Public Library computers

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
User avatar
Topic Author
Mr. Potter
Posts: 1048
Joined: Wed Mar 18, 2015 7:50 pm
Location: Undisclosed Lake, MN

Public Library computers

Post by Mr. Potter »

I have deep concerns about accessing my accounts at say a coffee shop with free wireless WiFi but what about a public library with hard wired data? Anyone had issues?
Last edited by Mr. Potter on Thu Jan 31, 2019 1:14 pm, edited 1 time in total.
Rupert
Posts: 4122
Joined: Fri Aug 17, 2012 12:01 pm

Re: Public Library computers

Post by Rupert »

I'd be willing to bet the internet security at Starbucks is better than at your public library.
User avatar
Topic Author
Mr. Potter
Posts: 1048
Joined: Wed Mar 18, 2015 7:50 pm
Location: Undisclosed Lake, MN

Re: Public Library computers

Post by Mr. Potter »

I thought wireless was easier to hack
02nz
Posts: 10510
Joined: Wed Feb 21, 2018 2:17 pm

Re: Public Library computers

Post by 02nz »

There are vulnerabilities in both scenarios, I wouldn't recommend doing either. But keep in mind that any online account access you do with Vanguard, Fidelity, BoA, whatever, will itself be encrypted. Even if somebody hacked the wifi and captured all of the data sent through it, or you did all of that over open, unencrypted wifi (like at Starbucks), they'd still only see your encrypted transmissions. They'd have to also crack your browser's encryption. Not absolutely impossible, but a lot harder than just cracking the wifi.

In the other scenario (library), if that computer has been infected with malware (like a keylogger that captures your password), you're far more vulnerable.
Last edited by 02nz on Thu Jan 31, 2019 1:23 pm, edited 2 times in total.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Public Library computers

Post by 2015 »

I never access my accounts anywhere but a dedicated laptop at home. In my view, accessing accounts away from home is asking for trouble.
Iridium
Posts: 768
Joined: Thu May 19, 2016 10:49 am

Re: Public Library computers

Post by Iridium »

Oak&Elm wrote: Thu Jan 31, 2019 1:13 pm I have deep concerns about accessing my accounts at say a coffee shop with free wireless WiFi but what about a public library with hard wired data? Anyone had issues?
The risk is low in either case, but you are more vulnerable using a library computer than using a coffee shop WiFi. In the former case, you are actually typing your password into a device that you do not own; you have to trust that security at the library is very good and that the keyboard is actually just a keyboard.

Is the 'avoid coffee shop WiFi' even still relevant advice? Websites now encrypt the entire site, rather than just the login page, browsers are pretty robust against attack, and Windows is doing a better job of not being vulnerable to machines on the same network.
User avatar
RickBoglehead
Posts: 7877
Joined: Wed Feb 14, 2018 8:10 am
Location: In a house

Re: Public Library computers

Post by RickBoglehead »

I would never use a public computer to access anything related to my finances.

When I use public WiFi, I use a VPN, which my university provides free to alumni, students, and faculty.
Avid user of forums on variety of interests-financial, home brewing, F-150, EV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Public Library computers

Post by jebmke »

I only use my desktop connected to my router with a wire. I would never use a public device or a mobile device.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
GoldStar
Posts: 959
Joined: Wed May 23, 2018 10:59 am

Re: Public Library computers

Post by GoldStar »

Iridium wrote: Thu Jan 31, 2019 1:49 pm
Oak&Elm wrote: Thu Jan 31, 2019 1:13 pm I have deep concerns about accessing my accounts at say a coffee shop with free wireless WiFi but what about a public library with hard wired data? Anyone had issues?
The risk is low in either case, but you are more vulnerable using a library computer than using a coffee shop WiFi. In the former case, you are actually typing your password into a device that you do not own; you have to trust that security at the library is very good and that the keyboard is actually just a keyboard.

