Slashdot Mirror
Protecting Your Personal Info While Traveling?
AdEbh asks: "I was just listening an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be what advice should I give them? Is this a real concern?"
If I am forced to use a public terminal I like to check the tasks that are running in the background, to see if there is anything suspicious. It has saved me a few times, of course not all kiosks will let you use that command.
[n8.r0n] http://petesweb.spymac.net/
I am becoming increasingly paranoid about typing passwords in public terminals... I am even reluctant to type my password in a friend's computer... Generally avoid typing your password for anything you don't need while at a public terminal, and if you're REALLY paranoid you could have it written in a file in a USB keychain and pasted (keyloggers don't log pasting, do they?).
Send email from the afterlife! Write your e-will at Dead Man's Switch.
You wouldnt give your credit card # to someone over the phone in a public place.
You dont throw away check stubs without shredding them.
You dont give strangers your home address.
I guess I dont understand how people can not connect the dots.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
If you want to keep in touch with friends and family during travel, create an email address with one of the many free webmail services available.
Then use only this adress while traveling, and only for casual messages, nothing important. Specify to your correspondants that this adress is temporary, and subject to be "stolen", so they should be suspicious regarding messages coming from it.
But in order to log into your e-mail account, you would need to supply your password. One way to get round this is to type the first few letters of the password, switch to an other app, type some gibberish, and then switch back to your web-browser / telnet-session (doing more switching if you're feeling insecure). If this is one of those hardware devices that sit between the PC and the keyboard, it cannot know what belongs where, but there might be some software out there that can detect app-switching and record kepresses on a per-app basis.
If you want to access your email remotely, and you want to be sure it won't be hacked, bring your own computer. Otherwise, just accept the risk that your password will be sniffed, and change your password when you get home.
Ideally, you should change your password before you leave, and then change it back when you get home, because if you're like most people there are lots of things online for which you use the same password.
Oh, and if you need to do any kind of transactions _other_ than email while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.
When you are on a public terminal you can type in your username and/or password by typing in the last half of it then use your mouse and go the front of the text box and type in the 1st half. It's not full proof but at least someone won't have your password in plain view in front of them.
:wq
While in Hawaii on vacation last September I prepaid for an hour of web cafe time. After answering all my emails and checking what news I felt like reading, I still had a good chunk of time left over and my GF was still in the same strip mall shopping. I decided it might be interesting to download and install ad-aware. (They were old windows 98 machines, so there was absolutely NO security.) In the 15 minutes or so I hung around watching and chatting with the clerk running the place, ad-aware ticked off over 2,000 spyware items found, and it wasn't anywhere near done!
If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.
Try and find a bank that requires one-time passwords. I don't know how common such systems are internationally, but over here in the Netherlands, it's pretty much standard.
My own bank provides its users with a small calculator that, when unlocked with your PIN, will also generate one-time login numbers. For extra security every transaction requires an extra one-time number keyed to that particular transaction (so highjacking the connection after the login is provided is mostly harmless).
I'm sure it's still not 100% safe, but crackers will definitely have to work for their money.
Don't worry about hardware keyloggers. They cost more than software loggers, so they won't be there. Cops and spooks break in to install them on dissidents' machines; they are probably very rare otherwise. Just bring along an Ubuntu LiveCD, and boot from it. If you can't do that, and you can arrange to produce your own web site, have web-page javascript password-entry scheme that uses just the mouse, unrepeatably. (That is, each time the page is (re-)loaded the buttons appear in different places on the screen.) Or, bring along a USB key with a pile of temporary-use private keys in it, and a copy of ssh configured to use only those key files. Be sure to delete the corresponding public key after each use. Even if they log keystrokes they won't copy the entire contents of every USB key plugged in; and it doesn't matter so much if they do, anyway.
not to use the public machines for any financial or private communications.
;)
:)
Agreed. When I travel what I do is change my password on all my accounts to one which I will throw away when I return home. Yes, there's still a risk of abuse, but the window is hopefully small enough if you're only gone for a few weeks that it won't be a problem.
What I also do is forward all my email accounts to a throw-away Gmail account. Again, so I can read and respond to email but not be concerned someone could try and break into my box. It also means I'll avoid at all costs trying to ssh into my machine.
The final really geeky thing I sometimes do is setup an almost honeypot box. A machine that I can ssh into with a throw-away password that is on an isolated network. I then place an ssh key somewhere on this box and use it to ssh to one of my other boxes if needed. This way the only password I will type will be to this honeypot box, not to the actual machine I need access to (being a sysadmin, sometimes you need to pop in to a machine while away, but I'll never 'su' - I'll ask whoever is covering for me to actually do that 'work'). Again one great advantage of this is you can then just erase the key from that honeypot box, so even if the keylogging person is somewhat techno-savvy, they can't get access to that key. If you hide about 3 keys on the machine, you can do this use/erase method 3 times over your trip.
And I know others will probably suggest an ssh-key on a usb key, another very good idea - as long as you're going somewhere that has a high enough level of computing to be able to use this method. Most of my trips have been to the developing world, where machines are still running win98. USB keys don't exactly work too well on those machines, if they even have USB slots.
The key takeaway message is - use a one-time password and create a throw-away email account for communication. And I agree, no banking! Leave your online banking info with someone at home and email them to do it for you. Nothing wrong with being a little paranoid.
I've heard that some European banks do one-time passwords - you just print out a sheet and bring it with you. This would be the ideal solution if you don't care about privacy, but of course if, like me, you live in the U.S., you probably don't have this option.
Nobody has mentioned the simple way to limit your losses. Open a travel account at another bank. Set up automatic weekly transfers. Use it for gas and such. My travel account gets $200/week. If it gets hit, I contact my bank. My potential loss is very limited. The checking account is not backed up with overdraft protection. Keep track of your balance and use the bank ATM whenever possible. The rest of the bills are set up from the primary account at another bank with auto payments. If the electric is a little off one month, it can be adjsted upon my return. They are happy to receive a regular payment even if it is a little over or under. Let them know what's up. They are very good working with you to get paid.
The truth shall set you free!