Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Kinko's Spy Case Illustrates Public Terminal Risk 383

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there's even sneakier things than just stealing one's cookies.
This discussion has been archived. No new comments can be posted.

Kinko's Spy Case Illustrates Public Terminal Risk

Comments Filter:
  • by jkrise ( 535370 ) on Friday July 25, 2003 @06:52AM (#6530614) Journal
    Sometime back, Passport passwords were hacked: Muhammed from Pakistan.

    Adobe's eBook reader was cracked : Skylarov.

    and now, Jiang.

    Why isn't it Rob or Pete or Chris, ever??

    -
  • by rat7307 ( 218353 ) on Friday July 25, 2003 @06:53AM (#6530617)
    For us non-US'ers:

    What is a Kinkos????

    Thanks!
    • I believe it's a photocopying/printing shop.

      Don't quote me on that though.
      • Native Japanese speakers new to the US *used* to think it was a bank (the word for bank in Japanese is "ginko"), so I'd have some fun screwing with them, taking them to Kinko's and telling them to ask to open an account. But now they have Kinko's in Japan so that little joke doesn't work anymore.
      • by mblase ( 200735 ) on Friday July 25, 2003 @07:35AM (#6530832)
        Kinko's stores are ridiculously popular in the US, especially near colleges and universities. Photocopies and printing, many are open 24 hours, and they offer computer terminals for rent with graphics and publishing apps already installed. They're so common now that they're practically an entry in the dictionary.
    • by lewiz ( 33370 )
      It's a good question, actually.

      Google finds quite a lot. My guess is it's http://www.kinkos.com/:

      Document Solutions - Done Right, Anytime, Anywhere

      Core Values

      1. Alignment and accountability: We accept responsibility for our actions. We make and support business decisions through experience and good judgment.
      2. Customer Service Excellence: We are dedicated to satisfying customer needs and honoring commitments that we have made to them.
      3. Teamwork: Our team is supportive of each other's effor
    • by volsung ( 378 )
      Photocopying, document printing, and some have public access Internet terminals (for a fee).
    • by skurk ( 78980 )
      What is a Kinkos????

      My first thought was like "Huh? Kino Kiosk?", because that's what it sounds like to me, but if you check out http://www.kinkos.com/ [kinkos.com] you can see that they offer a service where they print and ship documents (or photos) for you. Apparently they have a set of terminals around in the US where you may log on to, download and e-mail them your documents, and pay by credit card.
    • The short answer: It's a photocopy store.

      The better answer: It's like a business office you can rent by the hour.

      I think they started doing "just photocopying jobs," but they'll also print large glossy posters and other stuff too. They have basically offices for rent -- you can videoconference from a Kinkos, and you can use computers to access the Internet, etc.

  • by fadeaway ( 531137 ) * on Friday July 25, 2003 @06:55AM (#6530625)
    Why would anyone consider using public access points to access private/secure data? That's just asking for trouble.

    It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly.
    • by squaretorus ( 459130 ) on Friday July 25, 2003 @07:25AM (#6530767) Homepage Journal
      99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal

      Are you sure? I've been sitting on a train as a guy opposite sat with his card on the table shouting the numbers into his mobile phone (he was ordering flowers for his wife - anniversary - £100 bunch - no ribbon - she hates ribbon - thinks its a waste - and nothing with those really thick stems - she always complains about those too - and just put 'hey' on the card - yes - just 'hey') gave his address for delivery, his postcode, his home and mobile numbers and his wifes name (Ruth - kind of old fashioned a name I thought) and a few other bits. Practically enough to get a passport with!

      Maybe he was the 1%. So far as I could tell I was the only one logging all this info into a palm at the time tho - so no harm done!
    • An ATM is a public terminal.
    • "It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly."