Is the 'avoid coffee shop WiFi' even still relevant advice? Websites now encrypt the entire site, rather than just the login page, browsers are pretty robust against attack, and Windows is doing a better job of not being vulnerable to machines on the same network.
The threat with open WiFi is primarily still man-in-middle attacks from what I understand - you might think you are connecting to "Starbucks" but you missed the fact that it was spelled "Starbuucks" which is a wifi I set up while I'm in your coffee shop. So now you are on my wifi and I have a server that let's most traffic through but mimics popular banks and brokerages if you go to one of them. My server is set up to look just like your banks login page (I will set up one for Chase, Bank-of-America, etc. along with Schwab, Vanguard, Fidelity- all the big ones). Even on the coffee shops own wifi I might be able to get into the path other ways and do this {change the DNS records on the local network provider's DNS server, IP Spoof, etc). As you try to log into your account you are actually logging in with me so I can capture you login info. I will just error out (while collecting your login info) - you think the site is just having issues - I will then go access your account before you realize it.
Perhaps less of a threat these days as there are now many other protections in place (if you set up 2FA, alerts, etc.) - but still there.

I agree the library computer is even worse - who knows what's running on that machine.
User avatar
Will do good
Posts: 1138
Joined: Fri Feb 24, 2012 7:23 pm

Re: Public Library computers

Post by Will do good »

Hackers can hide keystroke logs in public computers, anything you type will be available to them such as your logins and passwords. Only thing that could save you is maybe 2FA, so please be careful.
User avatar
Topic Author
Mr. Potter
Posts: 1048
Joined: Wed Mar 18, 2015 7:50 pm
Location: Undisclosed Lake, MN

Re: Public Library computers

Post by Mr. Potter »

Got it, best to only access accounts from home on my IP address on my computer. Thanks
Iridium
Posts: 768
Joined: Thu May 19, 2016 10:49 am

Re: Public Library computers

Post by Iridium »

GoldStar wrote: Thu Jan 31, 2019 2:08 pm The threat with open WiFi is primarily still man-in-middle attacks from what I understand - you might think you are connecting to "Starbucks" but you missed the fact that it was spelled "Starbuucks" which is a wifi I set up while I'm in your coffee shop. So now you are on my wifi and I have a server that let's most traffic through but mimics popular banks and brokerages if you go to one of them. My server is set up to look just like your banks login page (I will set up one for Chase, Bank-of-America, etc. along with Schwab, Vanguard, Fidelity- all the big ones). Even on the coffee shops own wifi I might be able to get into the path other ways and do this {change the DNS records on the local network provider's DNS server, IP Spoof, etc). As you try to log into your account you are actually logging in with me so I can capture you login info. I will just error out (while collecting your login info) - you think the site is just having issues - I will then go access your account before you realize it.
Thank you for the reply. I agree that there are a great variety of ways for an attacker to redirect your traffic (even outside of wifi, ARP poisoning would very likely work if an attacker was able to connect to the same network as you). However, if an attacker setup a page that looks like a bank login they still will not be able to obtain a valid certificate for it, so my browser won't display the padlock, and, increasingly, will just error out and refuse to display the page at all (due to HSTS).
KyleAAA
Posts: 9498
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Public Library computers

Post by KyleAAA »

Iridium wrote: Thu Jan 31, 2019 1:49 pm
Oak&Elm wrote: Thu Jan 31, 2019 1:13 pm I have deep concerns about accessing my accounts at say a coffee shop with free wireless WiFi but what about a public library with hard wired data? Anyone had issues?
The risk is low in either case, but you are more vulnerable using a library computer than using a coffee shop WiFi. In the former case, you are actually typing your password into a device that you do not own; you have to trust that security at the library is very good and that the keyboard is actually just a keyboard.

