Kinko's Spy Case Illustrates Public Terminal Risk
tealwarrior writes "CNN reports in this
story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there's even sneakier things than just stealing one's cookies.
I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.
Two wrongs don't make a right, but three lefts do.
This is why some banks do not request full information for login.
For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:
Three digits from your four digit online PIN (in a random order, like second, first, fourth).
Three characters from your password, again a random selection in a random order.
While it initially irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.
It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.
rm -rf / is the evil of all root
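The partial-credential login scheme described in the comment above, written out as an added example (not NatWest's code, and not from the original post): the server picks a random subset of PIN and password positions in random order, verifies only those characters, makes each challenge single-use so a captured answer cannot be replayed, and locks the account after several wrong attempts. The `positions_exposed` helper models the comment's point about how many observed sessions a keystroke logger would need. The secrets, the `PartialCredentialVerifier` class and the lockout threshold are assumptions of this example.

```python
"""Partial-credential (challenge-subset) login check.

Constructed example: the server holds the full secret and asks for a
random subset of positions on each login. Because it must compare
individual characters, the secret cannot be stored as a one-way hash;
real deployments keep it reversibly encrypted in a hardened store.
"""
import hmac
import random
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold


@dataclass(frozen=True)
class Challenge:
    challenge_id: int
    pin_positions: tuple       # 1-indexed positions into the PIN, in asked order
    password_positions: tuple  # 1-indexed positions into the password, in asked order


class PartialCredentialVerifier:
    def __init__(self, pin, password, pin_asked=3, password_asked=3,
                 max_failures=MAX_FAILED_ATTEMPTS, rng=None):
        if pin_asked > len(pin) or password_asked > len(password):
            raise ValueError("cannot ask for more positions than the secret has")
        self._pin = pin
        self._password = password
        self._pin_asked = pin_asked
        self._password_asked = password_asked
        self._max_failures = max_failures
        # SystemRandom draws from the OS CSPRNG; a seeded Random is injectable for tests.
        self._rng = rng or random.SystemRandom()
        self._failed = 0
        self.locked = False
        self._next_id = 0
        self._outstanding = {}  # challenge_id -> Challenge, removed once answered

    def new_challenge(self):
        """Pick distinct random positions, in random order, for both secrets."""
        if self.locked:
            raise PermissionError("account locked")
        pin_pos = tuple(self._rng.sample(range(1, len(self._pin) + 1), self._pin_asked))
        pw_pos = tuple(self._rng.sample(range(1, len(self._password) + 1), self._password_asked))
        self._next_id += 1
        ch = Challenge(self._next_id, pin_pos, pw_pos)
        self._outstanding[ch.challenge_id] = ch
        return ch

    @staticmethod
    def _pick(secret, positions):
        return "".join(secret[p - 1] for p in positions)

    def verify(self, challenge, pin_answer, password_answer):
        """Return True only for a correct answer to a still-outstanding challenge."""
        if self.locked:
            return False
        # Single use: a replayed (already answered) challenge can never succeed.
        if self._outstanding.pop(challenge.challenge_id, None) != challenge:
            return False
        expected = (self._pick(self._pin, challenge.pin_positions) + "|"
                    + self._pick(self._password, challenge.password_positions))
        supplied = pin_answer + "|" + password_answer
        # Constant-time comparison so timing does not leak which character was wrong.
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        if ok:
            self._failed = 0
        else:
            self._failed += 1
            if self._failed >= self._max_failures:
                self.locked = True
        return ok


def positions_exposed(challenges):
    """Count distinct (PIN, password) positions revealed across observed sessions.

    This is what a keystroke logger on the terminal would have learned after
    watching the given logins; the secrets are only fully known once every
    position has been asked at least once.
    """
    pin, pw = set(), set()
    for ch in challenges:
        pin.update(ch.pin_positions)
        pw.update(ch.password_positions)
    return len(pin), len(pw)


if __name__ == "__main__":
    # Constructed secrets for the demo; never hard-code real ones.
    v = PartialCredentialVerifier("4821", "correct horse")
    ch = v.new_challenge()
    print("asked PIN positions", ch.pin_positions, "password positions", ch.password_positions)
    answer_pin = "".join("4821"[p - 1] for p in ch.pin_positions)
    answer_pw = "".join("correct horse"[p - 1] for p in ch.password_positions)
    print("login ok:", v.verify(ch, answer_pin, answer_pw))
    print("replay ok:", v.verify(ch, answer_pin, answer_pw))
```

The design trades one weakness for another: it blunts a single keystroke capture, but the stored secret must be recoverable by the server, and the per-character check still has to be constant-time and rate-limited, which is why the lockout counter and `hmac.compare_digest` are part of the check rather than afterthoughts.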
One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the optical drive. It was a 256 MB, 5¼" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.
Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.
They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...
Why is it the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, I was paid 6.25 an hour, and I did a pretty damn good job, I might say. I didn't mope around my whole shift, I'd help people out, learn about things I didn't know (like printers; I don't print anything ever, so I didn't know much about the technology in 'em), took time to learn how to work the machines in our copy center, etc. etc. You're trying to say that because Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college or something, and they certainly would take an interest in it.