      Banks should know better as well. Over here, banks are liable to some extend when a customer's online account is hacked or accessed illegaly. That is why all banks go to some lengths to prevent simple password sniffers to gain access to online banking services. They all use some sort of challenge-response system with a small device that turns the cha
  • by squarefish ( 561836 ) * on Friday July 25, 2003 @06:56AM (#6530628)
    I used a NYC Kinko's during H2K2 last year on 7th Ave. I've been unable to find it now due to dilution of the story, but I found on online article the other day that said this had actually gone on for two years and that the person that discovered it had used a computer at one of their stores on 7th Ave, but they have two. I used the one at 500 N. 7th, store # 0961

    I called their customer support line on Wednesday as soon as I saw this article, and they said they didn't know anything about it- the person I spoke to called me back and said that their corporate office would get back to me by the end of the day.... I'm still waiting.

    I called the store directly last night and the manager, sounding like he was lying through his teeth, told me that they were absolutely not one of the stores.

    So, I've very interested in knowing if this has class-action lawsuit potential since Kinko's was prosecuting this case and obviously had no intentions of notifying their customers of the risk they were at while using their store. If there is an existing lawsuit, how do I find it? Thanks!!!!
    • by Anonymous Coward
      yep, you went to the hacked store. Jiang says your password was "lutefisk" but fortunately you only used it to access nude pictures Cowboy Neal.
    • by Anonymous Coward
      I dunno, do you keep track of your finances? If you balance your checknook, occasionally check your credit rating (which shows open accounts), etc, you would have some clue whether or not you were affected.

      If you don't do the above, why should Kinko's clean up your mess for you?
  • by G4from128k ( 686170 ) on Friday July 25, 2003 @06:56AM (#6530629)
    I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.
    • I bet they're after you aren't they?
    • by Anonymous Coward on Friday July 25, 2003 @07:02AM (#6530666)
      As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."

      The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"

      "Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.
      • Magic Lantern (Score:3, Insightful)

        by Anonymous Coward

        An intelligent keylogger will only hook certain window classes

        It is rumored that the FBI's Magic Lantern key logger does just this, and has specific hooks for the password entry dialog of known `terrorist` applications like PGPdisk, BestCrypt, KGB, etc.

        You`re right that most key logging programs are stupid, though. The best way to detect a key logger is to go in Windows Explorer, do a search for files modified in the last day, then sort the list by modification date descending. Open any unusually named fil

        • by Anonymous Coward
          They could keep the log in RAM and then as long as the computer didn't crash but instead shut down normally, flush the buffer to dis.... ...oh it's a windows app hey. damn. kills that idea.
        • Re:Magic Lantern (Score:5, Insightful)

          by lfourrier ( 209630 ) on Friday July 25, 2003 @07:34AM (#6530827)
          After all, key loggers have to keep a log somewhere!
          but not necessarly on the PC.

          http://www.thinkgeek.com/gadgets/electronic/5a05 /
      • by Anonymous Coward
        And it's great that you have the option of only using your own computer. Many people do not.

        For a lot of people, places like public libraries are their only Internet access. They have to use them to file unemployment claims, check their email, apply for student financial aid, look up medical information, apply for jobs... You get the idea.

        In such cases, people essentially have to trust the security and/or take as much evasive action as possible.

        The best way to handle this? Educating people how to

    • by Anonymous Coward on Friday July 25, 2003 @07:04AM (#6530675)
      Curiously as you are using a mac-looking name, 2 of the most popular keystroke loggers for macs (when I used them, which was up until just before the OSX days) would take note of exactly this, and still get your password and your random typing as separate strings. I have no experience with PC loggers as I haven't investigated them since, I've learned to never trust a machine with details I couldn't afford to lose.

      I used to use this exact same technique, then tried it on a couple of loggers I suspected. Some coders have too much time on their hands
    • by jmichaelg ( 148257 ) on Friday July 25, 2003 @07:10AM (#6530703) Journal
      Under Windows, logging clicks isn't any harder than logging keystrokes. My macro program, mgSimplify [greenes.com] uses the same dll to keep track of both events.

      Instead of trying to be clever, you're probably better off not trusting a publically accessible computer.

