Recently I wrote an article highlighting the steps to take to ensure your customers’ security if you provide them with public computer access. News then broke that hardware key loggers had been found at public libraries in Manchester.
Public libraries are an obvious target for people trying to steal confidential information as this is where people without a computer at home will go to conduct online business such as accessing their bank accounts.
The previous article outlined steps to take if you’re providing the service, but what if you need to use a public computer and cannot avoid it? How can you protect yourself then?
First I want to stress that there is no method that is 100% safe; you have to keep in mind that you’re using a public computer so you cannot verify whether it has been tampered with or not. My ideal recommendation would be to avoid using a public computer at all; however, if this is not an option I will illustrate the type of attack you could be subjected to while using such a computer and how best to counter the specific attack.
1. The hardware key logger is the first threat as well as the most obvious. These devices, installed at the back of the computer between the keyboard connector and the computer itself, can be small and inconspicuous. They also come in different shapes. If the back of the computer is easy to reach, peeking to check for such a device might be an option. If it is not easily accessible, it is probably not advisable to check for a key logger, as staff might think you’re trying to tamper with the machine or even installing one yourself. A safer option would be to use an on-screen keyboard and click the required letters with the mouse when entering confidential information such as passwords.
2. A software key logger is just like a hardware key logger but is installed as a software program. Unlike the hardware version, there is no easy way to know whether one is installed. The on-screen keyboard is probably your best chance against this threat; however, there is nothing stopping such software from taking a screenshot of the on-screen keyboard application at every mouse click, meaning that there is no 100% effective way to protect yourself against this sort of threat.
3. Shoulder surfing is an activity where a person looks over your shoulder to see what you’re typing on the screen. This is an insidious threat, especially if you’re using the on-screen keyboard. The other person will easily be able to tell what you’re typing even if the text is scrambled on screen, such as when you’re typing in a password field. Just being aware of your surroundings is generally enough to mitigate this risk.
4. A network sniffer is a program that will record all network activity from the infected computer to the internet. Like a software key logger, it is hard to verify whether one is in use. This threat, however, can be mitigated by ensuring you only type confidential information into sites that offer an encrypted link back to you.
5. The final threat is phishing/misdirection. A malicious user could change the internet settings of a public computer so that its traffic goes through another remote computer under the malicious user’s control, in order to spy on all the traffic before sending it on to the intended destination. This is called a man-in-the-middle attack, and it could potentially apply to any website. If you are going to access your bank from such a public computer, take note of any prompts you get. Your bank will generally try to establish a secure connection with you, and this procedure has safeguards against this sort of attack. The bank will ensure that it’s connecting directly to you while your web browser will ensure you’re connecting directly to the bank. If someone is between your web browser and the bank, the web browser will issue an error regarding the security certificate. If that happens, don’t go any further. Do not click okay; instead, walk away from the computer in question and advise the staff.
Apart from protecting against threats, there are also good practices to follow. Do not connect to a bank if your online banking isn’t protected with a two-factor authentication system. Generally this means having a token that generates a different pass code each time you want to log in. With such a system, if someone manages to copy your pass code it will not be of use to him, as these codes are not reusable.
While inconvenient, it is a very good idea to change the password of any account you log into from a public machine. This should be done as soon as you get access to a secure computer. This procedure will ensure that if your credentials are compromised, those compromised credentials will not be of use to the hacker. Alternatively, if you own any of the systems that you log into, use ‘one time use’ passwords. This will save you from having to change the password after each login whilst not leaving you vulnerable until you’re able to change it.
These are just basic precautions and following these tips will still not make you completely safe because the truth of the matter is that there is no way to be 100% safe when using a public machine, so if this can be avoided all the better. Alternatively a safer way would be to connect to a public network with your own computer.