- The Washington Times - Tuesday, July 22, 2003

NEW YORK

Juju Jiang, for more than a year, was secretly recording information that Internet customers at several New York Kinko’s stores typed into computers, paying particular attention to their passwords.

Mr. Jiang had secretly installed, in at least 14 Kinko’s stores, software that logs individual keystrokes. He captured more than 450 user names and passwords — using them to access, and even open, bank accounts online.

The case, which led to a guilty plea earlier this month, after Mr. Jiang was caught, highlights the risks and dangers of using public Internet terminals at cybercafes, libraries, airports and other establishments.

“Use common sense when using any public terminal,” said Neel Mehta, research engineer at Internet Security Systems Inc. “For most day-to-day stuff like surfing the Web, you’re probably all right, but for anything sensitive you should think twice.”

Mr. Jiang was caught when, according to court records, he used one of the stolen passwords to access a computer with GoToMyPC software, which lets people remotely access their computers.

The GoToMyPC subscriber was home at the time and suddenly saw the cursor on his computer move around the screen and files open as if by themselves. He then saw an account being opened in his name at an tencing, admitted installing Invisible KeyLogger Stealth software at Kinko’s as early as Feb. 14, 2001.

The software is one of several keystroke loggers available for businesses and parents to monitor their employees and children.

The government even installed one such program to capture a password that the son of jailed mob boss Nicodemo “Little Nicky” Scarfo used to access files on his computer.

Earlier this year, a former Boston College student pleaded guilty to using similar software on more than 100 computers around campus to collect passwords and other data to create a campus ID card for making purchases and entering buildings illegally, authorities say.

Mr. Mehta said that although millions of people use public terminals without trouble, they should be cautious.

“When you sit down at an Internet cafe, ask the owner or operator about the security measures in place,” he said. “If they don’t know or don’t have anything in place, you could consider going somewhere else.”

Encrypting e-mail and Web sessions does nothing to combat keystroke loggers, which capture data before the scrambling occurs. But encryption can guard against network sniffers — software that can monitor e-mail messages, passwords and other traffic while it is in transit.

Data cookies also contribute to the risk of identity theft. Cookies are files that help Web sites remember who you are so you won’t have to keep logging onto a site.

But unless you remember to log out, these files could let the next person using the terminal to surf the Web as you.

Furthermore, browsers typically record recent Web sites visited so users won’t have to retype addresses. But such addresses often have user names and other sensitive information embedded.

Secure public terminals should by default have provisions for automatically flushing cookies and Web addresses when a customer leaves, Internet security experts say.

Kinko’s spokeswoman Maggie Thill said the company takes security seriously and believes it has “succeeded in making a similar attack extremely difficult in the future.”

Nonetheless, Miss Thill said customers have a responsibility to “protect their information as they would a credit-card slip.”

At one Kinko’s that authorities said Mr. Jiang targeted, a sign attached to individual $18-per-hour stations says: “Be safe. Protect your personal information.”

Richard M. Smith, a security consultant in Cambridge, Mass., said customers could also use certain techniques to foil keystroke loggers. When typing in sensitive information, for instance, he suggests cutting and pasting individual characters from elsewhere to form the password.

No keys depressed, no characters logged.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times is switching its third-party commenting system from Disqus to Spot.IM. You will need to either create an account with Spot.im or if you wish to use your Disqus account look under the Conversation for the link "Have a Disqus Account?". Please read our Comment Policy before commenting.

 

Click to Read More

Click to Hide