    • Seeing you go to such great lengths to sidestep key-logging s/w; have you considered the enormous risks using Windooze PCs at kiosks? You .Net Passport Password - gateway to Hotmail is stored in plain text, it only gives you a false sense of security.

      Recently, you'd have read about the Passport Password reset bug - how can you be sure if it isn't secret any longer? The best thing, I guess, is to keep using the internet normally, at home, stay with Linux, Mozilla Firebird, stop the pop-ups and stay secure.
    • They'd have a still list of exactly the characters you use. That'd take all of 30 seconds to crack.
      You'd better just copy and paste the letters from around the page you're looking at. I mean if you're going for paranoid you might as well go all out.
    • Tinfoil Hat Linux (Score:4, Interesting)

      by mikeee ( 137160 ) on Friday July 25, 2003 @09:00AM (#6531501)
      Tinfoil Hat Linux [shmoo.com] is designed for just such a case. Boots of a CD-ROM, randomized keyboard for password entry, tempest-resistant fonts, PGP encryption and decryption (also of random files, in the background, to thwart timing attacks), and in a pinch "output console text to keyboard LEDs in morse code" mode.
  • At the last 2600 meeting I attended, we joked about installing a chip to catch keystrokes into a keyboard. What if this was done instead of a piece of software? And who knows if something like this has been done or not. The "man on the street" does not understand one iota of computer security, so why should a public kiosk computer be any different than his home PC? As long as it does not affect them in any way they do not care! This is a wakeup call for "joe sixpack", do not trust any public PC (I don't)
  • by jsailor ( 255868 ) on Friday July 25, 2003 @06:59AM (#6530643)
    You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)

    Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinkos to do as well. If you've been to a Kinkos in NY, you would know that the copy specialists in the stores are not maintaining the machines.

    • I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc.

      If those addresses are valuable to you, I could probably sell you a book or two full of them. I'll even throw in the phone numbers for free!
    • Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous performed some evil, the next user gets a new system free of any malware.

      That works great, unless the Bad Person has installed a hardware keylogger. They are pretty cheap these days ... as low as $80 [thinkgeek.com].

      Some neat features of this gadget:

      * Records more than 130,000 keystrokes
      * 64K of non-volatile memory. Now with 128K memory ($100)!
      * It is Portable - move it from computer to computer

  • Virutal keyboards (Score:5, Interesting)

    by bogado ( 25959 ) <bogado.bogado@net> on Friday July 25, 2003 @06:59AM (#6530649) Homepage Journal
    Banks in brasil are using virtual keyboards, they are a numeric pad that apear in the screen with the numbers in a random order and/or in a random position. You must then click the password with a mouse. Of course if you own the machine you can save the HTML and mouse clicks to analise it latter, but it makes the life of keyloggers harder.
  • by xThinkx ( 680615 ) on Friday July 25, 2003 @07:00AM (#6530657) Homepage

    I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, kinkos, office max, internet cafes, etc; and think that a keystroke logger could be infinitely damaging.

    Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

    Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a rediculous idea. I know this is beating a dead horse, but, do we let people drive a car or fly a plane without a license? Before you jump on my case I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some for education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKOS!.

