One of the most common yet underreported causes of data breaches is users’ failure to properly log out of public PCs.
Is your work computer accessible to others, perhaps after business hours? How about your home computer? Does its use extend beyond your immediate family, to your kids’ friends or babysitters, for example? Do you ever log in to a hotel’s business center PC,
or take advantage of free Internet at a bank of sponsored PCs at a conference? Or pay per minute at an Internet café? Maybe you’re you a college student; do you use the PCs in the computer lab, or friends’ PCs?
Any shared PC is at an increased risk for spyware, viruses, and other malicious activities of a criminal hacker, the PCs administrator, or just the dude that happened to use the computer before you. But many people increase their vulnerability simply by
failing to log out.
A few months ago, my sister-in-law used my family’s PC, logging in to her Facebook account. After she left, I checked Facebook myself, and quickly realized I was still logged in to her account. To teach her a lesson, I changed her profile picture to something
she didn’t appreciate. (Being my sister-in-law, she forgave me.)
This past weekend at a conference, a colleague borrowed my laptop to check his email. Four days later, after having turned the laptop on and off a half dozen times, I attempted to check my own email and found myself still logged in to his Gmail account.
In this instance, I quickly logged out, since Gmail notifies users when their accounts are open at multiple IP addresses, and I wasn’t about to hack a colleague.
Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or, “Save password,” and will do so indefinitely. This feature often works with cookies,
or codes stored in temp files. Some operating systems also include an “auto-complete” feature, which remembers usernames and passwords.
I’m not entirely sure if my colleague left Gmail’s “Stay signed in” box checked, if Gmail left a cookie on my laptop, or if my operating system remembered him. Either way, he was hackable.
I may log in to a PC that is not mine once or twice a year. And when I do, I make sure I log out of any program I logged in to. On the rare occasion that I use someone else’s computer to log in to an account containing sensitive data, I make an effort to
change the password. Generally, though, I lug around my own laptop wherever I go, and I use an iPhone.
Never check a “Remember me” box, and if it’s selected by default, remember to uncheck it.
If you get an auto-complete pop-up while logging in, read it carefully and be sure to click the “no” option.
Some PC administrators install password managers that prompt the user to save login credentials. If you are on someone else’s PC and get this kind of pop-up, read it carefully before just clicking buttons to dismiss the pop-up.
Most importantly, PLEASE, for heaven’s sake, LOG OUT. Do I need to repeat myself?
Robert Siciliano, personal security expert contributor