You’ve made an easy passage, and after a quick stop at customs, you’re all checked in. It’s time to swing by the local market and start reprovisioning, but first, a quick stop at the ATM to get local currency. “Transaction canceled,” reads the machine when you ask for a withdrawal. Checking your balance, you find that the bank account has been cleaned out over the past 10 days. Every cent is missing, but you’ve been at sea! Someone has access to your bank account and has been withdrawing money by sending checks to an address in some far-off place. But your ATM card has never left your possession, so how could it happen?
Managing the complexities of modern life in the early 21st century really became easier — particularly for those doing some extended voyaging — with the advent of the Internet. Want to stay in touch? Email. Need to order some spare parts? The Web. Need to transfer some funds from your brokerage account to your debit card? No problem, just pop down to the local Internet café and log on. Your broker offers a secure connection with the latest 128-bit encryption, and you’ve got a really secure password, so nothing to worry about, right? Well, maybe not.
If you’ve done your homework, you know that having a good password is the first line of defense in keeping your online persona secure, and that a website with 128-bit secure sockets layer (SSL) encryption is generally considered unbreakable, but there are more nefarious ways to compromise your security, and they’re generally not very well known outside the “cracker” or computer science communities.
One of the most dangerous things you can do is use a public access computer, even if you’re going to an SSL secured site. It’s just too easy for the owners of the Internet café, or even the previous customer — without the knowledge of the café owner — to install a small piece of software known as a “keylogger” onto the system. This software and its even stealthier cousin, the hardware keylogger, are designed to do just one thing: spy on the computer user.
Keyloggers are designed to be stealthy. They’re very small pieces of computer code, and when they’re installed and running, they are essentially invisible. There is no easy way to detect a keylogging program running on the computer, and there is no way to detect a hardware keylogger. They sit silently and capture every keystroke you make. They bundle this in a file and periodically send the file to an address that the person who installed the keylogger has predesignated.
Since keyloggers capture raw keystrokes, the encryption used to send passwords and the encryption of the website’s SSL itself are of absolutely no value in protecting you. When you log onto your bank’s secure site, you will be asked to enter your user ID and password. This will be encrypted by the web browser’s SSL software and transmitted in a very secure way to the bank. Unfortunately, the keylogger will have captured the plain text you keyed into the keyboard and the URL, and your information will be available to the person who installed the software.
Hardware keyloggers are even more insidious, since it is impossible to detect them. They have their own memory and are designed to record every keystroke the keyboard makes. So when you log into your bank’s website, then enter your user name and password, it will all be recorded on the memory chip in the hardware keylogger. Later, a timed program or a remote request will download all of the keystrokes recorded. Someone can also come back to retrieve a hardware keylogger and bring it to their own machine to inspect. In this case, the owner of the computer may not even be aware that the keylogger was attached.
Keylogger hardware always plugs in between the keyboard and the computer, so it’s easy to spot. Follow the keyboard cable between the keyboard and where it plugs into the computer. The cable should not plug into anything else. Most computer keyboards have a unit called a ferrite bead on their connector cable. Keyloggers, however, are designed to mimic the look of these ferrite beads. The difference is that the keylogger will have a connection into which the keyboard will plug. A true ferrite will be a physical part of the cable. If there is a device plugged in between the keyboard and the computer, remove it.
Unfortunately, however, this method is not foolproof. There are companies now selling keyboards with keyloggers built into the keyboard, and these are undetectable. Hardware keyloggers cannot currently be attached to laptop keyboards, so if you’re using a laptop, you’re safe from the hardware keylogger but not the software keylogger. This could change, so the only foolproof way to avoid a keylogger is to use your own computer.
In addition to keyloggers, there are currently more than 385 spyware programs, all designed to monitor the use of the computer, record what is being typed, and forward the information to someone else. Some of this software is used by private investigators, police, and even jealous spouses to monitor the use of computers. Unfortunately it also can be used for more nefarious purposes.
So how do you protect yourself and still remain part of the wired world? Here are a few tips.
1. Use your own computer if possible. Internet cafés are really convenient, and they generally offer a higher-speed connection than you could get yourself, but they are very high risk. Avoid them if possible, and don’t use them for any access to financial sites like your bank or broker. If you have to, use them only for email. It would be better if you brought your own computer and asked to use their connection. You should invest in a network card for your computer and a cat-5 cable. This looks like a phone cable but uses the larger RJ-45 connector. You can also use a wireless card to get access to public “open” wireless networks. These are not quite as secure as wired networks, though, because they can be monitored without anyone’s knowledge. Generally, if you’re going to an SSL secured site, you will be safe even on a wireless network, because the information transmitted is encrypted end to end.
2. Invest in spycatcher software. If you’re forced to use an Internet café computer because they won’t let you use your laptop, or you don’t have a laptop, then you need to arm yourself with the latest spycatching software. It is designed to detect the signatures that spyware programs leave when they’re installed. (See Spycatching software above). Buy a copy and burn it onto a CD; carry it with you any time you’re going to use an unknown machine. Run the software before you use the machine. The scan can sometimes take as long as 30 minutes, but you will be assured that the machine is clean. You will have to update the software regularly with new spyware signatures, which, like virus signatures, are constantly being updated by the manufacturers to keep up with the miscreants who write this stuff. If you own a laptop, install the software on it and run it religiously, along with your virus-checking software.
3. Never let anyone have unmonitored access to your computer. Never let anyone access your computer without watching them. Never let anyone install software on your computer unless you are absolutely positive of their identity and you trust them. It takes less than a minute to install keylogger software. And unless you have a spycatcher installed, you’ll never know. This software can sit dormant, capturing keystrokes, until it gets a connection to a network, or you send and receive email. It’s not a bad idea to run the spycatcher software after anyone you wouldn’t trust with your bank PIN uses your computer.
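To make tip 2 concrete, here is a small signature scan of the kind spycatcher software performs, added as an illustration and not taken from any product. The signature names, file names and byte markers are constructed for the example; the scan runs once with a stale signature set and once with an updated one.

```python
import fnmatch
import os
import tempfile

# Constructed signature sets; the names, file patterns and byte markers are
# hypothetical and do not describe any real spyware.
SIGNATURES_V1 = [
    {"name": "ExampleLogger-A", "filename": "klsvc*.dll", "marker": None},
]
SIGNATURES_V2 = SIGNATURES_V1 + [
    {"name": "ExampleLogger-B", "filename": None, "marker": b"KEYCAP-LOG-v2"},
]

def scan(root, signatures):
    """Walk root and return sorted (relative_path, signature_name) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for sig in signatures:
                by_name = sig["filename"] and fnmatch.fnmatch(fname.lower(), sig["filename"])
                by_bytes = sig["marker"] and sig["marker"] in data
                if by_name or by_bytes:
                    hits.append((os.path.relpath(path, root), sig["name"]))
    return sorted(hits)

def build_sample_tree(root):
    """Create a constructed directory tree standing in for a public PC's disk."""
    samples = {
        "system/klsvc32.dll": b"\x00stub",                # matches A by file name
        "temp/update.bin": b"\x01\x02KEYCAP-LOG-v2\x03",  # matches B by content only
        "docs/readme.txt": b"harmless notes",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def demo():
    """Return (hits with stale signatures, hits with updated signatures)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root, SIGNATURES_V1), scan(root, SIGNATURES_V2)

if __name__ == "__main__":
    stale, updated = demo()
    print("stale signatures:  ", stale)
    print("updated signatures:", updated)
```

With the stale set, only the first sample is reported; the second is found only after the signature set is updated, which is why the software has to be kept current.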
Information technology is wonderfully liberating, but like any of the inventions throughout history, it can be misused, and we all need to protect ourselves. Following these three steps can save you from identity theft or from having your financial data compromised.