    I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it

    • I spend alot of time at my local kinkos. They do get paid at least 1/2 more than you suggest. It requires experience and training to deal with some of these copiers...as well as lots of patience for the many customers who know even less. (or don't even know what they want. They are one employer that is likely to keep many employees around for a long time to come despite the heavy automation. Sadly the training for the normal coworker doesn't seem to include internet security...which is fundamentaly the
      • by BitchHead ( 464271 ) on Friday July 25, 2003 @08:57AM (#6531469)
        I worked at a Kinko's as a second job for a brief stint, and while I'll agree with you on the wages, I can't say as much for the training that most employees receive. The general guidelines that are given to employees are that the self-serve machines are just that: Self-serve. Don't spend a lot of time trying to explain things on the machines. If someone wants a job done, and can't figure it out on the self-serve machines, they can get it done behind the counter. The same rule holds true for the computers. It's part of the self-serve area. Help people only to the extent of not being discourteous, but the copy associates are not there to tell people how to work their email or perform tasks on Photoshop.
        The majority of the training goes into learning how to work the supplementary process machines (folders, tape and coil binders, bookletizers, etc.) because those are the large batch jobs that bring in the most money. Very few employees, depending on the location and the shift, will actually know how to set up specialized features on the large DocuCenter machines. Day shifters and second shifters will typically run the small batch jobs that need to get out that day, and leave the rest of the work for the night shift. If you want the job done right, bring it there at 3am for a morning pickup. The night shift is usually only 2 people, many times just one (as was the case when it was my shift) and they need to know how to work everything in the shop.
        The computers, however, are not upkept by the individual branch employees. There are regional network engineers who do the initial installation at a branch. After that, there is a Kinko's central hub help desk to take care of any questions that the manager/employees have, and a central station for remote administration of branch networks for a region. The managers are expected to be able to follow a colour coded wall chart in the network closet if they want to move equipment or add machines. Ours was an absolute nightmare. Serious technicolour spaghetti, and totally misconnected according to the wall chart. The managers and employees receive zero training on any network essentials, so don't expect them to know anything about security measures. The manager at the branch I worked at couldn't tell you the difference between a keystroke logger and a timber logger.
    • by xpulsar87x ( 305131 ) on Friday July 25, 2003 @07:29AM (#6530786) Homepage
      Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

      Why is it that the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, i was paid 6.25 an hour, and I did a pretty damn good job I might say. I didn't mope around my whole shift, I'd help people out, learn about things i didn't know (like printers, i don't print anyhting ever so i didn't know much about the technology in em), took time to learn how do work the machines in our copy center, etc etc. You trying to say that becuase Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college something, and they certainly would take an interest in it.
  • There's no mention in the article of how he managed to install the software on the system. I'd assume that any public terminal would be logged in as a user with virtually no priveleges beyond access to internet, word-processing etc and a small temporary storage partition that is wiped on log-out. Or does kinkos just run win98 boxes?
  • When there were green screen termninals a student wrote a simple program that took a username and login told the user it was incorrect and logged him out.

    He left it running on the lab on the VT100s. It worked. He used the first account to get more accounts. He didn't do anything with the accounts.. (I think the worst he did was some inflamitory emails to some band fan club..)

    It did get traced back to him however, but he denied denied denied and they just took his account away.

    Ever since then I always
    • Re:Back in the day.. (Score:3, Informative)

      by Torne ( 78524 )
      This is why secure operating systems use an SAK, system attention key. Windows NT and its brethren require you to press ctrl-alt-del to log in because that key sequence cannot be trapped by an application (though there are other problems with the NT logon process unrelated to the three-fingered salute). Linux has an SAK too; unfortunately, it's only available through the kernel magic debug keys by default (alt-sysrq-k if you have magic keys enabled) - the SAK under Linux will kill all programs on the curren
    • This was about the oldest trick in the good ol' days of the VAX and mentioned on page 3 (or so) of the VMS Security Manual.

      You where supposed to always press [5F] (break) before opening a session on a VT terminal.

  • Sloppy. (Score:5, Interesting)

    by MImeKillEr ( 445828 ) on Friday July 25, 2003 @07:04AM (#6530673) Homepage Journal
    When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.

    Whoever was doing support for Kinko's didn't do their job.

    Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?

    Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.

    • And yet, this stops nothing. There are keyloggers that you can plug into a PS/2 port and then polug the keyboar dinto the logger. They have built in memory. They are small. They would not be noticed. They work on any OS. SO explain what you did to "lock down" these machines again?

      • Easy. Put the CPU in a locked drawer or cabinet, put the keyboard and mouse cables through something that prevents the user from being able to pull them out. Not only would this prevent installing a hardware keylogger, this would also keep the users from being able to put anything in the disk drive or CD tray.

