Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there's even sneakier things than just stealing one's cookies.

is this viable for a class-action lawsuit?

[squarefish]

I used a NYC Kinko's during H2K2 last year on 7th Ave. I've been unable to find it now due to dilution of the story, but I found on online article the other day that said this had actually gone on for two years and that the person that discovered it had used a computer at one of their stores on 7th Ave, but they have two. I used the one at 500 N. 7th, store # 0961

I called their customer support line on Wednesday as soon as I saw this article, and they said they didn't know anything about it- the person I spoke to called me back and said that their corporate office would get back to me by the end of the day.... I'm still waiting.

I called the store directly last night and the manager, sounding like he was lying through his teeth, told me that they were absolutely not one of the stores.

So, I've very interested in knowing if this has class-action lawsuit potential since Kinko's was prosecuting this case and obviously had no intentions of notifying their customers of the risk they were at while using their store. If there is an existing lawsuit, how do I find it? Thanks!!!!

Stupid users, Stupid Kinkos

[jsailor]

You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)

Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinkos to do as well. If you've been to a Kinkos in NY, you would know that the copy specialists in the stores are not maintaining the machines.

Virutal keyboards

[bogado]

Banks in brasil are using virtual keyboards, they are a numeric pad that apear in the screen with the numbers in a random order and/or in a random position. You must then click the password with a mouse. Of course if you own the machine you can save the HTML and mouse clicks to analise it latter, but it makes the life of keyloggers harder.

Am I the only one not surprised?

[xThinkx]

I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, kinkos, office max, internet cafes, etc; and think that a keystroke logger could be infinitely damaging.

Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a rediculous idea. I know this is beating a dead horse, but, do we let people drive a car or fly a plane without a license? Before you jump on my case I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some for education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKOS!.

I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it

Sloppy.

[MImeKillEr]

When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.

Whoever was doing support for Kinko's didn't do their job.

Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?

Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.

Passwords are an obsolete form of authentication

[Dratman]

Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from ebay and similar sites, which ask for passwords to be re-entered on a web site, illustrate that passwords are no longer an adequate form of security.

The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.

Re:What do people expect?

[squaretorus]

99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal

Are you sure? I've been sitting on a train as a guy opposite sat with his card on the table shouting the numbers into his mobile phone (he was ordering flowers for his wife - anniversary - £100 bunch - no ribbon - she hates ribbon - thinks its a waste - and nothing with those really thick stems - she always complains about those too - and just put 'hey' on the card - yes - just 'hey') gave his address for delivery, his postcode, his home and mobile numbers and his wifes name (Ruth - kind of old fashioned a name I thought) and a few other bits. Practically enough to get a passport with!

Maybe he was the 1%. So far as I could tell I was the only one logging all this info into a palm at the time tho - so no harm done!

easy everything solution

[straybullets]

last time i went to an easyeverything cybercafe i noticed that on logout the pc would reboot and re-install a fresh image of the whole os on the disk. I think it got the image from the network but i can't recall what soft they used to do it (it had a strange name)...

Of course it takes some more time on rush hour (like 10-20mn) but they have lots of pc so ...

and also, too bad for installing key loggers then ..

From a Kinko's employee

[catfishmonkey]

I'm a manager at Kinko's.
You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc.. are left every day.
Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".

What a world.

Re:I am typing this now from a Kinkos

[BitchHead]

I worked at a Kinko's as a second job for a brief stint, and while I'll agree with you on the wages, I can't say as much for the training that most employees receive. The general guidelines that are given to employees are that the self-serve machines are just that: Self-serve. Don't spend a lot of time trying to explain things on the machines. If someone wants a job done, and can't figure it out on the self-serve machines, they can get it done behind the counter. The same rule holds true for the computers. It's part of the self-serve area. Help people only to the extent of not being discourteous, but the copy associates are not there to tell people how to work their email or perform tasks on Photoshop.
The majority of the training goes into learning how to work the supplementary process machines (folders, tape and coil binders, bookletizers, etc.) because those are the large batch jobs that bring in the most money. Very few employees, depending on the location and the shift, will actually know how to set up specialized features on the large DocuCenter machines. Day shifters and second shifters will typically run the small batch jobs that need to get out that day, and leave the rest of the work for the night shift. If you want the job done right, bring it there at 3am for a morning pickup. The night shift is usually only 2 people, many times just one (as was the case when it was my shift) and they need to know how to work everything in the shop.
The computers, however, are not upkept by the individual branch employees. There are regional network engineers who do the initial installation at a branch. After that, there is a Kinko's central hub help desk to take care of any questions that the manager/employees have, and a central station for remote administration of branch networks for a region. The managers are expected to be able to follow a colour coded wall chart in the network closet if they want to move equipment or add machines. Ours was an absolute nightmare. Serious technicolour spaghetti, and totally misconnected according to the wall chart. The managers and employees receive zero training on any network essentials, so don't expect them to know anything about security measures. The manager at the branch I worked at couldn't tell you the difference between a keystroke logger and a timber logger.