A new "warning" about using Internet Cafes.
Here's something most of us probably never think about. As you are aware, most computers "remember" you and the sites you visit.
I used an internet cafe one day in a busy little place in Montepulciano. I wanted to access my online banking. Well, imagine my surprise when I typed in www.bankofamerica.com, and the page opened up revealing someone's checking account. There before me was all their personal information including the checks they had written and the deposits. Now I know that normally those sessions automatically close after 10 minutes or so, so I suspect this was the record from the person right before me who happened to have visited that site.
Also in Paris I used Access Academy almost daily for a week. I usually accessed this site while there. So again, imagine my surprise when one day I typed into a computer www.fodors.com and when I got it, I was automatically at the Europe board and was already logged in as Patrick! Seems it was the same computer I had used several days before and I had not logged off Fodors, but just logged off the computer. So anybody using that computer could have been entering posts under my name. (Well, worse things could happen I suppose, but it was quite an eye-opener).
The bottom line? Always make sure you log off each site, don't just log off the computer. |
I'll even attempt to drop down Tools and try to delete 'cookies', 'files', and 'history'. I've been in some places that didn't have this blocked.
And 'logoff' as you suggest. |
All good advice. I guess I just try not to access anything sensitive -- I don't do internet banking in an internet cafe, for example. My worst offense is probably forgetting to log off various websites. I guess if my body double starts posting as 111op it's not the end of the world. :-)
|
111op: When you're gone for 3 to 5 months at a time, online banking and checking your credit card statements on line becomes a normal part of life! Don't know how I managed before!
|
Access Academy in the 6th is a great internet cafe though: clean, easy to use, lots of machines, vending machine, clean restrooms, etc.
|
That could definitely be a problem. I'm never really gone for more than a week. I do check my accounts at work, as I assume that work computers can't be vulnerable to attacks (it could be a wrong assumption, of course).
I actually bank with Citibank and am sometimes obsessive enough to insist on taking cash out from a Citibank ATM. The ATMs all basically look alike, so I get to check on my accounts as well (not that there's much to check :-) ). A few years ago, I had an interesting adventure taking the subway out to Prague's Citibank branch. Upon arrival, I discovered that it would only allow commercial banking. At least I saw a part of Prague I'd never have seen. :-) I wonder if Prague now has Citibank ATMs in the city center. |
One of the reasons I like the EasyEverything Cafes. When your session is done they actually re-load the entire Windows operating system on the PC before someone else uses it. This way all your cookies, the sites you visited, everything is erased.
Well, they did the last time I checked about a year ago. |
Interesting. I didn't know about that.
But I love the way they charge based on how busy the cafe is at the moment. And they've always seemed quite cheap to me. |
Patrick, this is a very good warning to people. My husband and I are both privacy freaks and he works in the internet world... so he knows all the "worst case scenario" situations with online banking.
One thing he mentioned last night when I asked if we would check our online banking while travelling, he said probably not unless we use a friend or family's laptop. He did say that people can install trojan horse programs on the internet cafe computers that track keystrokes, so there's a theoretical risk someone could go in after you leave and get that information including your password. Just wanted to add it to this post. At the very least, though, logging off is essential and if you're savvy enough with a mac or PC you should be able to figure out how to delete the cookies and history. |
Thank you for the warning.
|
Good topic and good thing to remind people of. Please, allow me to pontificate profusely... ahem. The computers in internet cafes are not secure. Period. Free wi-fi access points are only marginally better.
Yes, people can and do install key loggers on public pc's, just as skatterfly said. It's actually very easy to do. If someone has, it doesn't matter if you log into a "secure site" or not. Every keystroke you've pressed, including your bank account password, would be recorded for later playback. Deleting cookies would make no difference.
In cases where people bring their own laptop, but choose to connect in where wireless access is free, they're taking their chances. Free wireless usually requires that you disable all encryption with the host network. This means the guy next to you could be "sniffing" everything you type.
Sound paranoid and far-fetched? It's all just odds - like pickpockets and such. I'm not one to worry that much. I'll actually send my CC number in a single email. I'd check my hotmail account from a public PC. What, they might read all my spam? But I wouldn't do banking from an unsecured location. At the very least, make sure to use a PC that has no floppy drive, no CD drive and no active USB ports. That would have made it harder for a person off the street to install anything.
Still think I'm over the top? Wagamama - the London noodle chain. I think it was last year when local geeks with laptops discovered that the little handheld devices that staff use to ring your credit card were wireless - and not encrypted back to the little hub behind the counter. These guys sat there in the shop, slurping their noodles, "working" at their laptops. Working on recording every credit card number swiped through the store's handhelds. You hear these little stories (and you even know people like those guys) when you've been in IT and dealing with IT security issues as long as I have. Weird stuff, but a lot more common than you might think. |
Oh, but the deleting cookies suggestion is a good one. Didn't mean to say that it wasn't. It would keep the average user from stumbling upon your private info and being tempted. |
That's why you always have to make sure that you "log off" after you finish your transaction. Don't just go off the page, if you log off, access to the previous page shouldn't be available. Try it at home on your own computer.
|
So what do you do if you are traveling for several months and need to pay bills online? Sometimes you have no internet access except at a public location.