Is the 'avoid coffee shop WiFi' even still relevant advice? Websites now encrypt the entire site, rather than just the login page, browsers are pretty robust against attack, and Windows is doing a better job of not being vulnerable to machines on the same network.
It's relevant advice in that there is minor incremental risk, but you are correct that the risk is extremely small. I don't bother avoiding coffee shop wifi or anything like that. Browsers have gotten pretty good at warning users of man-in-the-middle situations. I would think the library computer would be exponentially more dangerous because you can't be sure there aren't keyloggers installed.
Last edited by KyleAAA on Thu Jan 31, 2019 3:11 pm, edited 2 times in total.
Fclevz
Posts: 651
Joined: Fri Mar 30, 2007 11:28 am

Re: Public Library computers

Post by Fclevz »

The Vanguard and Fidelity apps are both good.
I'd just use my phone.
GoldStar
Posts: 959
Joined: Wed May 23, 2018 10:59 am

Re: Public Library computers

Post by GoldStar »

Iridium wrote: Thu Jan 31, 2019 3:02 pm
GoldStar wrote: Thu Jan 31, 2019 2:08 pm The threat with open WiFi is primarily still man-in-middle attacks from what I understand - you might think you are connecting to "Starbucks" but you missed the fact that it was spelled "Starbuucks" which is a wifi I set up while I'm in your coffee shop. So now you are on my wifi and I have a server that let's most traffic through but mimics popular banks and brokerages if you go to one of them. My server is set up to look just like your banks login page (I will set up one for Chase, Bank-of-America, etc. along with Schwab, Vanguard, Fidelity- all the big ones). Even on the coffee shops own wifi I might be able to get into the path other ways and do this {change the DNS records on the local network provider's DNS server, IP Spoof, etc). As you try to log into your account you are actually logging in with me so I can capture you login info. I will just error out (while collecting your login info) - you think the site is just having issues - I will then go access your account before you realize it.
Thank you for the reply. I agree that there are a great variety of ways for an attacker to redirect your traffic (even outside of wifi, ARP poisoning would very likely work if an attacker was able to connect to the same network as you). However, if an attacker setup a page that looks like a bank login they still will not be able to obtain a valid certificate for it, so my browser won't display the padlock, and, increasingly, will just error out and refuse to display the page at all (due to HSTS).
Provided you don't have a dated browser or don't simply hit "Advanced" in your browser and have it ignore the error or simply don't notice you got redirected to some other domain name.
KyleAAA
Posts: 9498
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Public Library computers

Post by KyleAAA »

Oak&Elm wrote: Thu Jan 31, 2019 2:56 pm Got it, best to only access accounts from home on my IP address on my computer. Thanks
If by "best" you mean "0.00000001% better," then sure. In reality, wifi is fine. Logging in on a machine you don't control (like at a library) is a no-no.
RudyS
Posts: 2821
Joined: Tue Oct 27, 2015 10:11 am

Re: Public Library computers

Post by RudyS »

Fclevz wrote: Thu Jan 31, 2019 3:07 pm The Vanguard and Fidelity apps are both good.
I'd just use my phone.
Does this mean to disable wifi and force the phone to use data?
Broken Man 1999
Posts: 8626
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, near Champa Bay !

Re: Public Library computers

Post by Broken Man 1999 »

The computers in my local library aren't under the watchful eye of library staff. They are arranged back to back in a horizontal line running in front of the check-in/out counter. So, from the counter one only sees the backs of users, though they can see the heads of people on the back row of the bank of computers.

But, library staff can't see the users hands or screens for those closest to the counter, as they are blocked by the back of the individual. And, though the staff can see the heads of the users in the back row, their screens and hands are also shielded.

They used to have you sign-in when you needed to use one, but that was more of a traffic issue, as there were more people wanting to use the computers than the number of computers available. The sign-in list just controlled who got the next computer that became available.

I would use one of their computers if I were researching something, and wanted to seek out reference books and such. I would never take my laptop/Chromebook into the library for any reason, as it might develop legs and walk away whilst I was looking for stuff in the stacks. Also, I would be afraid of having something slipped into my PC, or picking up a virus.

And, I would never, never, never access any financial account, email account, or any of the accounts I have that require a log-on. Nope! Nope! Nope!

Nor would I do so at any place outside my home, for that matter. Nope! Nope! Nope!

I do read the Boglehead forum outside my home sometimes, like when a game is boring (and believe you me, my alma mater's football team played some yawners this past season), but I don't sign in or post on the forum.

