Feb 21

Keyloggers in Public Internet CafesIf you are traveling without your own laptop for an extended period of time – chances are you will use Computers in public Internet Cafes to stay in touch with loved ones and friends around the world.

Using a computer in any Internet Cafe in Shanghai, Vientiane or Fiji sounds like a comfortable form of getting things done, considered you have decent connection speed and bandwidth. Sure, sometimes those places feature outdated equipment and the comfort factor isn’t on par with your hotel room – but hey!

Unfortunately there are much darker dangers lurking in the shadows of those locations, some not clearly visible to the unsuspecting eye:

When the Internet started out more than a decade back – not everyone had access right away. Not all of us owned a computer or ever planned of buying one. The needs of those were soon catered for by smart businesses – setting up a couple of outdated machines in a room or empty factory hall, connecting them to the net and charging potential users per minute, hour or via prepaid packages.

So far so good.

With the growing popularity of Online Banking, Blogging and sites and services like Paypal, Amazon and eBay, personal data grew more and more important. Even to a point where it’s becoming valuable and like money in the hands of shady subjects. Nigerian Internet Mafia or Identity Theft anyone?

These days everyone has at least one e-mail address and a half dozen accounts with social network sites like Facebook, LinkedIn or MySpace.

Most people I know also prefer Internet Banking to taking a cue number in a bank branch – if there is any at all in the country you are traveling.

Sending money via Paypal or bidding on your favorite backpack or GPS device on eBay is another common phenomenon; with the data and money involved things could be very painful if your account credentials were accessible by a criminal mind.

Over the last few years you could hear more and more travelers complaining that suddenly they didn’t have access to their e-mails accounts anymore or that their blog was hacked or scrambled and they didn’t know what and how that happened.

Be aware but not paranoid

Unfortunately the reputation of Internet Cafes came quite a bit down over the recent years. With all that valuable data transported via their computers and networks and increasing competition – quite a few Internet Cafe Owners were thinking of options to exploiting these even further and improving their income – in shady ways. Sometimes even the users of said Cafes abuse its computers of fostering their own agenda – getting access to e-mail, blog or banking accounts of the many users who pass through them during the day.

If an Internet Cafe isn’t well maintained – basically everyone can install malicious applications or other scamware on those computers. They are sometimes detected only weeks or months later or worse – not at all – and could wreak havoc with your personal data or submit account credentials via the permanent connection through the internet to the ones who will surely exploit them to your disadvantage.

The most common evils you can find on Public Computers are

  • Keystroke Loggers (or short Keylogger – record the letters you type on the keyboard – including your account details and passwords – and submit them for further abuse)
  • Viruses (most of them have the simple purpose of infecting your documents, applications or destroying what comes in their way with a maximum effect)
  • Trojans (similar to Keyloggers – spying out your personal data or redirecting you to pages which could download more malicious software with unpredictable effects)

While the last 2 kinds of Malware are affecting you only indirectly and are easily avoided (just don’t open any unknown or untrusted websites, mail attachments or applications) Keyloggers are working in a more subtle and not so easily spottable way. Yet they can cause you more troubles or even cost you money, if your account details get abused.

So what can you do to avoid them like the plague they are on public computers?

1. Bring your own Computer!

BYI - the safest way to surf in public places!Seriously – while plenty of people refrain from bringing a fragile electronic gadgets with them during traveling – more and more people do so. It’s simply easier working while traveling and you have full access to all your favorite programs and files. This way you can use your own protection and security features like Firewall, Antivirus and Spyware Programs, while only transmitting your Data Stream in an encrypted way via the Internet Cafes wireless network. Of course it’s still possible to intercept and unscramble that data – but it’s much more difficult and requires time and probably brute force (more computer power) than it’s worth while there is much easier prey around. Some more links regarding Traveling with Laptops I had in this post as well.

A Computer for travels doesn’t have to be necessarily big and bulky. While there are many nice and small notebooks around – the current trend is to getting an even smaller device, so-called subnotebooks, like the Asus Eee PC or similar. Check for some of the rave reviews for the Eee here. These small machines are simply for connecting to the internet, writing that document or memo to your parents, friends or employer and storing or uploading you pictures or videos.

Hardware Keylogger Keydevil in Action2. Check for Hardware Keyloggers

If you don’t want to carry a laptop or subnotebook around you have to use other ways of making sure that you are using a secured connection. The first step should be to check for Hardware Keyloggers.

These are devices plugged between the keyboard and the computer and are most easy to find. Simply look behind the computer you are using. If you see any kind of adapter or device between the keyboard and the motherboard connector – switch the computer or the Internet Cafe!

