A new "warning" about using Internet Cafes.
#21
Joined: Dec 2004
Posts: 47
Likes: 0
No surprises here! If it's sensitive, *don't* do it from a public computer or via a non-secure (wireless *or* wired) network. Use your bank's telephone banking system instead.
If you must log in to sensitive systems in public, minimize your exposure by:
- Limiting the number of uses
- Explicitly logging off each service when you are finished
- Clearing the history and the cache (where possible)
- Selecting made-up user names (where you are allowed to choose a user name) and strong, hard-to-guess passwords
- Segregating the services you use (for example, creating a Yahoo e-mail account that's separate from your main e-mail account, or deciding to access only one of your banks online)
Years ago I had an argument with one of the major U.S. banks. I didn't want to use my Social Security number as my user name for their fancy new online banking system. The bank insisted that there was no security risk, because the Web site used encryption. But the bank's security "experts" hadn't thought about keystroke logging programs, which capture everything you type at the keyboard. A few months ago the bank finally made Social Security numbers optional and let customers make up their own user names.
Paul Marcelin-Sampson
Santa Cruz, California, USA
#22
Joined: Jan 2003
Posts: 25
Likes: 0
Perhaps this specific example has been mentioned (if so, please forgive me for being redundant) but last week while in the Netherlands I used a "mom and pop" internet cafe to book hotel reservations on Expedia. After closing the window, I decided to go back into the Expedia site to check something else. As you might have guessed, my user name and password popped up after I typed the first letter of my user name. I deleted it from the drop-down window and afterwards went into Internet Options to purge the cookies, internet and history files. I went back to the site and thankfully it did not reappear. I'm glad that I don't use the option of saving my credit card number with Expedia for convenience purposes. At the EasyInternet Cafe, they shut down and reload the system after someone completes a session (provided the user shuts down the system as they are supposed to). It was a good learning experience, to be sure. I just hope that there will not be any further ramifications.
#24
Joined: May 2003
Posts: 190
Likes: 0
This is the very reason that you need internet banking with proper security. My solution works like this: To be able to use the bank I need a Bank certificate (general) and a Personal Certificate. To download the personal certificate you need to enter your social security number (or personal ID number as we have in Norway), your pin code AND a randomly generated security code that is sent to me on my cell phone as SMS. This will let me create a single use certificate and let me log in. So when I then close down the browser the personal certificate is useless, and you need my cellphone to be able to access it assuming there was a key logger on that machine. Of course the bank uses encryption between the machine and you, that's what those certificates are for.
It's not foolproof but it's good enough that I've got a VERY strong case against the bank should anyone manage to get money out of the account.
People that complain about unencrypted wireless access, do you scramble the data that goes through the standard network cable as well?
As long as the site you are connecting to uses decent encryption, if anyone sniffs out the data from your wireless data they are still getting encrypted data; that's the entire point of transmitting encrypted data. Of course your login at fodors and other message boards is usually not encrypted, so THAT kind of data is in the open when you use wireless unencrypted. Though as a last comment on wireless encryption, there are easy-to-use utilities that let you decrypt that on the fly, so that security is only to filter out the morons. After all, you assume the people running the Internet cafe know their stuff, so if they want to they can install all sorts of "interesting" things, including keyloggers.
So to summarise, if your banking does not use a system for generating single use passwords, do not use them in internet cafes, and ask your bank to implement them. (My GF/wife's bank uses a calculator-like device to generate those codes, after typing in a PIN). And for non-essential stuff, log out, clear cookies, then close the browser and go to the website and see if you are remembered.
Sindre
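As an added illustration of the single-use codes Sindre describes (example code written for this thread, not from the forum or any bank): an HMAC-based one-time password in the style of RFC 4226, with a verifier that accepts each code only once, so a code captured by a keylogger is useless once the legitimate login has used it. The secret, the counter window and the TokenVerifier class are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Hypothetical demonstration of single-use login codes (HOTP, RFC 4226).
# Not any bank's real scheme; the key below is the RFC's published test key.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for the given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: every code is accepted at most once. A code typed on a
    keylogged cafe PC cannot be replayed after the genuine login used it."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.next_counter = 0   # lowest counter value still accepted
        self.window = window    # tolerance for the token drifting ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # burn this and all earlier codes
                return True
        return False


def demo():
    """Returns (first code, genuine login ok, replay ok, next code ok)."""
    secret = b"12345678901234567890"        # RFC 4226 test-vector key (demo)
    server = TokenVerifier(secret)
    first = hotp(secret, 0)                 # what the device showed at login
    genuine = server.verify(first)          # legitimate user logs in: True
    replay = server.verify(first)           # keylogged code replayed: False
    following = server.verify(hotp(secret, 1))  # next code still valid: True
    return first, genuine, replay, following


if __name__ == "__main__":
    print(demo())
```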