Internet Cafe

[jimjom]

Hi there. i will be spending some time in thailand soon and i will be managing my finances over the internet, what i wanted to know is would it be safe for me to do this in an internet cafe or should i wait untill i get my own computer?. Thank's in advance for your answers.

Jimjom.

[Thaiquila]

Not safe. KEYLOGGERS!

[monochaser]

People are getting burned all the time in net cafes. I knew one guy who this happened to down in Nana, had 40K USD transferred out!

[Thaiquila]

Keyloggers also commonly capture data in the cut and paste buffer, so that trick doesn't fool them. And some of them take screen shots too.

Edited June 4, 2006 by Thaiquila

[LaoPo]

Hi there. i will be spending some time in thailand soon and i will be managing my finances over the internet, what i wanted to know is would it be safe for me to do this in an internet cafe or should i wait untill i get my own computer?. Thank's in advance for your answers.

Jimjom.

I do it all the time....can't get wrong! Absolutely foolproof!

WHY?

My bank (Europe) has a so called e.dentifier given out to every single client.

The steps:

1. you insert your bankcard into the e.dentifier

2. you have to install your personal code first into the e.dentifier

3. log-into your bank website and log-in your bankaccount number PLUS special card-number (which is now in the e.dentifier)

4. AFTER you do a payment the website asks to re-insert the bankcard again and do a whole lot of steps again, up to 3 times.

5. every time you get a new number; if you type the wrong number you will get a signal to start over.

6. Log-out from website.

Even in the case someone is 'scamming' the process and even if they would steal the e.dentifier AND your bankcard they would have to know the special code and coding-system.

Assuming they do that.....than they would have to read the website in my Mother-language ( ) and do the whole (complicated) process themselves

I'll tell you....it took me quite some time to get used to the system.

Apart from that...if they would steal my e.dentifier and card.....1 call to the bank and the account is blocked straight away.

I'm doing this for years; no problems whatsoever.

PS: I lost (or it was stolen) my bankcard on Samui 2 years ago....phoned the bank and through a friend (the bank NEVER send the card abroad) I had a new card in a few days by courier.

We have a very sophisticated (unless the US and other countries) banking system, far ahead of most countries!

LaoPo

Edited June 4, 2006 by LaoPo

[Rice_King]

I have been in your situation JimJom. As a minimum, I carry a USB thumb drive that I have installed two utilities on. One is Torpark and the other is Password Safe . Both of these utilities are FREE.

From the Torpark FAQ:

Torpark can be used to circumvent censorship firewalls, like at work or in China. It can also be used to substitute a current proxy configuration, such as if a DNS server refuses to allow resolution of some domains. And best of all, if there are no key loggers secretly installed on the machine, nobody is going to know where you went, what you saw, who you spoke to, or what you said. It is all encrypted in a tunnel between your computer, and at least three others somewhere in the world. Only after your data has passed through the encrypted and constantly changing tunnel (a tor circuit) will it reach the internet as unencrypted. The data from surfing the internet goes through the same tunnel as well, passing back to you encrypted, where your computer uses Tor to decrypt it to the Torpark browser. When you need a secret and secure tunnel to surf the internet, Torpark is your mobile solution.

Now if you read the above paragraph, you'll see where it says, "if there are no key loggers secretly installed on the machine, nobody is going to know where you went..." To ensure no key loggers will log my bank passwords, I use the second utility on my thumb drive, Password Safe.

Password Safe is a password database utility. It will keep your passwords securely encrypted. A single Safe Combination unlocks them all. Key loggers will be thwarted because you "cut & paste" your passwords instead of typing them. As an added precaution, when you close Password Safe, the Windows clipboard is cleared.

Just be sure your Password Safe password is unique. Do NOT use the same password for it that you use for your banking, mail, etc.. As stated earlier, the key logger will be able to log anything you type. This could include the password you type to open your Password Safe!

Also, be aware of where you sit and who may be looking over your shoulder, mirrors, windows, etc..

Granted, there will always be crooks. But at least they'll have to work at it if they're going to rip me off. I'm not going to roll over and give it to them.

DISCLAIMER: Please take this post as a security PRIMER. Not an "end-all" solution.

--RK

Edited June 4, 2006 by Rice_King

[silvero]

Rice, I would agree that a portable browser, especially tor, greatly improves privacy and security, however as for the password solution, I considered this method but I was concerned that if the Password Safe password was keylogged, and the actual Password Safe file copied from the USB key while inserted (not really hard), then you've totally had it? Haven't you?