3. Use an USB Stick to secure your Personal Data

USB Stick - your data and applications travel with youNow – instead of simply typing ahead – bring at least an USB Thumbdrive or Flashdisk with some pre-installed essential security programs. There are even ways of booting your own Operating System from a USB stick or setting up you own complete suite of applications like this service called Portable Apps. While this probably doesn’t get you the connection to the internet (it can – if the Internet Cafe manager provides you the IP addresses used for his LAN ports) – it’s still good to have some essential applications with you.

This way you can make sure, that the public PC you are using is virus-free and make use of your own set of useful applications, which can save your day – but fool those malware and spy programs. You can even run your own favorite full-blown Firefox on it, or run smaller brethren like Firefox Portable Edition or Opera USB from it, with all your bookmarks or favorites right at hand. Here is a list of programs especially designed for running from an USB stick.

4. Use Anti-Keylogger or KeyScrambler Programs on your USB drive

Here is one good example of a Free Anti Keylogger Program and here an extended list of even more, which would make sure that the PC you currently use isn’t infected with any known Keylogger. The key here is to update those programs regularly, as Keylogger Programmers do everything of staying ahead in this cat and mouse game. Add to that a good Antivirus and OnScreen Keyboard (see paragraph 8 below) and you are set to go and most likely be secure. A KeyScrambler basically encrypts the letters you type with the keyboard. A free version for personal use can be found here.

Another tip I read somewhere is to have your Passwords saved in a Password Manager Software installed on your USB stick and then simply drag and drop the password into the web form. Most Keyloggers are said of being unable to cope with Drag & Drop. But then – some of them even take a snapshot of the whole screen from time to time, so that could end up even more disastrous, having many more of your passwords exposed. Although it seems unlikely in Internet Cafes with plenty of users and data generated in a short time – it’s still not recommendable.

5. Set a Tripwire for E-Mail Hackers if you suspect your Mail Account was compromised

If you suspect that your e-mail account was hacked, you should get proof. While it is certainly easy for someone reading your e-mail to disguise his/her action by simply setting the read mails to ‘unread’ again – there are ways to find out for sure. You could use other services which log your login date/time and inform you if anything unusual happened. Here you can find a guide on how to do it.

If that all sounds too complicated – there is an even easier method:

Simply change your password often and regularly to lock out unwanted people who gained access to your password one way or the other.

6. Subscribe for OTP – One Time Passwords for Online Banking

HSBC OTP Token for Online Banking LoginMost Banks around still make use of the antiquated PIN/TAN system. With the PIN you login to your account. The TAN is usually a transaction password which you take from a long list of approved codes which should secure you from fraudulent transactions. The only problem is that your PIN to login to your account stays the same for most of the time. It may prevent identity thieves from transferring your money out of your account – but still it’s easy to gain access when your account credentials are exposed. Ask your Bank if they provide OTP Tokens to login to your account!

An OTP (One Time Password) device is basically a quartz which shows a different login password (number) every few minutes.

7. Use Mail Forwarding for simply checking your Yahoo or Gmail

While more and more banks these days switch to OTP devices, One Time Passwords for E-Mail Accounts are unfortunately not so common at all. Is there any way of securing your main e-mail account from being spied out and hacked?

Thankfully most Webmail programs (Yahoo, Gmail and even Hotmail) allow a ‘Mail Forwarding’ option these days for free.

Simply create another free Webmail account and let your main account forward a copy of your mails to that address. This way you still can’t answer using your main account, yet you can stay updated and check for ‘that important mail’ you are expecting almost anywhere without giving up too much privacy. If you are in need for a reply you then have to make sure using a safe PC.

8. If all else fails – check out these tricks to fool Keyloggers

If you must access a public computer and have none of the other choices at hand – fear not! There are ways of fooling installed Keyloggers. It will take a bit of effort but is surely worth the while.

While basic Keyloggers do just that – logging your keys – you could use an OnScreen Keyboard to copy/paste the letters and put in your credentials this way. Windows comes with it’s own built in (Character Map); but it isn’t the best of ways and will trick only the simplest one, as it uses the copy/paste method via the Clipboard.

More sophisticated Keyloggers also record and monitor your Clipboard, the place where you copy and paste text or pictures or the letters from Windows’ OnScreen Keyboard. Gotcha again!

Neo's Safekeys OnScreen KeyboardIt’s better to download and use an OnScreen Keyboard to that Public PC which prevent copy/paste recording as well. The smallest program in this list is only 8 kbyte which should be possible to download and start in most Internet Cafes.

