Slashdot Mirror


Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different Kinko's in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC and then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.

14 of 383 comments

  1. Clarification Please! by rat7307 · · Score: 3, Insightful

    For us non-US'ers:

    What is a Kinko's?

    Thanks!

    --
    Burma?
  2. What do people expect? by fadeaway · · Score: 4, Insightful

    Why would anyone consider using public access points to access private/secure data? That's just asking for trouble.

    It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly.

  3. Out-of-order username & password entry by G4from128k · · Score: 5, Insightful

    I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.

    --
    Two wrongs don't make a right, but three lefts do.
  4. Magic Lantern by Anonymous Coward · · Score: 3, Insightful
    An intelligent keylogger will only hook certain window classes.
    It is rumored that the FBI's Magic Lantern key logger does just this, and has specific hooks for the password entry dialog of known 'terrorist' applications like PGPdisk, BestCrypt, KGB, etc.

    You're right that most key logging programs are stupid, though. The best way to detect a key logger is to go in Windows Explorer, do a search for files modified in the last day, then sort the list by modification date descending. Open any unusually named files and look inside. After all, key loggers have to keep a log somewhere!
    1. Re:Magic Lantern by lfourrier · · Score: 4, Insightful

      After all, key loggers have to keep a log somewhere!
      But not necessarily on the PC.

      http://www.thinkgeek.com/gadgets/electronic/5a05/

  5. I am typing this now from a Kinkos by Hecateus · · Score: 3, Insightful

    I spend a lot of time at my local Kinko's. They do get paid at least 1/2 more than you suggest. It requires experience and training to deal with some of these copiers...as well as lots of patience for the many customers who know even less (or don't even know what they want). They are one employer that is likely to keep many employees around for a long time to come despite the heavy automation. Sadly the training for the normal coworker doesn't seem to include internet security...which is fundamentally the responsibility of those persons who did the custom job on Win2k for them...so don't loosely blame the bubs in the blue aprons. Oh, I am noticing this handy warning on top of the monitor here. "Be safe. Protect your personal information" sayeth the sign. Instructions on how to delete the files one may have saved follow. Hmmm....let's go and see how many folks left their disks in the drives. ;)

  6. This is why some banks... by xneilj · · Score: 5, Insightful

    This is why some banks do not request full information for login.

    For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:

    Three digits from your four digit online PIN (in a random order, like second, first, fourth).

    Three characters from your password, again a random selection in a random order.

    While it initially irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.

    It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.

    --
    rm -rf / is the evil of all root
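The partial-credential login described in comment 6, as an added example (not NatWest's code): the server picks three random positions from the PIN and three from the password, checks only those characters, issues a fresh challenge for every attempt and locks out after repeated failures. The credentials, position counts and three-strike lockout are constructed assumptions.

```python
import secrets

# Constructed sample credentials for this demo (not real). Partial-character checks
# need the characters themselves, so a real system keeps them in a protected store.
PIN = "4721"
PASSWORD = "correcthorse"
MAX_FAILURES = 3      # assumption: lock the account after this many wrong answers

def make_challenge(pin_len=4, pw_len=12, k=3):
    """Pick k distinct 1-based positions from the PIN and from the password,
    each set in random order, e.g. ([2, 1, 4], [8, 5, 11])."""
    rng = secrets.SystemRandom()
    return rng.sample(range(1, pin_len + 1), k), rng.sample(range(1, pw_len + 1), k)

def expected_answer(pin, password, challenge):
    """The characters the user must type, in the order the challenge asks for them."""
    pin_pos, pw_pos = challenge
    return "".join(pin[i - 1] for i in pin_pos) + "".join(password[i - 1] for i in pw_pos)

class Account:
    """One customer login: a fresh challenge per attempt, a failure counter, lockout."""
    def __init__(self, pin, password):
        self.pin, self.password = pin, password
        self.failures = 0
        self.pending = None               # challenge issued for the current attempt
    @property
    def locked(self):
        return self.failures >= MAX_FAILURES
    def start_login(self):
        self.pending = make_challenge(len(self.pin), len(self.password))
        return self.pending

    def answer(self, response):
        """Check a response against the pending challenge only; the challenge is
        consumed either way, so a captured answer cannot be replayed later."""
        if self.locked or self.pending is None:
            return False
        want = expected_answer(self.pin, self.password, self.pending)
        self.pending = None
        if secrets.compare_digest(want.encode(), response.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False

def positions_covered(known, challenge):
    """Risk check: could someone who learned the characters at `known`
    positions (say, by watching one earlier session) answer this challenge?"""
    return set(challenge[0]) <= set(known[0]) and set(challenge[1]) <= set(known[1])
```

With a four-digit PIN, one observed session leaves at least one digit unknown, so a fresh challenge is answerable only when it happens to avoid that digit and the unseen password positions.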
  7. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  8. Re:Funny thing, the name... by aziraphale · · Score: 4, Insightful

    Well, to be fair, Muhammed and Jiang are two of the more common names in the world, simply by weight of population...

    More interesting question: why is it never Amy, or Meiying, or Fatimah?

  9. Bring your own OS? by dschuetz · · Score: 5, Insightful

    One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.

    Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.

    They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...

  10. Re:Am I the only one not surprised? by xpulsar87x · · Score: 5, Insightful
    Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

    Why is it the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, I was paid 6.25 an hour, and I did a pretty damn good job I might say. I didn't mope around my whole shift, I'd help people out, learn about things I didn't know (like printers, I don't print anything ever so I didn't know much about the technology in em), took time to learn how to work the machines in our copy center, etc etc. You trying to say that because Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college or something, and they certainly would take an interest in it.
  11. Rather by the people who love freedom by Vitus+Wagner · · Score: 3, Insightful

    Since the DMCA passed Congress, the USA is one of the most totalitarian states out there. Maybe even worse than China.

    Sklyarov was a victim of exactly the same illusion as you have - he thought that the USA is a free country, he came there and was put into jail for an action which does not constitute a crime at all under Russian law - publishing information about security flaws in eBook, and was done on Russian territory.

    Note that Alan Cox of the UK shares almost the same opinion - he refuses to go to USENIX because after the Sklyarov case he doesn't consider the USA a safe place for a programmer.

  12. Kinko's Security by stinkydog · · Score: 4, Insightful

    I have used a Kinkos machine in Columbus Ohio (near Ohio State) and here is what I found:

    1. Windows 2000 with the user logged in as poweruser or administrator.
    2. Pop up software installed (unknown spyware).
    3. I could not find a USB port so I stood up and moved the PC and plugged it in in the back. No comment from staff.

    The only "security" I saw was protecting the billing app.

    SD

    --
    “Who knew something as harmless as willful ignorance could end up having real consequences?”
  13. Re:Some help, but not 100% effective by Anonymous Coward · · Score: 3, Insightful
    And it's great that you have the option of only using your own computer. Many people do not.

    For a lot of people, places like public libraries are their only Internet access. They have to use them to file unemployment claims, check their email, apply for student financial aid, look up medical information, apply for jobs... You get the idea.

    In such cases, people essentially have to trust the security and/or take as much evasive action as possible.

    The best way to handle this? Educating people how to use computers and how to be the most secure. Of course, if the general populace actually paid attention to signs explaining security procedures, that might help, but since a large portion of the populace can't seem to understand the usefulness of the print preview command in avoiding printing 3 billion excess pages, I'm not going to hold my breath.

    Whoops. That last sentence was a bit bitter, even if it was dead on.