Be Careful With Your Password Away From Home
March 8, 2008 – 4:14 PM
The US Federal Deposit Insurance Corporation (FDIC) is asking banks to warn their customers against logging into their accounts on public machines. Many computers used for public internet access have surveillance spyware installed on them. The spyware might take screenshots, record keystrokes and monitor web addresses visited, then send all of that data to the person who installed the spyware on the machine. This is no theoretical problem. It has happened before.
I think the safest thing to do is to assume that someone IS watching your net traffic when you are on a public machine, whether they really are or not. Assume that someone is peeking and don’t give them anything valuable to peek at. I wouldn’t even log into a Hotmail account from a public computer, much less a bank. Logging into a bank or into Paypal or anything that controls money is something you should never do from a public computer. Ever.
If you are traveling and have no other way to check your email, a public machine in an internet cafe might be your only option. There are a few steps that you can take to make that a little safer, though it still is not “safe”. Before doing anything else, go into the options of the browser to disable autocomplete. In Internet Explorer, go to the Tools > Internet Options > Content tab and disable all autocomplete options there. In Firefox, go to Tools > Options > Privacy. In Opera 8 or above, go to Tools > Preferences > Wand.
Now you need to verify that it has actually stopped recording autocomplete information. Go to your email site and try to log in with a fake password. If it offers to save the password, something wasn’t done correctly. If it doesn’t offer to save the password, close the browser and then go right back to the site. If it has saved the previous fake password you used, something wasn’t done correctly. Go back and try to turn off autocomplete again. If it continues to save the password no matter what you do, do not use that machine.
Next, you can check for spyware. You may or may not be able to install programs or access a floppy or CD drive on the computer. Chances are, you can’t. Go to SpywareInfo’s online scanning page instead. That uses an ActiveX version of X-Cleaner which will do a scan for spyware and adware. Since it is ActiveX, it will work only with Internet Explorer. If the computer is using a different browser, try the online scanner at Trend Micro Europe.
If it finds spyware, you may not be able to remove it, depending on what has been done to the computer, so don’t try. You may not be able to reboot a public computer anyway. If the scanner does report spyware, either move on to another machine or just go elsewhere. Be sure to report the problem to the manager of whatever business is providing the computer if possible.
If it doesn’t find any spyware and you have successfully disabled autocomplete – and you are certain that you really want to log into an account from there – then go ahead and log in. If it has an option such as “this is a public machine” or “save your password on this machine” or similar, make sure you take the option of not saving the password. Afterward, close the browser window, then go into options again and delete all temporary files, as well as all cookies. Then go right back to the site you just used and make certain it doesn’t log into your account automatically.
Don’t assume that you are safe even if you are using your own laptop. For one thing, you are using a strange network and who knows what may be monitoring that network. For another, you can never know if the person in the next room or parked outside is sniffing at your wi-fi signal.
Once you return home to your own PC (which hopefully is spyware-free), you might want to change the password at any site you logged into while traveling. If all of this sounds a little paranoid, just remember, it’s not paranoia if someone really is watching.