I'd like to know if there are any tips when using Internet cafes for banking use or money transfer.
I know the best method is to have your own computer/laptop, but unfortunately I can't take one along with me, and I'll be needing to do some quick banking online while away.
Are there any tactics to trick keyloggers or anything? Any signs to look out for before using the computers of a dodgy place?
That really is the best advice I can give. The only advice that I can give in good conscience. There are 'tricks' to defeat outdated generations of keyloggers, like copy/pasting characters and switching between programs - but any modern keylogger will be able to keep track of such things, and so that only increases your "security" marginally - which means that the risks are still too great.
Give your login details to a trusted family member back home, and let them do the banking for you.
(Of course, you're sure to next get a dozen reactions from people who have done online banking in internet cafes, and have not (yet) seen any dodgy transfers as a result. As the saying goes, however, "the plural of anecdote does not equal data". Statistically speaking you still have a large chance of not being at risk when using any given computer; but the percentage of infected public computers is creeping ever upward, and the resulting damage is just too large to risk. (Especially since most banks these days have policies where you are responsible for safeguarding your own login details, and won't be covered for unauthorized transfers if you didn't.))
If you abso-, abso-, absolutely must do the online banking yourself, switch to a bank using one-time pads or a token based challenge-response system (like those keypads which need your debit card and your pin), and be paranoid on every single page where you enter the data from this to make certain it shows both the padlock and has the right domain in the URL bar. (To prevent man-in-the-middle attacks, which are the major remaining real risk when using such non-repeatable authentication. However, even with that you're still at risk, as an attacker could have poisoned the DNS cache, and added an exception for the faulty certificate in the browser. That's just a much less likely scenario than merely having installed a keylogger, but as far as I'm concerned, it's still way too realistic to ever risk it.)
Sander, what about systems that, on top of username+password, require you to authenticate every single transaction with a TAN code? Or does the middle-man scenario still hold in such cases?
I am constantly on the road. At one stage without a laptop. And had to use online banking. It really was not a good experience. Not that anything happened to my account. But like Sander said accessing through a public computer is not safe. During that time my flash drives and memory cards all got viruses from public computers. Only when I bought a new laptop could I handle the problem.
Another possible solution is to use an online bank that has telephone access. Though I have heard bad things there like, phone taps monitoring what keys you press. I have a cc company that emails me a statement every month. It's blank and contains no account info. I can at least see there if anything is up.
Another option is to tell your bank manager where you are doing, most banks have call centers these days which can answer your questions, but maybe not conduct transactions.
Another option again is an account that does not allow transfers.
A PDA might help, as it might be more affordable to buy and allow internet access. But then there are people who say never conduct online banking over a wireless network too.
So perhaps the safest option is to get someone at home to do it if possible!
A :S topic if there ever was one. (as in a scary one, not a crappy one)
What about hostels? I know internet cafes can be dodgy, but what about computers in hostels? Are they slightly better? I have to do online banking, as well. My parents can do it for me, but there will be times when they won't be able to... and I'll have to do it myself. Also, I heard of people going to the closest library to use a computer... what about those? Or is it all just as bad? I haven't had problems using alien computers at home, yet (like ones in libraries and things like that, I mean), so I don't know much about it.
Do memory cards get viruses easily? Or often? I've got one for my camera, I didn't think it would be affected if plugged into the USB.
Any "public" computer (that is a computer which people can use without there being a trail of who did what on the computer; so yes, hostel and library computers also count) has a highly elevated risk of being infected. Hostel computers are safer on the one hand, in that it's harder for someone not staying at the hostel to use them - but much worse on the other hand, as the people running the hostel generally speaking have no idea about how to secure a computer, and so a previous user could've easily gotten the computer infected by a keylogger just by downloading and opening the wrong attachment from his hotmail account. (Most people running internet cafes also don't have a clue about security, but at least there's some internet cafes run by knowledgeable people. Still, those remain at risk of being purposefully targeted by someone with even more knowledge and the ability to really hide the keylogger, which is a much more threatening scenario than random keyloggers spread by various viruses.)
If you plug in a memory card through a card reader with USB cable, or if your camera acts as a "portable hard disk" for the computer (most do), then yes, there's a risk of viruses spreading through the memory card. It's really no different than a floppy disk was, and before the internet, that used to be the primary medium through which viruses spread.
Of course, that's virus (worm, properly) in general. I don't know what the primary mechanism is through which keyloggers spread.
bentivogli: I'm not certain what you're referring to with "TAN code". If it's different for each transaction (and you have to use them in sequence), then that's close to what I referred to as "one-time pad". However, yes, that remains at risk for man-in-the-middle attacks. Basically you don't connect to the bank's website, but rather to a website controlled by the attacker, which most of the time just requests pages from the bank's website themselves, and shows them to you. So you're basically using your bank's website through an intermediary, and that all stays the same right up to the point where you make a transaction... then the attacker changes the data that gets sent to the bank (including your TAN code), for example the amount of money that you're transferring and the account it's getting sent to.
On trusted computers, the protection against this is using an encrypted and authenticated connection (the padlock / gold URL bar) to a domain (with the encryption/authentication ensuring that you're really connected to that domain, and not to someone in the middle). However, a browser on a public computer could be subverted in such a way that that protection doesn't work anymore. As I said, that's a much less likely attack (at this point in time it would be almost certainly dedicated criminals purposefully targeting those computers; although I suspect common viruses will be taking this route within the next couple of years) - but its consequences are the most dire...
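The tampering described in the reply above, modelled from the bank's side as an added example (not part of the original thread): a sequential TAN is checked without looking at the transfer, so it still verifies after the transfer details have been changed in transit. The example goes beyond the post by also showing a code derived from the transfer details on the customer's own token device; the HMAC scheme, function names, key and account numbers are all constructed for illustration and are not any bank's actual algorithm.

```python
import hashlib
import hmac

# Constructed sample values; none come from a real bank.
TAN_LIST = ["481516", "234201", "108342"]   # pre-issued codes, used in sequence
DEVICE_KEY = b"constructed-demo-key"        # secret shared by bank and token device


def bank_accepts_list_tan(tan, next_index, account, amount_cents):
    """Sequential TAN check: account and amount are never part of the check."""
    return hmac.compare_digest(tan, TAN_LIST[next_index])


def transaction_code(key, account, amount_cents):
    """Six-digit code derived from the transfer details (truncated HMAC-SHA256)."""
    msg = f"{account}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_accepts_bound_code(code, account, amount_cents):
    """The bank recomputes the code over the transfer it actually received."""
    expected = transaction_code(DEVICE_KEY, account, amount_cents)
    return hmac.compare_digest(code, expected)


def simulate():
    intended = ("NL00DEMO0000000001", 5_000)     # what the customer entered
    received = ("NL00DEMO0000000999", 250_000)   # what the bank gets after tampering
    list_tan = TAN_LIST[0]
    # Computed on the customer's own device from the details the customer entered.
    bound = transaction_code(DEVICE_KEY, *intended)
    return {
        "list_tan_accepted_for_altered_transfer":
            bank_accepts_list_tan(list_tan, 0, *received),
        "bound_code_accepted_for_intended_transfer":
            bank_accepts_bound_code(bound, *intended),
        "bound_code_accepted_for_altered_transfer":
            bank_accepts_bound_code(bound, *received),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {accepted}")
```

The bound code only helps if the customer enters or confirms the account and amount on the separate device, not on the public computer's screen.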
At least 2 banks in the US allow for virtual account numbers (you don't use your real credit card number when purchasing online). I don't know if these cards can be used by non-US residents. Read about it here:
[ Edit: Edited on Jul 31, 2008, at 11:21 AM by Daawgon ]