How secure is the typical public library computer?

I wonder if this question can be answered with any certainty:

What if I want to conduct some financial business using a computer at a medium/large USA city public library computer–are these publicly available computers secure?

I know that library admin persons/staff keep the computers running, but I don’t know anything about their attention to security–

Thank you for info–

I certainly wouldn’t count on it. They weren’t secure 10 years ago, but perhaps they are better these days.

Not secure. Any public access computer is not to be trusted.

It would astonish me if any computer that other people had physical access to could even be made secure. You might guard against script kiddies but likely not even that.

Most libraries in a major city are going to run something like Deep Freeze on their computers, so rebooting the computer should erase any personal information. That said, it’s a question I would ask of the library, and I’d ask it something like “I need to do some financial business. Do you use any software such as Deep Freeze” on your machines?"

Even then, most libraries will say you access sites (including conducting financial business) on their computers at your own risk. Check the policies for the library you’d go to.

Also, FWIW, I work in a library and I wouldn’t access my financial info from one of the public computers here unless I had no other options.

I know for a fact that my local library runs all the computers through a monitor, and they have called the police when they glanced at the monitor and saw someone doing something pedo-philish. So even setting aside the question of malware, the library staff has the ability to see everything you do.

My college library has a couple of public computers set aside that are dedicated to specialized uses, and the librarian will open one up for patrons upon request. But I have no knowledge about what security enhancements they might have. But I was once referred to one when the regular bank of computers was unable to process a print job that got blocked.

At my library when you log in the system creates a brand new virtual machine for you. You do all your stuff, and when your session ends the VM shuts down. And when the next user logs in, a brand new VM is created for them.

You shouldn’t assume that any public computer is secure.

One risk is something called key loggers. These are programs which save every keystroke you enter. They can be installed on the computer to save everything you type. Some of them aren’t even in the computer. A hacker unplugs the keyboard, puts a USB key logger on the plug of the keyboard, and then plugs it back into the computer. The hacker comes back hours or days later to collect the key logger and has a record of every character typed on that computer.

And you never really know how well the IT team at the library are at managing security. If they do it poorly, it’s easy for hackers to get on the computers. And there’s always the chance that someone in IT is a criminal and is hacking the computers himself.

And we can vouch for the cleanliness of the VM how? And of the hypervisor how? And of the hardware how?

I work in a private university library but we do get a wide variety of patrons, including the general public.

Deep Freeze does a bunch of things, but securing a web session isn’t one of them. It also can’t know if a hardware keylogger has been connected. (And yes, this exploit has happened on a computer at our institution.) It also doesn’t prevent any hacks or previous sessions from affecting you. Its primary function is to return the computer to the state it was in the last time the computer state was frozen. This can wipe out all kinds of software exploits, even root kits, but it’s just one tool.

If you urgently need to process a financial transaction, do it at home or call them on the phone.

(I’m not an IT security guy, just been doing computers for 35 years or so.)

I am an IT security guy. :slight_smile:

Never use a public computer for anything sensitive like accessing your financial information. As others have said, you may not be able to trust that the library staff has implemented effective security and privacy controls. They may have the machine locked down very well, or they may not. Even if the software is locked down, there is always the possibility of someone installing a hardware keylogger (as noted upthread). The only thing I would ever use a library PC for is casual web surfing.

Some people have no choice. If you turn on two factor authentication then you’re fine. Eg a lot of banks have an option to send an SMS passcode to your phone to logon as well as using the password. If you have this enabled then even in a worse case that someone captures your password with a keyboard sniffer they still can’t do anything unless they also rob you and steal your phone.

I’ve had to use internet cafes while travelling on occasions to access internet banking. I always have two factor authentication and I’ve never had a problem

This is highly irregular. I’ve worked for libraries for 20 years and I have never heard of any library doing Internet access this way.

And I’ll echo others that some combination of Deep Freeze and/or VMware is a pretty standard setup for the vast majority of public libraries. They make things pretty secure, but if you can avoid using a public computer for financial stuff, I’d go with that option.

I can think of two ways to defeat a keylogger, but I don’t know if they would work of not. One way would be to use an onscreen keyboard. Another way would be to email myself (from another location) my logon user names and passwords for financial accounts, and then open my email and copy/paste those into the text entry fields to access my account.

That’d work to defeat a hardware keylogger plugged in between the keyboard & PC. It would do nothing to defeat surreptitious keylogging software.

Um two factor authentiction defeats keyboard sniffers as I said above . Use it . You bank will know what it is even if you don’t .

Not all sites offer two factor authentication. 2FA does provide protection against password exposure (as long as the second factor is an unpredictable one-time code). That’s not the only risk of using untrusted machines, though.

If your bank doesn’t offer 2FA for your online banking thats a good reason to change to another bank. Every bank in Australia and Thailand that I’ve used offers 2FA. Google Apple and PayPal now also have the option for 2FA if you turn it on. Yes there are other risks, but this is the main one people are concerned about when using a public computer.