Never had any issues, but I try to practice safe surfing at all times.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
User avatar
quantAndHold
Posts: 10141
Joined: Thu Sep 17, 2015 10:39 pm
Location: West Coast

Re: Public Library computers

Post by quantAndHold »

The Starbucks wifi is generally fine. Banking websites encrypt the data going back and forth. A bad guy might be able to see that you're going to Vanguard's website, but they can't see what you're actually doing or what your password is.

The library computer, though. Ewwww. Any computer that a stranger has physical access to...no. There is much a bad guy can do if they can touch the computer. I use the library computer for historical research or other projects that have to be done at the library. But never financial stuff, or email, or anything that I wouldn't want to be public.
shunkman
Posts: 667
Joined: Mon Feb 26, 2018 8:59 pm

Re: Public Library computers

Post by shunkman »

It has been my understanding that connecting to ones own mobile hot spot is considered a relatively secure connection. Is this not the case?
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Public Library computers

Post by Epsilon Delta »

Oak&Elm wrote: Thu Jan 31, 2019 2:56 pm Got it, best to only access accounts from home on my IP address on my computer. Thanks
The assumption here is that your ISP is better behaved than a random scuzzball running a fake access point.
I'm not buying it.
gtd98765
Posts: 952
Joined: Sun Jan 08, 2017 3:15 am

Re: Public Library computers

Post by gtd98765 »

shunkman wrote: Thu Jan 31, 2019 4:00 pm It has been my understanding that connecting to ones own mobile hot spot is considered a relatively secure connection. Is this not the case?
Yes. Just make sure your router uses encryption, especially the current standard, which is called WPA2. Every router sold in last five years at least includes this standard.
dink2win
Posts: 527
Joined: Tue Jan 15, 2019 5:53 pm

Re: Public Library computers

Post by dink2win »

gtd98765 wrote: Thu Jan 31, 2019 4:50 pm
shunkman wrote: Thu Jan 31, 2019 4:00 pm It has been my understanding that connecting to ones own mobile hot spot is considered a relatively secure connection. Is this not the case?
Yes. Just make sure your router uses encryption, especially the current standard, which is called WPA2. Every router sold in last five years at least includes this standard.
I would never use a library computer for financial stuff. Heck I would not even access my email or social media from it. All I would do are google searches or browze the net.
likegarden
Posts: 3181
Joined: Mon Feb 26, 2007 4:33 pm

Re: Public Library computers

Post by likegarden »

I do not even use my own Wifi, neighbors or someone from the street could use it, but turn Wifi communication off at my PC and only use Ethernet hardwired for financial communications.
User avatar
GerryL
Posts: 3902
Joined: Fri Sep 20, 2013 11:40 pm

Re: Public Library computers

Post by GerryL »

RudyS wrote: Thu Jan 31, 2019 3:22 pm
Fclevz wrote: Thu Jan 31, 2019 3:07 pm The Vanguard and Fidelity apps are both good.
I'd just use my phone.
Does this mean to disable wifi and force the phone to use data?
This is my MO when I am traveling and need to access a financial account, which I only do rarely. (Please, no one tell me that I am deluding myself.)
YeahBuddy
Posts: 2504
Joined: Tue Oct 31, 2017 12:55 pm

Re: Public Library computers

Post by YeahBuddy »

When I am on public wifi and need to access one of my accounts, I turn the wifi OFF and ensure my PAID VPN is ON.

Nord is one of the better rated VPNs at a reasonable price. $100 for 3 years I believe. I try to keep it on at all times.
Light weight baby!
User avatar
teen persuasion
Posts: 2327
Joined: Sun Oct 25, 2015 1:43 pm

Re: Public Library computers

Post by teen persuasion »

We have installed Deep Freeze on the public computers in my library. We scanned them all for viruses and malware before freezing them. Every time they are rebooted, they return to that state (anything downloaded in the interim is wiped). So at least once per day they are rebooted. If a patron wanted to be assured that a past user had not installed something, they could simply reboot before using the computer. They can also reboot after they are done, to remove traces of their history.