[Rice_King]

Rice, I would agree that a portable browser, especially tor, greatly improves privacy and security, however as for the password solution, I considered this method but I was concerned that if the Password Safe password was keylogged, and the actual Password Safe file copied from the USB key while inserted (not really hard), then you've totally had it? Haven't you?

Not at all. The actual passwords are encrypted in the Password Safe database.

[Thaiquila]

As I said before, a common feature with keylogging programs is the ability to capture CUT AND PASTE data.

The system desrcibed where the bank issues you a one time password would of course be ideal, but most people aren't equipped that way.

[silvero]

Excuse me Rice, I might be a bit slow this AM, but if they have the Password Safe master password (keylogged) and the Password Safe database (copied from the USB key when inserted in a dodgy machine) how does this method protect you?

[Rice_King]

I think we can probably all agree that keyloggers are a serious issue, especially when using public systems.

I would like to add to my thumb drive "arsenal" a good keylogger removal application. If anyone here would like to recommend one, especially a "portable" solution that could be installed on a mobile device, it would be of high value to many folks including myself.

[Thaiquila]

I think we can probably all agree that keyloggers are a serious issue, especially when using public systems.

I would like to add to my thumb drive "arsenal" a good keylogger removal application. If anyone here would like to recommend one, especially a "portable" solution that could be installed on a mobile device, it would be of high value to many folks including myself.

Wouldn't net cafe owners object to installing your own program onto their machine?

[Rice_King]

Excuse me Rice, I might be a bit slow this AM, but if they have the Password Safe master password (keylogged) and the Password Safe database (copied from the USB key when inserted in a dodgy machine) how does this method protect you?

No, I think it is ME who is the slow one here today Silvero.

The answer should have been YES, with prejudice to the following:

IF the "*.dat" file were stolen from the flash drive whilst inserted into the public computer, and IF the thief knew what specific application (in this case Password Safe) or the exact encryption method used (blowfish, AES, Triple DES, twofish, etc.) then YES your password database could be compromised.

My mistake.

--RK

[Rice_King]

Wouldn't net cafe owners object to installing your own program onto their machine?

The keylogger remover / blocker would not be installed on their machines. It would be on the thumb drive and it would just remove or block the logger from working.

Besides, many cafe owners probably don't even know or realize that someone has installed the keyloggers on their machines in the first place. I am certain many are clueless or just don't care.

Edited June 4, 2006 by Rice_King

[xyz]

Hi there. i will be spending some time in thailand soon and i will be managing my finances over the internet, what i wanted to know is would it be safe for me to do this in an internet cafe or should i wait untill i get my own computer?. Thank's in advance for your answers.

Jimjom.

I do it all the time....can't get wrong! Absolutely foolproof!

WHY?

My bank (Europe) has a so called e.dentifier given out to every single client.

The steps:

1. you insert your bankcard into the e.dentifier

2. you have to install your personal code first into the e.dentifier

3. log-into your bank website and log-in your bankaccount number PLUS special card-number (which is now in the e.dentifier)

4. AFTER you do a payment the website asks to re-insert the bankcard again and do a whole lot of steps again, up to 3 times.

5. every time you get a new number; if you type the wrong number you will get a signal to start over.

6. Log-out from website.

Even in the case someone is 'scamming' the process and even if they would steal the e.dentifier AND your bankcard they would have to know the special code and coding-system.

Assuming they do that.....than they would have to read the website in my Mother-language ( ) and do the whole (complicated) process themselves

I'll tell you....it took me quite some time to get used to the system.

Apart from that...if they would steal my e.dentifier and card.....1 call to the bank and the account is blocked straight away.

I'm doing this for years; no problems whatsoever.

PS: I lost (or it was stolen) my bankcard on Samui 2 years ago....phoned the bank and through a friend (the bank NEVER send the card abroad) I had a new card in a few days by courier.

We have a very sophisticated (unless the US and other countries) banking system, far ahead of most countries!

LaoPo

I've been doing this for a long time also and haven't gotten into any trouble yet. I use the ATM in LOS to withdraw money from my USA checking account, which I access through the internet cafes. This account cannot be used to wire money. It is possible to mail a check online to a person but only in the USA and only to those with a valid address and phone number. If someone associated with an internet cafe was able to sign in and send a check online to a contact in the USA, I could stop payment on it because I usually check my account at least every two days and I have 14 days to orally stop payment on a check.

Edited June 4, 2006 by xyz

[giffarine]

Hi there. i will be spending some time in thailand soon and i will be managing my finances over the internet, what i wanted to know is would it be safe for me to do this in an internet cafe or should i wait untill i get my own computer?. Thank's in advance for your answers.

