by Jens Porup
Doing your internet banking in an email cafe, anywhere in the world, is a bad idea. It is very easy for a dodgy cafe owner to learn your login/password by installing keystroke loggers on all his machines. By taking several precautions, however, you can protect your personal details from prying eyes.
A keystroke logger, or ‘keylogger’, as the name suggests, records every keystroke you type. So it doesn’t matter that your bank uses an encrypted SSL link: the keylogger will capture your username/password as soon as you type it, before it is encrypted and sent over the wire.
The first thing you should do when scoping out an email cafe is to check what sort of setup they have. Some of the more advanced, industrial-size (100+ seat) email cafes these days use a “thin client” setup. That is, there is no desktop computer next to the monitor; instead, you are communicating directly with a server in the back room. A thin client setup is great for the cafe owner, as it’s much cheaper and far more reliable. But if the owner, or a cracker who has broken into the owner’s server, has installed a keylogger on the server, then your online banking will not be secure. Avoid thin client setups. Find a different email cafe.
Find a cafe that has the desktop box right there next to the monitor. Now turn the computer around. Yes, turn the computer around, and inspect the connection between the keyboard and the computer. Does the keyboard cable plug directly into the computer? Or is there a small device that sits between the cable and the computer? If there is, it could be a hardware keylogger. There’s a chance it’s a USB-to-serial cable adapter for the keyboard, but if you don’t know the difference, or if you’re not sure, do NOT use that computer. Go somewhere else.
Once you’ve found a cafe where you are confident there is no outwardly obvious hardware keylogger (there could still be one inside the computer case, but this is much less likely), whip out your favorite Linux Live CD, such as Knoppix, the Ubuntu Live CD, or Anonym.OS. (If you’re a non-geek, I recommend Ubuntu. You can get one here.)
A Live CD is a compressed, scaled-down version of Linux that runs completely independently of any software – malicious or otherwise – that may be installed on the computer. Now, pop the CD in and reboot the machine. We are going to take complete control of the box, thus rendering any software keyloggers irrelevant.
Once you reboot, you will be running Linux off of the CD. There’s a small chance it will fail to boot automatically from the CD. If this happens, try hitting F12 at the very beginning of the boot process. Most PCs will then prompt you to select which boot device you want to use. If for some reason F12 has no effect, you may need to alter the boot sequence in the BIOS, depending on the PC manufacturer. You can do this by pressing the <Esc> key at the start of the boot sequence. Follow the menus, and then toggle to boot from CD first, before the hard drive. (All this may sound hard, but in most cases it will work automatically.)
Once you have the Live CD booting successfully, you will see something that looks like this screenshot. If you’ve never used Linux before, don’t worry. It’s very similar to using Windows or a Mac.
Now, the CD may seem a bit slow at first, and may take several minutes to load. This has nothing to do with Linux, but with the fact that you’re running it off of a CD. This also means that you will have read-only access to the hard drive. But this is good, because it means that you and any programs you run cannot accidentally save any sensitive information to disk, where it could be recovered by a snooper later on.
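A quick way to confirm from a terminal in the Live CD session that no hard-drive partition is writable, as an added example that is not part of the original article. The function names, the device-name patterns and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list internal-disk partitions that are mounted read-write.
# Input on stdin: lines in /proc/mounts format
#   device mountpoint fstype options dump pass

writable_disk_mounts() {
    awk '
        # Assumption: internal disks use IDE/SATA/NVMe/eMMC device names.
        # The CD (/dev/sr0), loop devices and tmpfs are skipped on purpose.
        # USB sticks also show up as /dev/sd*, so they are reported too.
        $1 ~ /^\/dev\/(sd|hd|nvme|mmcblk)/ {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") { print $1 " " $2; break }
        }
    '
}

# Prints a verdict and returns non-zero if any disk partition is writable.
check_mounts() {
    found=$(writable_disk_mounts)
    if [ -n "$found" ]; then
        echo "WRITABLE: $found"
        return 1
    fi
    echo "OK: no internal disk is mounted read-write"
}

# Constructed sample mount table (not captured from a real machine):
# a live session with the CD, a RAM filesystem and two hard-disk partitions.
SAMPLE_MOUNTS='/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/disk ntfs ro,relatime 0 0
/dev/sda2 /media/data ext3 rw,relatime 0 0'

# Demonstration on the sample: only /dev/sda2 is reported.
printf '%s\n' "$SAMPLE_MOUNTS" | writable_disk_mounts
```

In the live session itself, run `check_mounts < /proc/mounts`; any line it reports is a partition that programs could write to.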
Now you’re ready to do your online banking. Launch Firefox from the menus, and away you go. When you’re finished, simply reboot the machine, being sure to take the CD out of the drive. You’ll want it again, for next time.
A general word of warning: be absolutely sure that you do not use your online banking password for any other sign-on. If a snooper learned, say, your fastmail.fm password, and it turned out to be the same as your online banking account, then your bank account is about to go on a holiday of its own, probably to a country ending in “-stan”.
What if an email cafe owner catches you using a Live CD and objects to this? Be calm, explain to him what you are doing and why. Point him to this article, if you want. If he knows anything about computers, he should have a healthy respect for security, and will be completely cool with this. You aren’t cracking his systems, you just want to safely access yours. It’s even possible that he’s already using Linux himself: many, many email cafes are moving toward Linux, because it’s much more secure than Windows, and it’s free.
The final word? Avoid internet banking, if possible, when you travel. But if you have to, the above steps can drastically minimize the risks of having your identity stolen or your bank account compromised.
Jens Porup is a computer programmer, freelance writer, playwright, and ex-pat Yank currently living in Melbourne, Australia.