Wednesday, June 01, 2005

using public computers abroad - beware!

On a recent trip to China, I was reminded of the precautions one should take when checking online accounts that require usernames and passwords on a public computer.

In the middle of a two-week trip to China, I decided to send email to some family and friends from Hongzhou, a beautiful resort town south of Shanghai. My 4-star hotel's Business Center had one Dell Computer for hotel guests. The computer's browsers were Chinese versions of FireFox and Internet Explorer, with the browser names written in English beneath the desktop icon. I selected FireFox, under the impression that it is "more secure" the IE. Earthlink's email was down for maintenance, so I could not use my personal email account.

I went to my university account, typed in my username and password, sent off two email messages, and closed FireFox. Then I opened up Yahoo Messenger to see if any of my buddies were online, then closed Yahoo Messenger when I realized I had forgotten to send a good friend a message. I re-opened FireFox and went to my university webmail login page. Much to my surprise, my username and password were already there. I clicked on the login button and got into my account again. Anyone could have gotten into my account.

I was upset. The university does not have a little checkbox to "remember my email login on this computer." And, as far as I remember, I did not click "yes" if/when FireFox asked me if I wanted its Password Manager to remember the login and enter it automatically the next time I returned to the site. (If I did, the pop-up was in Chinese and clicked naively.) The address menu pull-down arrow listed my university webmail page - and all the web pages that other hotel guests had visited recently. One could go to any of these pages, and the username and password were filled in automatically.

All of FireFox's menu's were in Chinese, so I could not figure out how to go into FireFox's preferences and clear the saved passwords and history, nor uncheck the "Remember Passwords" box. The person running the Business Center did not understand my concern and called for help. Eventually, a more technically savvy gentlemen from the hotel cleared the saved passwords and history - and the saved form information. He seemed to understand the problem clearly - and how to fix it. I re-opened the browser, went to my university webmail account, and my username and password were gone.

I was somewhat relieved, certainly glad that I had not visited my online banking account to move funds around. After returning home, I changed my university password. Any public computer can have a keystroke logger that collects keystrokes (the keys you type) and saves it as text.

RECOMMENDATIONS

* If you want to communicate with friends and family while on vacation, send postcards or buy a pre-paid phone card and call them.
* If you want to send email from a public computer while on vacation, set up a free account for the trip. Yahoo! Mail or GMail from Google are good choices. You can send email from this account by using the service's web-based login page, and check replies and change your password when you return home.
* If you are on vacation, read your email when you get home. Enjoy your vacation from technology.
* For business traveling that requires email, bring your own laptop. Make sure the laptop's firewall is working properly, and that your operating system, antivirus and spyware detection programs are up-to-date before you leave.

No comments: