InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity March 2010
Security Basics

Surfing online at a Cyber Café? – Take Precautions

Surfing online at a cyber café is an everyday occurrence. But have you ever thought about securing your personal data while at a cyber café, or about the security threats you may face while using one? In this article the author explains the security challenges of surfing online in a cyber café and shares his recommendations for addressing them.

Computers located in public locations can be subject to criminals working to install software on vulnerable machines to capture users’ personal information. The compromised usernames, passwords, credit card information, bank account information and address book entries can then be used in fraudulent and criminal activities.

For example, Ram is a regular cyber café user, and his personal information is captured without his knowledge.  A series of potential fraudulent activities is then set in motion:

  • His username and password can be used to login to his email accounts or social networking sites like Facebook or Orkut, at which point the criminals access his address book contacts and target them for junk email messages with profane content or social engineering attacks. 

  • Or, emails with criminal intent like terror emails can be sent from Ram’s account, potentially resulting in Ram’s name being dragged into criminal investigations. 

  • Or, Ram’s username and account details could be used to access his e-banking or e-brokerage Web sites, and fraudulent money transfers or stock trades can be executed on his behalf.

  • Or, Ram’s credit card number can be used to make fraudulent purchases at e-commerce sites. 

As you can see, there are a multitude of ways that compromised credentials can be used fraudulently—and without the end-user’s knowledge.  It is very important to also note that these activities might not occur immediately after the information is captured. The information could be sold to different parties and can be used over a long period of time. This makes it all the more important to be aware of the various ways in which personal information can be captured and take precautions to lower the risk.

What are some of the ways personal information can be collected?

  1. Spyware: Spyware is malicious software that gets downloaded to a computer without a user’s knowledge when he or she visits a Web site. Such a download could take place from a malicious Web site or even a legitimate, but compromised Web site. The spyware could be downloaded to a public computer or a user’s home computer. Spyware programs run in the background and can record information in real-time as it is being typed into a Web site by a user. The software can store the information locally on the computer or forward it to a remote malicious computer. Typically, spyware applications collect information about a user’s session, such as the particular sites visited, login names and passwords, credit card numbers, dates of birth – information malicious organizations can leverage for fraudulent activity.

  2. Key logger applications: These are slightly more sophisticated spyware applications that can record a user’s key strokes as they are being typed on the keyboard. They can capture sensitive information like passwords (which typically show up as “*” when typing) or credit card numbers even when a Web site and browser have set up a secure, encrypted channel of communications.

  3. Proxy servers at cyber café sites: Proxy servers are like filters through which all the Internet connections in a cyber café are sent. Depending on the settings within the proxy server, data from unencrypted browsing sessions can be captured. This could allow personal user information to be extracted from Web site traffic and stored for later use.

What are some basic precautions for lowering the risk of personal data theft at cyber cafes?

  1. Ideally, try to restrict browsing to information-only Web sites like news sites. Avoid using public computers for accessing any e-banking, e-brokerage, e-commerce Web sites which require you to divulge personal information like usernames or passwords.

  2. Check virus protection on the machines; make sure there is antivirus software running (ask the cyber café attendant if needed) by checking the system tray at the bottom right of the desktop. Make sure the antivirus data files are updated on a regular basis. Most antivirus software shows the update status of the data files when the user clicks on the application in the system tray.

  3. Make sure the Web site you are visiting has an “https” prefix before entering the username, password or any sensitive personal information. This will ensure that all the data going from the browser to the Web site will be over a secure encrypted channel.

  4. Do not click on any links that look suspicious in an email even if they are from a known contact. Since the security and antivirus protection of the machine is not under your control, you could be exposing your logged in email session to spyware attacks.

  5. Never store usernames or passwords when Windows or Internet Explorer prompts you to save the information.

  6. Make sure to log out of all Web sites that were visited during a session. Also, make it a point to clear out the browser cache. On Internet Explorer, go to the Tools menu, choose Internet Options and then click on the Delete Cookies, Delete Files and Clear History buttons and press OK on subsequent popup windows.

  7. If you notice any unusual activity or pop-up windows during your browsing sessions, log out of all applications, clear your session, and inform the cyber café attendant.

What are some additional steps to avoid the loss of personal data?

  1. To minimize impact of key logger applications, use the virtual keyboard displayed on Web sites. A number of banking and ecommerce Web sites provide the user the option of using a virtual keyboard. Enable this for cyber café sessions. The keyboard layouts keep changing for each session, making it extremely difficult for an application to track the key a user has clicked.

  2. Another way to reduce the clarity of the data collected by key loggers is to enter data in multiple fields in a random order (e.g. enter one character in the name, one in the address, one in the phone number and go back to the name), and to enter more data than is expected in the fields.

  3. Visit sites that require multiple factors of authentication. This will lower the risk of personal data loss even if the username and password are compromised. A number of sites not only accept a username and password but also require users to enter additional information, such as a one-time password (OTP) that is generated by a token, smart card or SMS-enabled mobile device.

  4. Reduce the risk of being exposed to phishing attacks by verifying that the sites you visit bear the “https” prefix and display a green colored browser address bar. Phishing sites are fraudulent sites set up to look like original sites but, in actuality, act as a middleman to steal personal data. The green address bar means that Extended Validation SSL (EV SSL) certificates have been installed to verify that a particular Web site truly belongs to the entity it claims to represent. If the browser address bar turns yellow, this means that the browser cannot verify that the certificates are up to date and valid. If the browser address bar turns red, this means that the browser suspects a fraudulent and unsafe Web site is being visited. You can review information about the Certificate Authority (CA) that issued the EV SSL certificates and, ideally, you will recognize the CA vendor through visual signs and online trust marks such as the VeriSign Secured Seal.
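The changing virtual keyboard layout from step 1, as an added example that is not part of the original article: it models a logger that records only which on-screen position was clicked, and shows that those positions decode to the right PIN only under the layout of the session in which they were recorded. The function names, the sample PIN and the two layouts are constructed for illustration.

```python
import secrets

KEYS = "0123456789"

def new_session_layout():
    """Return a fresh random arrangement of the keys for one login session."""
    layout = list(KEYS)
    # Fisher-Yates shuffle driven by the operating system's CSPRNG.
    for i in range(len(layout) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        layout[i], layout[j] = layout[j], layout[i]
    return layout

def clicks_for(pin, layout):
    """Positions the user clicks to enter `pin` (all a position logger sees)."""
    return [layout.index(ch) for ch in pin]

def decode(clicks, layout):
    """Site side: map click positions back to characters with this session's layout."""
    return "".join(layout[pos] for pos in clicks)

def demo():
    pin = "4071"                       # constructed sample PIN
    session_a = list("7294015836")     # constructed layout, session A
    session_b = list("3816509274")     # constructed layout, session B
    recorded = clicks_for(pin, session_a)
    # Same recorded positions, decoded under each session's layout.
    return recorded, decode(recorded, session_a), decode(recorded, session_b)

if __name__ == "__main__":
    recorded, in_a, in_b = demo()
    print("logged positions:", recorded)
    print("session A decodes to:", in_a)
    print("session B decodes to:", in_b)
```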

What are some other good security practices to follow for frequent online users?

  1. For Web sites that do not offer security measures such as EV SSL or one-time password authentication, be sure to change your passwords on a regular basis, especially after a cyber café visit.

  2. As a good security practice, do not keep sensitive information like usernames, passwords, bank account details, credit card numbers, and credit card statements in your emails. Most email sites do not provide additional security measures such as EV SSL or one-time password authentication, meaning that it is up to the user to lower the risk of personal information loss by not storing sensitive information in such accounts.

  3. Periodically check your banking account, credit card statement or e-commerce account to identify any potentially fraudulent transactions made on your behalf. Be aware that such fraudulent transactions could occur sporadically over a long period of time.

In summary, be very careful when browsing on any machine that is in a public location. Many of these tips will provide protection wherever you are browsing the Web. While these suggestions should lower the risk of personal data loss, existing and new vulnerabilities of operating systems and browsers are discovered and exploited on a daily basis.

Vigilance and self-education on the latest online security techniques are essential to your ongoing cyber safety.

*Note: Some of the suggestions mentioned above for Internet Explorer can be applied to other browser types as well.

—By: Suhas Prakashkumar, Director of engineering, VeriSign India, Bangalore.



© 2006-07 'InfoSecurity' magazine. All rights reserved.