Now simply copy/paste your password letter by letter into the password form. Add some difficulty by copying it from back to front or even in another than the original direction. For example, if your password is ‘Snoopy23′ – copy and paste it like n-o-s-o-p-3-y-2, just simply put the letters to the right spot before you press ‘submit’.

One way to do it without all preparations is this:

Just open the page you want to login to and navigate to the login form. Type the first letter of your user credentials and click somewhere else outside the form (but not outside the current window!), so the cursor disappears. Now type a series of random/meaningless characters. Those will not appear in the form, but will still be recorded by the Keylogger. Now click back to the input field and type the second character. Click out again type a few more random character. Continue this until you are finished and press submit. The method is described in detail here (pdf).

Conclusion: for best results – preparation is the key!

Don’t go unprepared into any Internet Cafe – if you are planning to access your E-mail, Social Networking sites or Bank Account. While there isn’t any bulletproof way of fooling the most sophisticated of Keyloggers which record everything from mouse movements, window positions, focus changes or even take snapshots of open windows – every little step helps in camouflaging your online credentials and making it more difficult to get readable data out of the stream of logged inputs for the Hacker.

It might be enough already to fool the harvesting program or a quick manual scan through the logfiles to leave you out of the misery. Oh yeah – and make sure you log out completely from the account you open. Sometimes closing the active window is not enough, right Yahoo?

If you really want to be on the safe side there is only one way – use your own computer or device and and don’t rely on Public Computers at all.

What do you think? Ever had your E-Mail Account exposed and hacked while traveling? What methods do you use to protect your account information from Hackers, Keyloggers and Identify Thieves?

Please help to find the best ways for savvy travelers by sharing your knowledge using the comment form below.


Nigerian Internet Mafia or Identity Theft anyone?

If you enjoyed this post, make sure you subscribe to my RSS feed!


or save article to your Facebook with 1 simple click:

Share

written by Chris



29 Responses to “8 Tips to Fool Keyloggers in Public Internet Cafes”

  1. James PongNo Gravatar MALAYSIA Says:

    Great tips. What about without using any software like typing the password in random order by using left and right key? Also, I think that the usage of an online keyboard for password input on Citibank Online is a great method since it’s very secure.

  2. Marco Barulli - ClipperzNo Gravatar ITALY Says:

    Great post Chris! Very informative and well written.
    May I suggest a different strategy to defeat keyloggers?

    Clipperz is an online password manager that also offers an optimal protection from keyloggers: one-time passphrases combined with one-click logins!

    Clipperz users can save the details of their online services into Clipperz and quickly create a “direct login” link for each of them: just one click to authenticate and access the online service without typing any username and password
    .
    Therefore avoiding keyloggers is very easy. It works like this:

    1. Login to your Clipperz account using a one-time passaphrase.
    2. Click on the webmail direct login. Click on your bank direct login.
    3. Enjoy your exclusive online safety!

    Learn more about using one-time passphrases in Clipperz.

    Marco
    Clipperz co-founder

  3. digitalnomadNo Gravatar UNITED STATES Says:

    Chris-

    This is good stuff. I am looking for info for online banking. Have you written anything on this topic? Anything about your experience with living in one country and banking in another country.

    Thanks

  4. ChrisNo Gravatar INDONESIA Says:

    James Pong and Marco Barulli, thanks for the additional tips! James, I’m quite sure your method will work as well, as long as the cursor keys aren’t recorded by the Keylogger.

    Marco – if I see that right your system offers OTP One Time Passwords for all kinds of webservices, including Yahoo and Gmail??? If that is the case, then this is a concept I was searching long and wide across the internet, but unable to find. If you are interested, drop me an e-mail, maybe we can collaborate on that topic a bit further? I’m very much interested to find out more about it and maybe we can bring some benefit directly to my readers as well…

    digitalnomad, so far I haven’t written anything about Online Banking directly. I use it for many years though, with Banks in Germany in Singapore. Both PIN/TAN system and the OTP Token one. So far I never had a problem with that, although I change my password for the PIN/TAN system frequently.

    The biggest problem I usually face is getting a Bank Card or new TAN numbers delivered from Germany, as I’m not registered there anymore and even “global banks” have their issues in sending standard mail into foreign countries. I wonder why they never accept authentification in their own branch offices? But then – those are mainly independent businesses as well, more like a franchise under the same umbrella. :D

    Do you have any specific questions regarding that topic? I can try to answer from my own experience or even make it into an article…

  5. digitalnomadNo Gravatar UNITED STATES Says:

    Chris-
    A practical guide based on what is available today would be much appreciated. I am thinking mostly about online banking.