        Where MY PCs were, they were in a 'library' of sorts at my company. Someone (the admin) was *always* in the room when the 'library' was open.

    • Re:Sloppy. (Score:2, Insightful)

      by Anonymous Coward
      First of all, blocking ability to install doesn't mean jack if they still have the ability to run any application they want. Locked down the shell pretty good with poledit?(hah!)

      Don't forget about the ability to click a link to an executable in a browser and run it from location rather than saving it. Bottom line is that if someone has physical access to a machine, if you can't stand behind them and watch them as they use it, it's insecurable. Best bet for a safer internet terminal is a custom diskless
    • Re:Sloppy. (Score:3, Interesting)

      by antv ( 1425 )
      Good idea, but won't help in Kinko's case.
      They offer MS Word as a legitimate app. They let users open .doc files. There is a way for VB to export and invoke any win32 api function, including malloc() and CreateThread(). Therefore, a .doc file could be turned into keylogger.
  • by Fallen Kell ( 165468 ) on Friday July 25, 2003 @07:04AM (#6530676)
    Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC services, with which, actually controls your home PC. The person who's accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediatly knew that someone had gained access through the GoToMyPC service and contacted the authorities. That is how they caught him... Not him signing people up for GoToMyPC...
    • Who did he call? (Score:3, Interesting)

      by PCM2 ( 4486 )

      The person who's accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediatly knew that someone had gained access through the GoToMyPC service and contacted the authorities.

      I'll bite -- who are these "authorities"? Just curious ... so here I am, sitting at home in front of my computer, I've got my bag of corn nuts on one side and my 40 oz. of Olde English 800 on the other ... and my cursor starts moving by itself. OK, I establish that somebody is using my

  • by Dratman ( 552554 ) * <ralph&maxsoft,com> on Friday July 25, 2003 @07:06AM (#6530686) Homepage
    Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from ebay and similar sites, which ask for passwords to be re-entered on a web site, illustrate that passwords are no longer an adequate form of security.

    The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.
    • Yes they can. We're going to use a PC to authentica credit cards and the mag stripe reader just piggybacks onto the keyboard. There are also USB varients out there as well.
    • And magnetic strip writers are now just as easily obtanible. Its not too much more difficult to log a magetic strip on a system then it is to log a password.
    • Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense.

      By anyone. Most banks are moving away from magnetic stripes exactly because the readers are so inexpensive and easy to install on public terminals and ATMs. In addition to the official readers. The smartcards are coming.

    • The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM.

      What you refer to is known as multi factor authentication, IIRC. I agree that deploying authentication using the "need to have" and "need to know" dualism is way more secure than simple password authentication in principle. Besides that, the Kinko incident suffers from the problem that a public terminal cannot be trusted, and it wouldn

    • Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.

      USB is even more ubiquitous. Almost all (if not in fact all) new hardware comes with USB, and all modern operating systems support it. It is cross platform, accessible to GNU/Linux, OS X, and even that other obscure operating system from Redmond, WA.

      Banks have to provide thei
    • by hackstraw ( 262471 ) * on Friday July 25, 2003 @08:58AM (#6531473)
      Everytime passwords get mentioned on slashdot, I say they suck with little to no moderation. Regarding the lack of standard protocols and software packages try:

      Multos [multos.com]
      EMV (Europay-Mastercard-Visa) Specifications [visa.com]
      JavaCard [sun.com]
      OpenCard [opencard.org]
      PC/SC Workgroup [smartcardsys.com]
      Standards Committees and Standards Related to Smart Cards [demon.co.uk]

      I attended the 10th annual smartcard convention in 1999, yet have not seen a smartcard outside of the places I used to work programming them. Maybe its time... The cards then were 1 or 2 dollars and the readers were about 6 or 7, hardly an expensive periferal on your computer.