Jimjom.

It is safe but don’t forget to Logout after each session.

[Thaiquila]

Hi there. i will be spending some time in thailand soon and i will be managing my finances over the internet, what i wanted to know is would it be safe for me to do this in an internet cafe or should i wait untill i get my own computer?. Thank's in advance for your answers.

Jimjom.

I do it all the time....can't get wrong! Absolutely foolproof!

WHY?

My bank (Europe) has a so called e.dentifier given out to every single client.

The steps:

1. you insert your bankcard into the e.dentifier

2. you have to install your personal code first into the e.dentifier

3. log-into your bank website and log-in your bankaccount number PLUS special card-number (which is now in the e.dentifier)

4. AFTER you do a payment the website asks to re-insert the bankcard again and do a whole lot of steps again, up to 3 times.

5. every time you get a new number; if you type the wrong number you will get a signal to start over.

6. Log-out from website.

Even in the case someone is 'scamming' the process and even if they would steal the e.dentifier AND your bankcard they would have to know the special code and coding-system.

Assuming they do that.....than they would have to read the website in my Mother-language ( ) and do the whole (complicated) process themselves

I'll tell you....it took me quite some time to get used to the system.

Apart from that...if they would steal my e.dentifier and card.....1 call to the bank and the account is blocked straight away.

I'm doing this for years; no problems whatsoever.

PS: I lost (or it was stolen) my bankcard on Samui 2 years ago....phoned the bank and through a friend (the bank NEVER send the card abroad) I had a new card in a few days by courier.

We have a very sophisticated (unless the US and other countries) banking system, far ahead of most countries!

LaoPo

I've been doing this for a long time also and haven't gotten into any trouble yet. I use the ATM in LOS to withdraw money from my USA checking account, which I access through the internet cafes. This account cannot be used to wire money. It is possible to mail a check online to a person but only in the USA and only to those with a valid address and phone number. If someone associated with an internet cafe was able to sign in and send a check online to a contact in the USA, I could stop payment on it because I usually check my account at least every two days and I have 14 days to orally stop payment on a check.

You bring up an interesting point. If a keylogger gets your password for online banking, what harm exactly can they do? I guess it depends on the power you have on your online banking account. If transfers to outside accounts were possible, the danger is obvious.

Of course, keyloggers are of course interested in credit card transactions, especially when your name, address, and credit card security code are part of it.

Keyloggers are more common than many people realize. And they also quite commonly come onto home computers through malware.

[rishi]

The keylogger remover / blocker would not be installed on their machines. It would be on the thumb drive and it would just remove or block the logger from working.

Besides, many cafe owners probably don't even know or realize that someone has installed the keyloggers on their machines in the first place. I am certain many are clueless or just don't care.

And those, who care, might have a firewall running, that blocks anything but known programs. Any program run from a thumbdrive would be unknown (incl. eg. Firefox in a version identical to the Cafe's). This is because firewalls usually use the whole program-path to identify known programs.

(Consequently, if you can run programs from your thumbdrive - not much protection on that computer).

// deleted a couple of misplaced end-quotes

Edited June 4, 2006 by rishi

[Thaiquila]

There are also cases where the net cafe owners or staff actually install the keyloggers themselves and then sell the captured info to organized crime (a lot of such types are in the Ukraine). It is not wise to trust public computers anywhere, and certainly not in Thailand.

Edited June 4, 2006 by Thaiquila

[peterjackson]

Hey

My company actually sell 'key logging' type programmes, albeit much more powerful than your average key logger. There is basically nothing that we can't capture and we also have the ability to 'control' the programmes parameters remotely.

We focus on licensing our technology to law enforcement agencies around the world and are recognised as being the leaders in this field.

My advice is to treat any computer you don't have 100% control over, as a possible key logging machine.

Regards

Peter

[tjo o tjim]

Another option is to go with something like ###### Small Linux on a thumbdrive and reboot the machine to your thumbdrive to use.

Ther more sophisticated shops might object, especially if screws up their billing system. They might also prevent booting from a usb device.

If you combine this with something like password safe you should be able to even get around any hardware keyloggers- or just play the "type an alphabet and copy qand paste the letters for your password" game.

My US bank has a great feature to protect my account- they show me a pre-selected picture so I know it is really their site! What moron came up with that type of scheme?!

If you can't afford to lose the money, you can't afford to use internet cafes. It's a shame there isn't a universal "e.dentifier" type of device that can be used to authenticate to any site.

[Thaiquila]

Hey

My company actually sell 'key logging' type programmes, albeit much more powerful than your average key logger. There is basically nothing that we can't capture and we also have the ability to 'control' the programmes parameters remotely.

