Having used a couple of hotel lobby computers the past weekend… I’m wondering how safe they are or how one can protect himself.
Was it unwise to log into eBay and PayPal?
I did delete the cookies, temp files and history each time I was done but I’ve got the feeling that if someone wanted to pre-arrange for bad things to happen he could.
I see that the OP asked about the risk. On the one hand it is certainly possible to packet sniff, or install key logging software on a public computer.
It is often pretty much all these folks can do to keep the machines working in the first place. As a result, they often contract with an outsider to recover from problems. This might be a professional, or it might be the owner’s h4x0r nephew.
One partial solution would be carrying a portable applications USB thumb drive. This can be encrypted if you like, and password management solutions might (and well might NOT) foil keystroke loggers. If nothing else, it lets you use Firefox, or Opera instead of IE.
I would call logging into any confidential or financial site on a public computer a clear no-no. If you like, I can point you at dozens of instances where such computers were compromised, and with them, the passwords of their users. For every instance where the compromise was covered in the media (usually only the larger and self-acknowledged cases) there are probably a hundred where the direct evidence is silently erased by a daily/weekly/monthly reimaging, leaving only dark suspicions in the minds of long-gone patrons when they get their next month’s statement.
What is “reimaging”? It’s the simplest way to “clean up” a computer: create a disk image of the OS/settings/software, save it to a bootable CD/DVD, and use it to periodically restore the computer to a pristine state. As noted, most public terminals are run by organizations with limited resources to devote to them. They aren’t the primary business of a hotel, library or copy shop – and even Internet cafes generally take this easy way out.
Though a computer can be “locked down” to reduce the risk of a compromise, this also limits its usefulness. The business loses the benefits of offering a computer if it won’t do what the would-be user wants, in a manner that is immediately obvious. It’s an eternal conflict in computer administration everywhere.
The bottom line is that any computer you do not physically control may be compromised. Solutions like portable apps, VPNs, encryption, etc. will work but not if someone has already installed or rootkitted the machine with a keylogger.
There are even hardware keyloggers that sit in-line with the keyboard plug that can be essentially undetectable. I’ve heard the suggestion of using the Windows keymapper to essentially type with your mouse. This, too, could be defeated if someone worked hard enough.