don't print anything ever so I didn't know much about the technology in 'em), took time to learn how to work the machines in our copy center, etc. etc. You trying to say that because Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college or something, and they certainly would take an interest in it.
Since the DMCA passed Congress, the USA is one of the most totalitarian states out there. Maybe even worse than China.
Sklyarov was a victim of exactly the same illusion as you have - he thought that the USA is a free country, he came there and was put into jail for an action which does not constitute a crime at all under Russian law - publishing information about security flaws in eBook, and it was done on Russian territory.
Note that Alan Cox of the UK shares almost the same opinion - he refuses to go to USENIX because after the Sklyarov case he doesn't consider the USA a safe place for a programmer.
How can this be flamebait if I am French? :)
Trolling using another account since 2005.
First of all, blocking the ability to install doesn't mean jack if they still have the ability to run any application they want. Locked down the shell pretty good with poledit? (hah!)
Don't forget about the ability to click a link to an executable in a browser and run it from its location rather than saving it. Bottom line is that if someone has physical access to a machine, and you can't stand behind them and watch them as they use it, it's insecurable. Best bet for a safer internet terminal is a custom diskless X terminal. Easier to lock down, no one can install anything permanently, and you have the extra measure of security by obscurity because dumb hax0r kids won't have a billion keyloggers and trojans to pick from to install. It wouldn't be hard either to have a cron job shell script run some regexes on the list of running processes and send you an email when something runs that does not match the list of allowable applications.
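The process allowlist check suggested at the end of the comment above, as an added example written for this page rather than anything the commenter posted: it parses `ps` output, flags every process whose command matches none of the allowlist regexes, and builds the message a cron job would hand to the mailer. The allowlist, host name and the `ps` sample are all constructed.

```python
import re

# Allowlist of process names for a kiosk-style X terminal (constructed for this example).
ALLOWED_PATTERNS = [r"^init$", r"^Xorg$", r"^xdm$", r"^firefox(-bin)?$", r"^cron$", r"^sshd$"]

# Constructed sample of `ps -eo pid,user,comm` output; not captured from any real terminal.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     init
  412 root     Xorg
  430 root     xdm
  640 kiosk    firefox-bin
  812 root     cron
  901 kiosk    unknown-bin
  933 kiosk    nc
"""

def parse_ps(text):
    """Turn ps output into (pid, user, command) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1], parts[2].strip()))
    return rows

def unexpected_processes(rows, patterns=ALLOWED_PATTERNS):
    """Return every process whose command matches none of the allowlist regexes."""
    compiled = [re.compile(p) for p in patterns]
    return [r for r in rows if not any(c.match(r[2]) for c in compiled)]

def alert_body(offenders, host):
    """Text for the e-mail the cron job would send; None when there is nothing to report."""
    if not offenders:
        return None
    lines = [f"Unexpected processes on {host}:"]
    lines += [f"  pid={pid} user={user} cmd={cmd}" for pid, user, cmd in offenders]
    return "\n".join(lines)

if __name__ == "__main__":
    # In the cron job, SAMPLE_PS would be replaced by live `ps` output and the
    # body piped to the local mailer; here the constructed sample is used.
    body = alert_body(unexpected_processes(parse_ps(SAMPLE_PS)), "kiosk-07")
    print(body or "all processes on the allowlist")
```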
Chances are, a "Virtual Keyboard" just emulates key strokes from the keyboard. Not too same IMO.
I have used a Kinko's machine in Columbus, Ohio (near Ohio State) and here is what I found:
1. Windows 2000 with the user logged in as poweruser or administrator.
2. Pop up software installed (unknown spyware).
3. I could not find a USB port, so I stood up, moved the PC and plugged it in in the back. No comment from staff.
The only "security" I saw was protecting the billing app.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
And if I have physical access to a Linux machine?
One line blog. I hear that they're called Twitters now.
For a lot of people, places like public libraries are their only Internet access. They have to use them to file unemployment claims, check their email, apply for student financial aid, look up medical information, apply for jobs... You get the idea.
In such cases, people essentially have to trust the security and/or take as much evasive action as possible.
The best way to handle this? Educating people on how to use computers and how to be the most secure. Of course, if the general populace actually paid attention to signs explaining security procedures, that might help, but since a large portion of the populace can't seem to understand the usefulness of the print preview command in avoiding printing 3 billion excess pages, I'm not going to hold my breath.
Whoops. That last sentence was a bit bitter, even if it was dead on.
As a rule, most folks who get arrested, sued, punished and publicised are from countries regarded as anti-US during the cold-war, at any rate.
Pakistan?!? What kind of history do they teach at your school?
Buy Steampunk Clothing Online!
Of course, that won't protect against the Key Katcher.
Too late to be known as Bush the First, he's sure to be known as Bush the Worst.
Well, not if they were born in the US, I don't. How come people can come to America with $1 in their pocket and turn it into enough money to send their kids through college, but if you were born here, you expect to get paid $50 an hour at a job before you consider doing a good job at it? My cousin was a bar-certified lawyer with 5 kids, but he wouldn't take the job pushing papers in a law office (even though that's entry level) because it paid too low (~$12/hr). He wanted to be brought in as a partner, even though he was just out of law school and all (he was like 30 at this point though, law school takes longer with a bunch of kids). So what does he do with that new law degree? He paints houses and mooches off my uncle to make ends meet, still waiting, 5 years and 2 more kids later, for that partner position at a law firm. Don't be lazy! There are worse things in the world than getting paid $6 an hour to do light sales work.
Please tell me you are not just looking for a class action lawsuit because you smell easy money.
Take some responsibility for your own actions and think this through. Were you actually harmed by this? If not, what makes you think you are entitled to compensation? Do not say emotional distress, please, or try the RIAA method of valuation inflation. If you were harmed by this, then read all the other comments here about being smart with your sensitive information. Then decide if Kinko's is responsible for the loss or just another victim.
The system is screwed up enough with all the lawsuits flying back and forth; save them for when you really need them.
"He is no fool who gives what he cannot keep in order to gain what he cannot lose."
Obviously you've never worked for that kind of money for longer than 2 or 3 months.
(this was pre-boom)
He'd moved out here thinking that working at Fry's would be a good place to make connections and learn tech skills. He found out Fry's treats their employees like dirt, there's no reward for knowing your job, and if you are capable of answering customer questions, there were other places which would pay you more, so why not work there?
So what you end up with is people who don't have the skills to work anywhere better-paying. It's different now - it's amazing how many people at Fry's know what they're selling - but it won't last.
(And it's stupid on Fry's part too - how often back then did you see a trainee cashier with a trainer right behind him? Did it not occur to them that if they paid better, they could keep their cashiers beyond the training period, and only have to pay one person instead of two?)