We focus on licensing our technology to law enforcement agencies around the world and are recognised as being the leaders in this field.

My advice is to treat any computer you don't have 100% control over, as a possible key logging machine.

Regards

Peter

Again, copy and paste is NO protection unless the keylogger is a very basic one that only captures typed in data, capturing from the copy and paste buffer is a very common feature!

Peter, I wonder if you know this. Isn't it true that there is no keylogger that captures data that is moved by DRAG and DROP?

[LindsayBKK]

I have been using Internet Banking 7 years and have never had a problem. Yes I use ATM's Bangkok. Like they say just make sure nobodies looking over your shoulder when you use them both. Yes change your pin numbers often. Avoid Wireless internet. Just to add, In Thailand they have scanners to search for mobile numbers. If you make mobile calls make them short.

Use these sort of programs to avoid problems:>

Clean up program link

Spyware program link

[Rice_King]

It is not wise to trust public computers anywhere, and certainly not in Thailand.

Is complete abstinence the answer? What if a tourist is visiting Thailand and doesn't have access to their own PC and they absolutely have to use their online banking service?

I say educate yourself of the risks, take every necessary precaution, and use the tools available. Don't make yourself or your data an easy mark.

Crooks like to target the weak. Make it a little difficult for them and they'll move on to the next potential victim.

--RK

[francois]

hi'

rule of thumb!

NEVER DO PRIVATE THINGS IN AN INTERNET CAFE !!

you can't be sure of :

who's the admin.

who does the maintenance.

how honnest they are.

they can sell infos to others, to avoid problems.

ask to a friend to borrow his com for a few minutes and then clean the cache

and reboot the machine

francois

[Thaiquila]

It is not wise to trust public computers anywhere, and certainly not in Thailand.

Is complete abstinence the answer? What if a tourist is visiting Thailand and doesn't have access to their own PC and they absolutely have to use their online banking service?

I say educate yourself of the risks, take every necessary precaution, and use the tools available. Don't make yourself or your data an easy mark.

Crooks like to target the weak. Make it a little difficult for them and they'll move on to the next potential victim.

--RK

Perhaps, but again, it depends on how sophisticated the keylogger is. If it takes screen shots (less common because it will slow down the machine) and captures copy paste data (very common), not sure it would be much of a challenge to get the data.

[Crushdepth]

I've seen (but not used) some internet banking systems where you need both a password and an access code that is generated by a small piece of hardware you carry around. The access code changes with time, and is only useful to login with for a couple of minutes.

The general idea is that capturing your password (or the code generator) will not enable someone to get into your account. They need to get both.

[LaoPo]

I've seen (but not used) some internet banking systems where you need both a password and an access code that is generated by a small piece of hardware you carry around. The access code changes with time, and is only useful to login with for a couple of minutes.

The general idea is that capturing your password (or the code generator) will not enable someone to get into your account. They need to get both.

See my post #5 where I explain that.

It's absolutely foolproof.

The problem is that many countries (read: Banks) still use old fashioned internet-banking systems.

LaoPo

[Sophon]

See my post #5 where I explain that.

It's absolutely foolproof.

The problem is that many countries (read: Banks) still use old fashioned internet-banking systems.

LaoPo

It's really not so much a question of banks being technologically "oldfashioned" in their choice of security systems.

Yes, for someone using a internet cafe in Thailand one-time passwords and physical devices creating these are definetely more secure. But for the vast majority of people, who log on to their Internet Banking system from their home or work PC, a personal password and a private/public key set-up is safe enough and much more convenient to use. And believe me, the customers do not want anything too complicated.

My own bank gives me an option of either set-up.

Sophon

[Thaiquila]

See my post #5 where I explain that.

It's absolutely foolproof.

The problem is that many countries (read: Banks) still use old fashioned internet-banking systems.

LaoPo

It's really not so much a question of banks being technologically "oldfashioned" in their choice of security systems.

Yes, for someone using a internet cafe in Thailand one-time passwords and physical devices creating these are definetely more secure. But for the vast majority of people, who log on to their Internet Banking system from their home or work PC, a personal password and a private/public key set-up is safe enough and much more convenient to use. And believe me, the customers do not want anything too complicated.

My own bank gives me an option of either set-up.

Sophon

Hi there,

I totally agree that those hand held devices that generate a ONE TIME USE password are incredibly secure! But most people don't have them.

I do not understand what you mean by

personal password and a private/public key set-up is safe

Could you please spell out exactly what you mean by that?

Thanks!