Truth 25 Hotel business centers can be treacherous

Have you ever been visiting a hotel, not had your laptop with you, and needed to check email? You simply go to the hotel business center and jump on one of the computers set up for use by customers. In some cases, you have to pay a small fee to use the computers, but in most hotels, the computers are complementary to their guests. You open up the Web browser, connect to your Web mail account, type in your username and password, and just like that you are reading and responding to your emails. While you are online, you might also decide to check your bank accounts, check your brokerage site, and more. However, as you can no doubt surmise by now, like most everything else, hotel business centers are prime targets for identity thieves.

A couple of years ago, I was traveling and headed down to the hotel business center planning to log into my Web-based email via one of the public computers. When I entered the room, I sat down at a computer just after another hotel guest had finished. When I sat down, I noticed there was a Web browser already running and minimized at the bottom of the screen. I clicked on it planning to type in the URL to access my Web email. To my surprise, the window opened up to an online stock-trading Web site, with the previous user still logged in. While the obvious concern here would be that a malicious person could have started using that account and caused all sorts of trouble, I was more concerned about just how secure this computer really was that she had just used to access such confidential information.

You see, public computers are just that: public. This means that people can do just about anything they want on them. While some people browse the Web, play games, and check their email, there are those who use these computers as a point of attack to gain access to unsuspecting users’ personal information.

I closed the browser that was connected to the online stock trading Web site instead of continuing with my previous plan to check my own email. Instead, I started performing an audit on the computer. I began with the obvious and downloaded an antispyware program from the Internet and ran it. Within minutes, it had found so many applications running it was simply ridiculous. While many were intrusive, none were actually designed to steal confidential information. I then ran some software to give me a complete list of all processes currently running on the computer. As I went through the list, I recognized most of the applications running with the exception of one that seemed odd. Its filename was winrunner.exe, and it was a program that was set up to start running whenever the computer booted up. I ran another program that could watch the process and noted that it was continually accessing the hard drive. After a little more research, I found a log file on the hard drive that contained a complete history of every keyboard stroke that had been entered. This included not only everything that I had typed since I had been logged in, but hundreds of entries before me, including the login information the woman had typed to access her online stocks.

Sure enough, software designed to capture potentially confidential information had been loaded on this computer by an identity thief. I immediately removed the nefarious application, typed a few more characters, and checked the log again. That time nothing more had been added to the log. I then deleted the log file to make sure it didn’t end up in someone else’s hands. Had I left the application running, I assume it would have emailed or transferred the log file at a predetermined time—perhaps once a day—to a waiting thief.

After this discovery, I changed my mind about using the computer to check my own mail and to this day have never used a public computer to check anything more exciting than the weather, flight times, or other information that does not require a login. Now, you might think to yourself, “What were the odds that the first computer he looked at was actually compromised?” Well, it turns out pretty darn good. Since then, I have checked more than 20 additional hotel business centers throughout the United States and have found that half of them are running malicious software designed to capture confidential information.

The reality is that public computers are not designed to be secured access points. They are there for customer convenience only and should be used with extreme caution. As part of one of the spots I did for The Today Show, the hotel association was contacted by The Today Show at NBC. The hotel association stated that it was not responsible for securing the business center computers, and to date I have yet to see a single warning located in any hotel business center.

If you have used a public computer in the past couple months, it’s time to follow some quick tips.

Change the passwords on all the accounts you accessed through the public computer.

If you made any online purchases via the public computer, immediately contact your credit card company and check for any suspicious activity. In addition, while it is an inconvenience, I strongly encourage you to change the credit card account number used for the transactions.

If you used the account to access email, review all email you have received since that time and verify that you have not received anything confidential. One of the easiest types of attacks for identity thieves is to simply monitor email. Often people receive account activations and confidential information via an email. If ID thieves can access these emails, they also will gain that confidential information.

If you accessed your business email, send out a note to your coworkers asking if they’ve received any emails from you recently with requests. Often thieves use a business account to send emails to other coworkers asking for confidential information on clients. If they receive a response, they record the information and then delete the email immediately, hoping that you never see it.