You’ve just checked into your hotel and gotten situated in your room. All that time on the plane has left you feeling a bit out of touch so you head down to the business center to do a quick check of your email. You’re in luck — there’s a free workstation just waiting there for you. You log in to your account, read a few, respond to some, delete some spam, log off and head for the gym feeling that everything is now in order. But is it?
Turns out that the person using that same PC a few hours ago opened an attachment that contained malware that installed itself on the system and has been recording every keystroke entered ever since. Making matters worse, all those email responses, web site addresses, credit card numbers and logins have also been surreptitiously forwarded to someone on the other side of the world who now has everything they need to take over your email, raid your bank account and run up charges on your credit card.
Krebs on Security has a good post on this threat along with a discussion of some preventative measures your hotel could have taken to protect you. The problem is, as the author points out, all of them can potentially be circumvented.
Of course, you could enable 2-factor (a.k.a. two-step) authentication on all your accounts, where a seemingly random set of numbers is texted to your phone and you then have to enter it after your account name and password (and you should!). But most people don’t want to be bothered with this extra step, and they are precisely the ones that the bad guys are counting on.
The bottom line is, if you don’t control the system you’re using (and you never do with a public terminal), you really have no idea who else might be listening in, so you should consider anything you type (including your password) to be public information.
The best thing you can do to avoid this scenario is simply to not use public workstations. It may be a pain to lug along your own laptop but it beats the alternative.