      Let me reiterate. Passwords have nothing to do with authentication, they only say that someone knows your password. Even having a magstripe card at least says that you know a password and were able to obtain phyisical access to the card. The best is a biometric reader with a smartcard. I think bioreaders are about 50 dollars.
  • root permissions? (Score:2, Insightful)

    by millenium ( 689108 )
    In order to install a keystroke logger, it seems to me that you would need root permission to do it on linux or else be able to (re-)boot such linux terminal from floppy or CD.

    By taking out floppy/CD drive and simply applying user privileges, I can't imagine that anybody would be able to pull this off on linux terminals.

    Therefore, isn't this typically a windows problem? Insecurity by design?
  • by xneilj ( 15004 ) on Friday July 25, 2003 @07:18AM (#6530731)
    This is why some banks do not request full information for login.

    For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:

    Three digits from your four digit online PIN (in a random order, like second, first, fourth).

    Three characters from your password, again a random selection in a random order.

    While it initally irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.

    It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to do repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.
  • by dki ( 597803 ) on Friday July 25, 2003 @07:19AM (#6530737) Journal
    ...can be found at SecurityFocus [securityfocus.com].
  • by starX ( 306011 ) on Friday July 25, 2003 @07:20AM (#6530744) Homepage
    Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever NEVER access any critical data from a public terminal under any circumstances EVER.

    The corallary to this maxim is to make sure that the password of an account that you access from a public terminal is different from any password that you access from a non-public terminal. Then again, the truly paranoid have different password anyway....
  • Keyboard Loggers... (Score:5, Informative)

    by BJZQ8 ( 644168 ) on Friday July 25, 2003 @07:24AM (#6530757) Homepage Journal
    There are PS2-connector keyboard loggers sold in various places on the internet...although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords...It's just something you have to accept...that someone is probably watching, somewhere.
  • Bring your own OS? (Score:5, Insightful)

    by dschuetz ( 10924 ) * <davidNO@SPAMdasnet.org> on Friday July 25, 2003 @07:26AM (#6530770)
    One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.

    Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access sytem (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.

    They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...
    • Kinkos is a print shop. What are you going todo? Take over their boxes, setup all the drivers for the printers, network, then print?

      Here's a tip. If you have to use a kinkos to print something [e.g. massive quantity] just burn a copy to a CD [or put it on a floppy disk] and bring it with you instead remotely logging into something to fetch it.

      Tom

      Ham the can man? Troll.
    • by nochops ( 522181 ) on Friday July 25, 2003 @07:37AM (#6530840)
      This would stop a keylogger application, but not a hardware logger between the keyboard and PS2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.

    • by Hecateus ( 628867 )
      I be seeing many frustrated customers here at kinkos in this regard. It is surprising how many don't know about ThumDrives. The Dell black boxes they have here even have USB ports accessible on the fronts...not sure which version. As for bigjobs, one can goto http://weborder.kinkos.com/ and upload files there. They can also use the Print2Kinkos service 1-800-2-kinkos for quick service with LIVE cust rep.
    • by Kaa ( 21510 )
      Just bring a Knoppix CD with you whenever you go to a public access sytem (assuming they don't lock down the CD-ROM drive).

      Won't help you against hardware loggers.

      Do you really check that the keyboard cable plugs directly into the keyboard socket on the motherboard on each public machine that you use?
  • South African users recently got nailed by a similar type of scam. Check out http://www.news24.com/News24/Finance/Companies/0,, 2-8-24_1390144,00.html for more detail
  • by lfourrier ( 209630 ) on Friday July 25, 2003 @07:28AM (#6530778)
    Kinko's spokeswoman Maggie Thill said the company takes security seriously and believes it has "succeeded in making a similar attack extremely difficult in the future." She would not provide details, saying that to do so could make systems less secure .

    They obviously really understand security...

    note (for the humour-impaired) : this is irony

  • One time passwords? (Score:5, Informative)

    by cras ( 91254 ) on Friday July 25, 2003 @07:31AM (#6530797) Homepage
    Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.
  • OP is wrong (Score:5, Informative)

    by nochops ( 522181 ) on Friday July 25, 2003 @07:34AM (#6530821)
    The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.

