The next time you’re traveling and see a hotel computer, think twice before entering passwords and any other sensitive data into the machine. In fact, avoid doing it at all.
Public computers aren’t safe or secure, the U.S. Secret Service says, and criminals have been loading keystroke-logging malware onto hotel computers in order to steal anything at all that a guest types, security expert Brian Krebs reported.
The Secret Service and Department of Homeland Security recently issued a broad warning to the hospitality industry about multiple keylogging attacks in hotels in the Dallas and Fort Worth area of Texas.
“The attacks were not sophisticated,” the July 10 warning letter reads, “requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software.”
Instead, the recently arrested suspects “utilized a low-cost, high-impact strategy” in order to record and access everything hotel guests carelessly typed into the compromised public computer.
The letter says that hotels allowed guests administrative access to their computers, essentially giving them free rein over the machine and allowing them to easily install any program—malware included—that can attack subsequent guests.
“The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”
Krebs, an excellent information security journalist, is not optimistic about any fix.
“The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer,” he wrote.
The trick, then, is to act accordingly. Treat any public computer, especially those that allow users USB or CD access, as potentially compromised. Avoid entering passwords and private data because there is no way of knowing whether or not they’ll be easily stolen.
Public computers are often essential, especially to travelers who might be a world away from their own machines. But unless hotels start lending out loaner computers that have been wiped and audited—fat chance—you’re never going to be even close to 100 percent sure about the security of the screen in front of you.