This software means that I need to thaw each computer and manually update them while in the thawed state, or all updates would be wiped the next time they are rebooted. So I am regularly checking each computer to see what updates are available: thaw and reboot, search again for updates (because they were wiped on reboot), install updates, reboot, freeze, reboot. It gets tedious, but it's necessary.
User avatar
Earl Lemongrab
Posts: 7270
Joined: Tue Jun 10, 2014 1:14 am

Re: Public Library computers

Post by Earl Lemongrab »

likegarden wrote: Thu Jan 31, 2019 6:44 pm I do not even use my own Wifi, neighbors or someone from the street could use it, but turn Wifi communication off at my PC and only use Ethernet hardwired for financial communications.
How would someone else use your home WiFi? You aren't running it open are you?
likegarden
Posts: 3181
Joined: Mon Feb 26, 2007 4:33 pm

Re: Public Library computers

Post by likegarden »

I read that crooks have figured out how to read Wifi passwords. We noticed that our Wifi is strong enough 2 houses away to be used by others. So I want to keep my financials very safe by using Ethernet only.
gtd98765
Posts: 952
Joined: Sun Jan 08, 2017 3:15 am

Re: Public Library computers

Post by gtd98765 »

likegarden wrote: Sun Feb 10, 2019 6:10 pm I read that crooks have figured out how to read Wifi passwords. We noticed that our Wifi is strong enough 2 houses away to be used by others. So I want to keep my financials very safe by using Ethernet only.
I believe that is not exactly correct. There was a scientific paper describing how the password could be intercepted during the handshake when a computer associates with a router. I have never read an article stating that this method has been used in real life. In addition, many router manufacturers have updated their firmware to eliminate this problem, as have computer and handset manufacturers.

In any case, the https encryption used by all financial institutions is still secure and would protect your username/password, etc.
michaelingp
Posts: 936
Joined: Tue Jan 17, 2017 7:46 pm

Re: Public Library computers

Post by michaelingp »

teen persuasion wrote: Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library.
Good for you! In the old days, when home Internet was unusual, there were "Internet Cafes", particularly not in the U.S., and most I went to rebooted to a known (presumably safe) state after each use. However, I have gone to public libraries all over the U.S. and I've never seen a library computer set up to reboot to a safe state. I'm not sure I would trust a public library computer with my financial password regardless of Deep Freeze, though, since I don't have any way of knowing how versed the staff is in computer security.
miamivice
Posts: 2973
Joined: Tue Jun 11, 2013 11:46 am

Re: Public Library computers

Post by miamivice »

I really am not concerned about hackers or keystroke loggers if I were to access Vanguard at a public library.

I would be far more concerned about people looking over my shoulder to see my net worth and my individual investments. Since the library is a public space, anybody is free to shoulder surf at will. Wouldn't want that to happen.
Spirit Rider
Posts: 13977
Joined: Fri Mar 02, 2007 1:39 pm

Re: Public Library computers

Post by Spirit Rider »

If you have to access financial sites away from home either use cellular data from your mobile device or WiFi via a VPN. I would never use a third party device anywhere.
User avatar
quantAndHold
Posts: 10141
Joined: Thu Sep 17, 2015 10:39 pm
Location: West Coast

Re: Public Library computers

Post by quantAndHold »

michaelingp wrote: Sun Feb 10, 2019 8:02 pm
teen persuasion wrote: Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library.
Good for you! In the old days, when home Internet was unusual, there were "Internet Cafes", particularly not in the U.S., and most I went to rebooted to a known (presumably safe) state after each use. However, I have gone to public libraries all over the U.S. and I've never seen a library computer set up to reboot to a safe state. I'm not sure I would trust a public library computer with my financial password regardless of Deep Freeze, though, since I don't have any way of knowing how versed the staff is in computer security.
It doesn’t take much for someone to plug a key logger into a USB port on the back of the machine, then come by later to pick it up. No amount of freezing and rebooting is going to help if a bad guy has physical access to the computer.
User avatar
librarianaire
Posts: 35
Joined: Mon Dec 04, 2017 4:15 pm
Location: New Jersey

Re: Public Library computers

Post by librarianaire »

As a librarian, I recommend making an appointment to speak to the person who maintains the computers. Library workers take pride in their work and they’re generally happy to answer questions, especially if you make an appointment and direct your questions to someone who is trained to answer them.

