Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there's even sneakier things than just stealing one's cookies.

Out-of-order username & password entry

[G4from128k]

I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.

Stupid users, Stupid Kinkos

[jsailor]

You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)

Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinkos to do as well. If you've been to a Kinkos in NY, you would know that the copy specialists in the stores are not maintaining the machines.

Am I the only one not surprised?

[xThinkx]

I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, kinkos, office max, internet cafes, etc; and think that a keystroke logger could be infinitely damaging.

Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a rediculous idea. I know this is beating a dead horse, but, do we let people drive a car or fly a plane without a license? Before you jump on my case I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some for education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKOS!.

I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it

Re:Am I the only one not surprised?

[xpulsar87x]

Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

Why is it that the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, i was paid 6.25 an hour, and I did a pretty damn good job I might say. I didn't mope around my whole shift, I'd help people out, learn about things i didn't know (like printers, i don't print anyhting ever so i didn't know much about the technology in em), took time to learn how do work the machines in our copy center, etc etc. You trying to say that becuase Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college something, and they certainly would take an interest in it.

Some help, but not 100% effective

As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."

The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"

"Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.

Passwords are an obsolete form of authentication

[Dratman]

Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from ebay and similar sites, which ask for passwords to be re-entered on a web site, illustrate that passwords are no longer an adequate form of security.

The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.

This is why some banks...

[xneilj]

This is why some banks do not request full information for login.

For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:

Three digits from your four digit online PIN (in a random order, like second, first, fourth).

Three characters from your password, again a random selection in a random order.

While it initally irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.

It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to do repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.

Comment removed

[account_deleted]

Comment removed based on user account deletion

More info on this case

[dki]

...can be found at SecurityFocus.

Bring your own OS?

[dschuetz]

One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.

Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access sytem (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.

They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...

easy everything solution

[straybullets]

last time i went to an easyeverything cybercafe i noticed that on logout the pc would reboot and re-install a fresh image of the whole os on the disk. I think it got the image from the network but i can't recall what soft they used to do it (it had a strange name)...

Of course it takes some more time on rush hour (like 10-20mn) but they have lots of pc so ...

and also, too bad for installing key loggers then ..

From a Kinko's employee

[catfishmonkey]

I'm a manager at Kinko's.
You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc.. are left every day.
Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".

What a world.