    No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.

    Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtoipc flame-fest! Yay!
  • by rwa2 ( 4391 ) * on Friday July 25, 2003 @07:36AM (#6530834) Homepage Journal
    At Cornell, the machine would just wipe its hard disk and reimage over the network after the last user walked out. I can't believe this isn't a standard feature for public terminals by now...
  • by straybullets ( 646076 ) on Friday July 25, 2003 @07:37AM (#6530839)

    last time i went to an easyeverything cybercafe i noticed that on logout the pc would reboot and re-install a fresh image of the whole os on the disk. I think it got the image from the network but i can't recall what soft they used to do it (it had a strange name)...

    Of course it takes some more time on rush hour (like 10-20mn) but they have lots of pc so ...

    and also, too bad for installing key loggers then ..

    • by Henry Pate ( 523798 ) on Friday July 25, 2003 @08:57AM (#6531467) Homepage Journal
      I know one piece of software that does they, they used to use it at my high school, it worked pretty well. It's called Deep Freeze, you could do anything you wanted to the computer, and when you rebooted the system was back just the way it was before, with all software installed during the last session gone, everything. You can find it here [deepfreezeusa.com]
  • by catfishmonkey ( 538336 ) on Friday July 25, 2003 @07:51AM (#6530927) Homepage
    I'm a manager at Kinko's.
    You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc.. are left every day.
    Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".

    What a world.
  • Kinko's Security (Score:5, Insightful)

    by stinkydog ( 191778 ) <sd@@@strangedog...net> on Friday July 25, 2003 @08:15AM (#6531091) Homepage
    I have used a Kinkos machine in Columbus Ohio (near Ohio State) and here is what I found:

    1. Windows 2000 with the user logged in as poweruser or administrator.
    2. Pop up software installed (unknown spyware).
    3. I could not find a USB port so I stood up and moved the PC and plugged in in the back. No comment from staff.

    The only "security" I saw was protecting the billing app.

    SD
  • by 73939133 ( 676561 ) on Friday July 25, 2003 @08:29AM (#6531245)
    The solution to this problem is well-known: use one-time passwords. You can travel with a printed list of passwords, each to be used only once. There are probably some packages for Linux that support this.

    A more sophisticated version are challenge-response systems or time-based systems like SecurID, but they require extra hardware and don't give you any extra security.
  • S/Key OTP (Score:4, Interesting)

    by mackman ( 19286 ) on Friday July 25, 2003 @09:31AM (#6531756)
    After standing at the pulic terminals at a security conference and thinking to myself, "I must be an idiot for typing my password into these", I investigated some one time password (OTP) alternatives. Back in the telnet days, people used S/Key to keep from sending re-usable passwords in the clear. Basically, it sends you a challenge, you type it and your password into your Palm, and type the generated one time password into the computer. If you're Palm-less or lazy, you can print a sheet of your next 100 OTPs and keep it in your wallet. If your wallet gets stolen, just login to your box and you can invalidate those 100 passwords and print a new sheet. It's a lot easier than reporting your credit cards stolen.
  • by gregwbrooks ( 512319 ) * <gregb.west-third@net> on Friday July 25, 2003 @12:25PM (#6533479)
    Gotta agree that using any of the public machines at Kinko's is a fool's errand. OTOH, if you drag your laptop in, many of them have "laptop printing stations" with DHCP and a pipe out to the Internet.

    In a Kinko's that doesn't have laptop stations? You can usually unhook the ethernet cable from one of their pay-for-use machines and use the connection yourself for no charge, as long as it's not busy.

    Why would anyone bother? Well, it's a (relatively) fast connection, and an IP address no one can trace back to you because you didn't pay for it and all the cameras at Kinko's (last time I checked) are pointed at the registers rather than the computers.

    I'd think the warez/Kazaa/terrorist crowds would find that plenty useful.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...