If the person who maintains the computers provides good answers and inspire sufficient confidence, use the computers. If not, no one will mind if you prefer to access your information in other ways.
“Our own experience provides the basic material for our imagination, whose range is therefore limited.” Thomas Nagel, What is it like to be a bat?
tibbitts
Posts: 23728
Joined: Tue Feb 27, 2007 5:50 pm

Re: Public Library computers

Post by tibbitts »

shunkman wrote: Thu Jan 31, 2019 4:00 pm It has been my understanding that connecting to ones own mobile hot spot is considered a relatively secure connection. Is this not the case?
Yes, but your data service is relatively very expensive compared to free wifi.
4nwestsaylng
Posts: 516
Joined: Thu Jun 15, 2017 2:03 am

Re: Public Library computers

Post by 4nwestsaylng »

Biggest risk is the germs on that keyboard and mouse. Really.
MathWizard
Posts: 6561
Joined: Tue Jul 26, 2011 1:35 pm

Re: Public Library computers

Post by MathWizard »

Keyloggers are the biggest concern, so the library would be less secure.

I assume anything with a login is using SSL encryption ( https:// ) so presumably the traffic on the
wifi is encrypted both by your browser before being broadcast on the wifi.

That said, I only use my home wifi with its own WPA2 password for any financial transactions.

I use MultiFactor authentication for many sites, not yet all, but am leaning that way.
6Pack
Posts: 175
Joined: Tue Oct 20, 2015 12:28 pm
Location: In a van down by the river

Re: Public Library computers

Post by 6Pack »

I wouldn’t ever access my private accounts from a public computer (library) or a public network (Starbucks). Heck, I don’t even access them at work where computer security is taken very serious (feds).

If a computer network is using a hub instead of a switch, you can still capture network data just like WiFi. I have experimented with this in my free time at home.
User avatar
teen persuasion
Posts: 2327
Joined: Sun Oct 25, 2015 1:43 pm

Re: Public Library computers

Post by teen persuasion »

michaelingp wrote: Sun Feb 10, 2019 8:02 pm
teen persuasion wrote: Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library.
Good for you! In the old days, when home Internet was unusual, there were "Internet Cafes", particularly not in the U.S., and most I went to rebooted to a known (presumably safe) state after each use. However, I have gone to public libraries all over the U.S. and I've never seen a library computer set up to reboot to a safe state. I'm not sure I would trust a public library computer with my financial password regardless of Deep Freeze, though, since I don't have any way of knowing how versed the staff is in computer security.
True, users should always be cautious when using public computers, and seek the safest access they can find. Some have little choice or options. We are trying to keep things as safe as possible.

We opted to install Deep Freeze to limit the issues with viruses/malware being introduced to the public computers. Library computer users tend to be less sophisticated in their browsing safety, so I spend less time cleaning up after curious patrons find virus attack pop ups. Reboot, things are back to baseline, and we have a little chat about safer browsing and where they were attempting to go. Not judgemental, just trying to help them find the info they were after safely, and to see where they were getting into trouble. They learn (hopefully) how to avoid scammy sites and not to click on misdirection buttons. I learn what our patrons use the library computers for, and where they need assistance, and what pitfalls are out there for the less tech savvy.

And for another poster pointing out biological viruses as a threat - yeah, I wipe down the keyboard and mouse of every computer in the building weekly, including the OPAC, as part of my update schedule.
Strayshot
Posts: 833
Joined: Thu Mar 05, 2015 7:04 am
Location: New Mexico

Re: Public Library computers

Post by Strayshot »

I would never use a computer I didn’t completely control for any transaction where I was logging in to an account that had access to my personal information. It’s not an issue with the network, it’s an issue with the unknown software running on the machine that I don’t have time to mess with.