|
Well, I guess everyone needs to decide the risks they want to take for themselves. If I were going for several months (no time soon, I assure you. People have been trying to re-arrange my few weeks from the moment we bought our tickets) I'd do one of two things. Bring my laptop and only use by plugging into either a hotel network, dial-up from the room or PAID wi-fi access somewhere that an encryption key is supplied with my payment. OR I'd occasionally book into a hotel that had a business center with internet access for guests. That's just my feelings on it though. |
oh, forgot. Mostly I'd setup pre-pay where I could though. A lot of our stuff is setup to auto-pay on a schedule. We can move money back and forth from account to account through an automated phone system at our bank. I'd likely setup the static amounts as auto-payments (basically electronic check releases) and the variables, like utilities, as an amount greater than average and just have a credit balance on return. At least that's what I think I'd do. :) |
What I will do if I log onto my internet banking site from an internet café is to open Notepad, type in a series of numbers, in which my bank card number is embedded somewhere, and then copy and paste the number into the login window. This defeats anyone trying to capture keystrokes, because he won't know where my bank card number is in this series of numbers. You can even make it more challenging by breaking your card number into chunks among the other numbers.. say your card number is 72837461 (a short one).. so if you typed 782728346197461 in Notepad, you could copy and paste the first part (7283) and then the second (7461) out of this jumble of numbers.
|
I decided as my sister had known me for 48 years I could trust her to do my internet banking for me. I had an account that I used solely for my travels, and bought as much as I could on credit card. I gave her my access numbers to internet banking and she regularly "topped" up my travelling fund account when it got below an agreed amount from one of my other accounts. Of course you have to trust the person you give the task to, but if you can't trust your sister who can you trust??? Worked fine, we were in touch via email and phone every few days anyway. I was away just over 3 months and used the ATM everywhere to get cash.
|
BOA explained to me that this is why they provide a toll free phone number and also allow you to call them collect when you are internationally traveling.
They told me I can do my banking with them on the phone instead of by computer. Now I know you can tap into the phone also but it seems a little more secure, right? |
With Google's recent introduction of "Google Desktop Search", it unintentionally is another means whereby unscrupulous people could monitor your activities on a public computer.
Desktop Search is a WONDERFUL tool to run on your own private PC -- it works similar to Google internet search. BUT depending on its settings, it keeps a cached (and semi-hidden) copy of EVERY email you write and every web page (including "secure" web pages) you visit. Someone could come along later and Google Desktop Search for every occurrence of the phrase "password" on web pages visited. These cached copies of websites persist within the Desktop Google EVEN if you clear all cookies and history from within Windows. |
No surprises here! If it's sensitive, *don't* do it from a public computer or via a non-secure (wireless *or* wired) network. Use your bank's telephone banking system instead.
If you must log in to sensitive systems in public, minimize your exposure by:
- Limiting the number of uses
- Explicitly logging off each service when you are finished
- Clearing the history and the cache (where possible)
- Selecting made-up user names (where you are allowed to choose a user name) and strong, hard-to-guess passwords
- Segregating the services you use (for example, creating a Yahoo e-mail account that's separate from your main e-mail account, or deciding to access only one of your banks online)
Years ago I had an argument with one of the major U.S. banks. I didn't want to use my Social Security number as my user name for their fancy new online banking system. The bank insisted that there was no security risk, because the Web site used encryption. But the bank's security "experts" hadn't thought about keystroke logging programs, which capture everything you type at the keyboard. A few months ago the bank finally made Social Security numbers optional and let customers make up their own user names.
Paul Marcelin-Sampson
Santa Cruz, California, USA |
Perhaps this specific example has been mentioned (if so, please forgive me for being redundant) but last week while in the Netherlands I used a "mom and pop" internet cafe to book hotel reservations on Expedia. After closing the window, I decided to go back into the Expedia site to check something else. As you might have guessed, my user name and password popped up after I typed the first letter of my user name. I deleted it from the drop down window and afterwards went into Internet Options to purge the cookies, internet and history files. I went back to the site and thankfully it did not reappear. I'm glad that I don't use the option of saving my credit card number with Expedia for convenience purposes. At the EasyInternet Cafe, they shut down and reload the system after someone completes a session (provided the user shuts down the system as they are supposed to). It was a good learning experience, to be sure. I just hope that there will not be any further ramifications.
|
Interesting thread as a daughter who is in charge of security for a court system has told me the same thing. But always good to read others' experience.
|
This is the very reason that you need internet banking with proper security. My solution works like this: To be able to use the bank I need a Bank certificate (general) and a Personal Certificate. To download the personal certificate you need to enter your social security number (or personal ID number as we have in Norway), your pin code AND a randomly generated security code that is sent to me on my cell phone as SMS. This will let me create a single use certificate and let me log in. So when I then close down the browser the personal certificate is useless, and you need my cellphone to be able to access it assuming there was a key logger on that machine. Of course the bank uses encryption between the machine and you, that's what those certificates are for.
It's not foolproof but it's good enough that I've got a VERY strong case against the bank should anyone manage to get money out of the account.
People that complain about unencrypted wireless access, do you scramble the data that goes through the standard network cable as well ?? As long as the site you are connecting to uses decent encryption, if anyone sniffs out the data from your wireless data they are still getting encrypted data, that's the entire point of transmitting encrypted data. Of course your login at fodors and other message boards is usually not encrypted so THAT kind of data is in the open when you use wireless unencrypted. Though as a last comment on wireless encryption, there are easy-to-use utilities that let you decrypt that on the fly, so that security is only to filter out the morons. After all you assume the persons running the Internet cafe know their stuff, so if they want to they can install all sorts of "interesting" things, including keyloggers.
So to summarise, if your banking does not use a system for generating single use passwords do not use them on internet cafes, and ask your bank to implement them. (My GF/wife's bank uses a calculatorlike device to generate those codes, after typing in a PIN). And for non-essential stuff, log out, clear cookies and then close browser and go to the website and see if you are remembered.
Sindre |