    I have been researching information for online banking, but I have not found an online bank that has impressed me to the point that I want to open an account. It also needs to be international in scope for transfer of funds, etc.

  6. lissieNo Gravatar AUSTRALIA Says:

    I use the 1 time password device from my bank and it made me much happier about using internet cafes for online banking in Asia. It is nice to carry your own laptop. I like the look of the new Asus Eee which is a cross between a laptop and a PDA but cheap and small !
    In a cafe you should also be wary of the lot tech solution – people hanging around and looking over your shoulder!

  7. darcyNo Gravatar AUSTRALIA Says:

    Nice tips there. Makes me a bit less worried about using internet cafes…although I still think I’ll bring my laptop anyway. May i ask, what laptop do you travel with? and, more importantly, what size is it?

    Thanks for the amazing, inspiring blog!

  8. ChrisNo Gravatar INDONESIA Says:

    digitalnomad – I’m surely no authority on that area, although I have used about a dozen different banks and stock brokers during the last 10 years, but mainly only in Germany and Singapore.

    The problem I see is that most financial institutes work pretty autonomous. Branches in other countries don’t necessarily recognize accounts or assets you own with them in another region. They offer complete different services too. Citibank in Germany is something completely different than Citi Singapore or Citibank America.

    But yeah – the more I think about it, maybe it’s a good idea to post an article about that topic, if only to start a discussion about the best/worst experiences with Global Banking and Online Finances. Let me think about it and if you want to share some of your research and experiences – I’m more than happy to work with you together on a more substantial article. What do you think?

    lissie
    – oh yes – I totally forgot to mention about that. Glad you did. Thank you!

    darcy – I’m using a quite bulky Asus G1 notebook (15.4 inch). The Asus Eee wasn’t out yet when I got that piece. Another reason I didn’t get a smaller model is that I like to enjoy Computer Games from time to time, like Civilization 4, Silent Hunter 3/4, Far Cry, Bioshock, The Witcher and others. I used to play World of Warcraft (before the expansion) a lot as well, even had my own Guild at a point – ‘Temasek Rayas’ on Elune. Yeah, talking about a great waste of time, hehe. ;-)

    Unfortunately standard laptops make it almost impossible to play current games and I sold my desktop before moving from Phuket to Bali, as it was a pain to bring on a plane (which I did only once when moving from Singapore to Thailand). So far I’m happy with the performance of the notebook, just the build quality is a bit cheap and below par on what I expected from Asus.

    For standard phone features, calendar, notes and surfing at hotspots I use another oldy – the smartphone/PPC described here. It’s big and ugly, but so far the features are more than sufficient for me.

  9. Travel BettyNo Gravatar UNITED STATES Says:

    Another great informative post, Chris! Thanks for the useful info. I brought my own laptop to Bali and luckily had access through the villa I was staying at so I didn’t run into any problems.

  10. digitalnomadNo Gravatar UNITED STATES Says:

    Chris-
    Re; Banking article – I have very little practical experience, although I have been involved in some aspects of banking. I can do some research for your post. This type of banking (the legitimate banking) does not look to be written about much.

    Usually, from what I know it requires some travel to open an account in person, not to mention an introduction and some personal scrutiny.

  11. John StivesNo Gravatar NEW ZEALAND Says:

    Great tips. How about using a pen drive and then putting Portable Firefox on it and have all your passwords saved.

    No keylogger will be able to pick up a drop down list, much safer…

  12. ChrisNo Gravatar INDONESIA Says:

    digitalnomad – you bet they require you to travel. I can’t even get a big Global Bank in Germany to send me my Bank Card. Their standard response is that I have to come by one of their branch offices in Germany. I would for sure – if they send me the flight ticket. :D

    John Stives – that should work comfortable! Great find! =D>

  13. Thai QANo Gravatar UNITED KINGDOM Says:

    Nice post. I do pretty much everything online and have become quite complacent about security recently. I guess it pays to keep your guard up.