The easy answer to all of this is to use a VPN any time you are on a network you don’t control on a computer that you completely control (own and manage).

There are always opportunities for data to be stolen, even on a VPN you only encrypt the traffic to the VPN server and then it goes off to the ether. At home you are trusting the data until it hits your service providers server, at which point it also goes off into the ether.

Get VPN service from a reputable provider and call it good.

If you are worried about getting your personal computer hacked while on an uncontrolled network, there are lightweight boot-to-browser distros like JustBrowsing. Load a memory stick, boot from the stick (requires you know how to get in bios and change booting preference, easy) and go about your web-based work in Firefox. This could be an option for library computers as well assuming the bios is not password protected and you can change the boot order. Then there is no concern about unknown software.
User avatar
tennisplyr
Posts: 3703
Joined: Tue Jan 28, 2014 12:53 pm
Location: Sarasota, FL

Re: Public Library computers

Post by tennisplyr »

I never access personal financial accounts from outside of my home.
“Those who move forward with a happy spirit will find that things always work out.” -Retired 13 years 😀
michaelingp
Posts: 936
Joined: Tue Jan 17, 2017 7:46 pm

Re: Public Library computers

Post by michaelingp »

tennisplyr wrote: Mon Feb 11, 2019 7:40 am I never access personal financial accounts from outside of my home.
Not even on your phone? I think we learned a while back that iPhones can be very secure, given what the FBI had to pay to crack one.
badger42
Posts: 614
Joined: Thu Apr 09, 2015 9:01 am

Re: Public Library computers

Post by badger42 »

teen persuasion wrote: Thu Jan 31, 2019 7:34 pm We have installed Deep Freeze on the public computers in my library. We scanned them all for viruses and malware before freezing them. Every time they are rebooted, they return to that state (anything downloaded in the interim is wiped). So at least once per day they are rebooted. If a patron wanted to be assured that a past user had not installed something, they could simply reboot before using the computer. They can also reboot after they are done, to remove traces of their history.

This software means that I need to thaw each computer and manually update them while in the thawed state, or all updates would be wiped the next time they are rebooted. So I am regularly checking each computer to see what updates are available: thaw and reboot, search again for updates (because they were wiped on reboot), install updates, reboot, freeze, reboot. It gets tedious, but it's necessary.
Deep freeze does nothing for hardware keyloggers, which are one of the easiest attacks against a public machine. Find out what keyboard model they use, buy one, add a logger, swap with one of the ones in the library. Swap back a few days or weeks later.

Public machines are best never used, or if used, for totally non-authenticated uses only (e.g. browsing news, library card catalog searches)
badger42
Posts: 614
Joined: Thu Apr 09, 2015 9:01 am

Re: Public Library computers

Post by badger42 »

6Pack wrote: Mon Feb 11, 2019 7:13 am I wouldn’t ever access my private accounts from a public computer (library) or a public network (Starbucks). Heck, I don’t even access them at work where computer security is taken very serious (feds).

If a computer network is using a hub instead of a switch, you can still capture network data just like WiFi. I have experimented with this in my free time at home.
If it's a switch, you can still capture data if you have configuration access to the switch and can enable a tap port. Or for that matter a simple MAC flooding attack will, from a security POV, turn a switch into a hub.

But unless you're getting MitM'd, a reasonably secured wired or wireless network with a reasonably secure host is "probably fine".

(Note: If your home network is running equipment that does not receive regular - e.g. at least quarterly - firmware updates, your home network should be assumed insecure, wireless OR wired)
bryanm
Posts: 424
Joined: Mon Aug 13, 2018 3:48 pm

Re: Public Library computers

Post by bryanm »

Just to put this all into perspective, who on this board has (or knows someone who has) had their financial information stolen via either:
  1. A physical keylogger installed into a keyboard; or
  2. A hacker successfully bypassing a secure (SSL/TSL), cert. authenticated line to steal data over-the-air?
I'm willing to bet the numbers low or zero. Who on this board has (or knows someone who has) had their financial information stolen via a data breach at a financial institution? After Equifax, I'm willing to bet it's everyone.

