Sometime you must have gone to a cyber cafe or used public computers to access the internet or mail. Public computers are most prone to password hacking. Anyone can simply install keylogger software to hack your password. Keylogging is one of the most insidious threats to a user's personal information: passwords, credit card numbers, etc. It is very easy for the keylogger to harvest passwords. Each and every keystroke (whatever you type on the keyboard) gets recorded in the keylogger software, and the person installing it can easily view what you have typed in.

For example, say you go to hotmail.com and check your mail. Say your ID is aaabbbccc@hotmail.com and your password is snoopy2. The keylogger software records your username and password in its log file as:

www.hotmail.comaaabbbccc@hotmail.comsnoopy2

Risky, isn't it? There's a solution to this problem, and you can easily fool the software! The keylogger software sees and records everything, but it doesn't understand what it sees; it does not know what to do with keys that are typed anywhere other than the password or user name fields. So if you enter random keys between successive keys of the password, the keylogger software won't ever come to know where you typed in what. In the process of recording the keys, the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. So...

1. Go to hotmail.com or yahoo.com or any other site where you need to insert a password or PIN.
2. Type in your user ID.
3. Type in the first character of the password.
4. Click on the address bar in the browser and type in some random characters.
5. Go to the password field again and type in the second character of the password, and probably the third too.
6. Go to the address bar again and type in a few more random characters.
7. Go back to the password field and type the next characters of the password. Keep on repeating the process till you have typed the full password in the password field.

Instead of the password snoopy2, the keylogger now gets:

www.hotmail.comspqmlainsdgsosdgfsodgfdpuouuyhdg2

Here a total of 26 random characters have been inserted among the 7 characters of the actual password! No doubt it takes a little more time than the usual process, but you are safe and secure that way!
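As an added example (not part of the original post), this Python sketch measures how much the interleaving trick hides, using the password and logged string quoted in the post. It assumes the logger records only the keystroke stream (no focus, mouse or screen data) and that the password length is known; the function names are illustrative.

```python
import math
from collections import defaultdict

# Strings quoted in the post: the password and the keystrokes logged after the URL.
PASSWORD = "snoopy2"
LOGGED = "spqmlainsdgsosdgfsodgfdpuouuyhdg2"


def is_subsequence(needle: str, haystack: str) -> bool:
    """True if needle's characters appear in haystack in the same order."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


def candidate_count(stream: str, length: int) -> int:
    """Count the distinct in-order selections of `length` characters from stream."""
    dp = [1] + [0] * length            # dp[j]: distinct subsequences of length j so far
    last = defaultdict(lambda: [0] * (length + 1))
    for ch in stream:
        for j in range(length, 0, -1):
            added = dp[j - 1]
            dp[j] += added - last[ch][j]   # subtract strings already counted for ch
            last[ch][j] = added
    return dp[length]


def hiding_report(password: str, stream: str) -> dict:
    """Summarise what the junk characters leave for someone reading the log."""
    k = len(password)
    count = candidate_count(stream, k)
    return {
        "password_still_present": is_subsequence(password, stream),
        "junk_chars": len(stream) - k,
        "upper_bound": math.comb(len(stream), k),
        "distinct_candidates": count,
        "equivalent_bits": round(math.log2(count), 1),
        # Assumption for comparison: a random password over a-z and 0-9.
        "random_lowercase_digit_bits": round(k * math.log2(36), 1),
    }


if __name__ == "__main__":
    for key, value in hiding_report(PASSWORD, LOGGED).items():
        print(f"{key}: {value}")
```

With the post's strings the upper bound is C(33, 7) = 4,272,048 candidates, so under these assumptions the junk narrows the search to a short list rather than hiding the password.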
I know that people can use monitoring software like a keylogger on the target computer, and then they can know all activities on the computer, including passwords and keystrokes. How does this defeat the loggers that also record screen captures?
You should not use a public computer to access any personally identifiable information. Those steps wouldn't be effective against modern malware. If it was a traditional keylogger, in Windows accessibility you can make a little keyboard pop up so you don't have to type any password. Using a public computer you could install a flash drive with a Linux OS, and then you would not be using any software installed on the public computer. For accessing your email or banking on a public network, you should connect to a VPN.
A keylogger could easily be written to record delete keypresses and other non-textual ASCII characters. Then you could write a script to quickly go through the output file and look for patterns, like removing delete characters along with whatever character precedes it. An attacker would also capture form data, or reverse engineer the forms by sitting in or near the public hotspot and running an access point and web server on their machine and pretending to be the access point and sending packets to deny legitimate connections to the real gateway and forcing you to connect to their machine, which would route traffic to the access point. Some pages or even page elements could be local on the attacker's machine, and if they had planned this they could easily have the network set up in such a way that it would be pretty hard to tell.
That's like a version of what's called the "man in the middle" attack. It's not difficult to use a packet sniffer to find an IP number, spoof that number to pretend that you are another user, then conduct a man in the middle attack. It's the same concept, kinda. As far as key loggers go, Ace is right. They can record anything, including mouse activity.
I would imagine that the attacker could set it up in such a way to resolve certain host names, such as those of popular banks and financial institutions, to the web server running on their own machine, where a version of the login page is stored which looks identical or very similar to the legitimate page. The forms are of course rewritten, and the attacker could be running a script that takes the form data and appends it to a file, and also loads the legitimate form and submits the form with the information the user entered on the fake login form. The script would then cause the user's browser to seamlessly redirect to the legitimate site; the user would then be logged into the site, not knowing that any phishing had taken place. If they lived in an apartment above an internet cafe they'd be set; they could run that shit 24/7 and collect credentials, then sell that shit in IRC channels.