  14. Olina PizzaNo Gravatar UKRAINE Says:

    All my friends who adore traveling prefer to take their laptop with them whenever they go. At first, I supposed that they work during their journeys and just don’t want to waste time on searching some Internet cafe. Your post makes me think another way about it. :-? Thanks for the tips

  15. DaveNo Gravatar HONG KONG Says:

    I just bought the Asus Eee PC while in Hong Kong after seeing a fellow backpacker with one. It’s less than a kg in weight, and has sufficient screen size to draft blog posts, and surf the net. Love the wifi capability. Not sure I really needed it, but what would a trip to Asia be without some technology shopping. :)

  16. ChrisNo Gravatar INDONESIA Says:

    Dave, at least you can tick off that ‘spending on electronics’ point off your list. I’m sure you got a great bargain in HK. Which version of the Eee did you buy, the Linux version or the Windows one? I read that the Linux version has a pretty neat interface and the usability is great. The license alone should make the Windows version significantly more expensive… :-/

  17. ChampDogNo Gravatar MALAYSIA Says:

    Nice tips but the safest is still not to use the public internet cafe at all. Add one more tips that may missed out is to “clear the browser’s cache – including cookies and any temporary files” after using. It is also better to login the site that has secure connection (e.g. https).

  18. AndyNo Gravatar GERMANY Says:

    The service at http://kyps.net turns normal passwords into one-time passwords. Works with Hotmail, Yahoo Mail, Google Mail, and others….

  19. ChrisNo Gravatar INDONESIA Says:

    Andy – that service looks really nice and interesting! But how can you ensure that the account data is safe with that service? Maybe they have to let themselves buy by one of the big players…

  20. DaveNo Gravatar SLOVAKIA Says:

    There is also an excellent utility to safely enter passwords on web sites bypassing keyloggers called HashPass. Find it at http://www.kagi.com/fantasy

    It is built with protection against keyloggers, mouseloggers, screen capture as well as clipboard loggers so despite being similar to Neo’s SafeKeys goes much further. I rank it as number one as it uses a well conceived and well implemented concept. With zero effort you can safely enter a password up to 128 characters long! I have not seen anything like that before and can only recommend it, especially when travelling.

  21. DigitalnomadNo Gravatar UNITED STATES Says:

    Kagi looked good until I saw it does not work for Linux. Someday maybe.

  22. careyNo Gravatar PHILIPPINES Says:

    This is why I am wary about using public computers. I wanted to use my laptop in an internet cafe but they don’t allow it since their computers are installed with a tracking program which logs your time in and time out. Another option is to get a pricey coffee at Starbucks so you can avail of their free wifi. :)

  23. ChrisNo Gravatar INDONESIA Says:

    Thanks for the additional tips to all of you! =D>

  24. Goodbye Asus Eee PC! The Uber Gadget for Travelers is something else | nomad4ever UNITED STATES Says:

    [...] use a Netbook in Internet Cafes without exposing your personal data to Keyloggers and [...]

  25. Travelers - Check Your Browsers! « Passpack Blog UNITED STATES Says:

    [...] against keyloggers, which you create before traveling. And there are numerous other tips available (here are a few from Nomad4ever) to ward off potential [...]

  26. Tokezone WebmasterNo Gravatar AUSTRIA Says:

    Many of the portable applications listed here – plus some more – are included on my own software bundle, which you can load onto a USB drive before you travel.

    The applications are contained in a launcher and include my own help file. It’s all free and mostly open-source software and contains no spyware or advertising at all.

    More information here.

  27. The DudeNo Gravatar NEW ZEALAND Says:

    http://www.pendrivelinux.com might be another good alternative, you install a linux on a usb stick and boot from your trusted usb stick – however there is a bit of work involved getting it up and running.

  28. JurgenNo Gravatar ITALY Says:

    I agree completely with John Stives! It’s many years now that I only use Portable Firefox even on my home PC. I let him store all my passwords that are on their own protected by a very long and difficult to guess Master Password. Now when I open Portable Firefox it asks me first for the Master Password and after that fills in automatically everything you need on a Webpage. Problems arouse only with some so-called secure Bank websites which use a small Java application for their login-field. In that case you have to enter your Pin again manually making it unsafe again :(
    The second good thing about Portable Firefox is that you always have every Bookmark and open Tabs with you.

  29. jimmaqualinNo Gravatar UNITED STATES Says:

    A software keylogger would probably record keystrokes from an O/S soft keyboard like Microsoft, depending on where exactly it hooks into the operating system.
    See more about How to Detect If a Keylogger is Installed:
    http://www.myjad.com/detect-installed-keylogger.html

Leave a Reply

Hey, if you want a picture to show by your comment, why not get a gravatar?

;-) :twisted: :roll: :oops: :mrgreen: :lol: :idea: :evil: :cry: :arrow: :?: :-| :-x :-o :-P :-D :-? :) :( :!: 8-O 8)