If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
User avatar
vitaflo
Posts: 1905
Joined: Sat Sep 03, 2011 3:02 pm

Re: Public Library computers

Post by vitaflo »

bryanm wrote: Mon Feb 11, 2019 10:51 am Just to put this all into perspective, who on this board has (or knows someone who has) had their financial information stolen via either:
  1. A physical keylogger installed into a keyboard; or
  2. A hacker successfully bypassing a secure (SSL/TSL), cert. authenticated line to steal data over-the-air?
I'm willing to bet the numbers low or zero. Who on this board has (or knows someone who has) had their financial information stolen via a data breach at a financial institution? After Equifax, I'm willing to bet it's everyone.

If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
This. The likelihood of getting hacked because you're connected to some random wifi is not zero but it's pretty darn close to it. The likelihood of someone nowhere near you cracking your password via data breach or spoofing your cell number is much much higher.
DrGoogle2017
Posts: 2528
Joined: Mon Aug 14, 2017 12:31 pm

Re: Public Library computers

Post by DrGoogle2017 »

I’m reluctant to use it. One time I was in UK, free WiFi with no specific room ID, I booked another hotel using my credit card, that credit was stolen and used elsewhere, but my credit card company blocked the charge and I closed the credit card. Since then, I always closed the credit card that I used overseas. No more fraud after that.
badger42
Posts: 614
Joined: Thu Apr 09, 2015 9:01 am

Re: Public Library computers

Post by badger42 »

vitaflo wrote: Mon Feb 11, 2019 10:59 am
bryanm wrote: Mon Feb 11, 2019 10:51 am Just to put this all into perspective, who on this board has (or knows someone who has) had their financial information stolen via either:
  1. A physical keylogger installed into a keyboard; or
  2. A hacker successfully bypassing a secure (SSL/TSL), cert. authenticated line to steal data over-the-air?
I'm willing to bet the numbers low or zero. Who on this board has (or knows someone who has) had their financial information stolen via a data breach at a financial institution? After Equifax, I'm willing to bet it's everyone.

If you have access to your own device, logging in with that to a secure site--over wifi or wire, public or private--is good practice. But really, there are bigger security hygiene practices that one should be worried about.
This. The likelihood of getting hacked because you're connected to some random wifi is not zero but it's pretty darn close to it. The likelihood of someone nowhere near you cracking your password via data breach or spoofing your cell number is much much higher.
I've had passwords compromised by a physical keylogger (not financial passwords though), and have demonstrated MitM attacks where you find *most* people will just click through for debatable intermediate certificates. I've also seen post-mortems that involved certs from compromised CAs (your browser trusts a LOT of CAs) used for a MitM attack.

A proper 2-factor setup helps a great deal here. If you get my password you still don't get my token / yuibkey. (SMS 2-fac is sort of 1.5-fac)
bryanm
Posts: 424
Joined: Mon Aug 13, 2018 3:48 pm

Re: Public Library computers

Post by bryanm »

badger42 wrote: Mon Feb 11, 2019 11:20 am I've had passwords compromised by a physical keylogger (not financial passwords though), and have demonstrated MitM attacks where you find *most* people will just click through for debatable intermediate certificates. I've also seen post-mortems that involved certs from compromised CAs (your browser trusts a LOT of CAs) used for a MitM attack.

A proper 2-factor setup helps a great deal here. If you get my password you still don't get my token / yuibkey. (SMS 2-fac is sort of 1.5-fac)
Loggers found in certain conference rooms in Las Vegas in late summer do not count... ;)

Your points on 2FA and click through bad certs is exactly the kind of security hygiene people should in fact be thinking about. (And using a password manager so as to never reuse a password across sites.) With those three things, I would guess that 98% concerns go away. It goes over 99 if you avoid using a phone # for 2FA.
Post Reply