Hey Lifehacker, While I know it’s my employer’s right to put any software they wish on workplace computers, I’d like to know if my PC is being monitored. If I do online banking during my lunch break, I’m worried that my employer might have access to my credentials. Is there any method you could recommend to check if I’m being watched? Thanks, Private Life
Dear PL,
The short, blunt answer: if you want to do something online and be absolutely sure that you’re not being monitored, do it on your smartphone, not on your workplace computer.
It’s quite unlikely that your employer has installed a keylogger to track everything you type. It’s rather more likely that a browsing history of the sites you visit is being logged somewhere — but no-one is likely to check that in detail unless there’s a legal investigation or an alert pops up when you try to visit a manifestly inappropriate site. Either way, there’s no obvious way of finding out whether you’re being tracked — beyond the simple expedient of actually checking what the stated workplace policy on internet usage is.
Software programs that claim to detect whether you’re being tracked are often just ransomware or crap, and unless you have administrative rights on your machine, you’re not going to be able to install them anyway. And if you’re so concerned about privacy that you think you’d quit if you found out you were being monitored, you might as well just ask outright.
I personally wouldn’t be concerned about logging into a banking site at work, but you can do exactly the same thing on your phone with less risk and no stress. So do that if that’s your concern.
Cheers
Lifehacker
Comments
23 responses to “Ask LH: What Can I Do About Work Monitoring My Internet Usage?”
Maybe I’m naive, but if I was worried that my employer would use my banking details against me….I wouldn’t want to be working there in the first place.
I wouldn’t do my online banking at work maybe?!
Yep, I think you’re naive. It’s not your work that will use the info against you. It’s anyone who can access that info. Do you trust every person at your work?
You should always make sure you’re the only one who knows how to access your banking details. Entering them on a work computer is no different from entering them at an internet cafe.
My workplace uses keyloggers. I discovered this when an app suite on my PC automatically updated to install an anti-virus, which then quarantined the keylogger. I wasn’t in the office when they announced that we were going to be keylogged. My raising the point that malware specifically targets banking credentials on keylogged workplaces was met with no direct response.
This was all happening at a time when Windows automatic updates had been switched off for the whole office due to an alleged “corrupt update”. I was also giving my latest round of warnings that my Win XP desktop should be upgraded asap before end of support. So yeah, that’s what I’m dealing with.
I did some research into workplace privacy and found that the law appears to me to be so unclear as to not be an effective prop to workers. Employers can monitor what they want and your choice is to not work for them.
I agree with Angus, do your internet banking on your phone.
Indeed. Simple fact is, all crucial net usage such as banking, Centrelink or whatnot should never be done through a public computer (shopping center) or a work computer. This sort of stuff should only ever be done through your own phone or home computer (or one somewhere you completely trust, like your sibling’s, parents’ or good friend’s house). Seriously, never do your online banking at work, ever; you’re just asking for trouble.
Group policy pushes certificates to your workstation. The internet proxy performs a ‘man in the middle attack’ on HTTPS connections and then re-signs them with the certificate on your workstation. You never know.
Most modern proxies have this feature. Since it’s somewhat technical, the only people that know are probably the IT people.
This is becoming more and more common. A ‘nice’ employer will whitelist banking sites and other legitimate sites, leaving those HTTPS sessions alone; however, many just log (and have the ability to intercept) all HTTPS traffic.
Our current filter does not have the ability to do that. I think they are one of the last holdouts.
There is other stuff where you can scan the text on a page and assign a score to certain words. When it gets over the threshold, the page is blocked. You can also add negative scores so it will not go over the threshold in some cases. We have that turned off; it takes a lot of processing and overall internet speed takes a hit.
One of the other ones we have looked at does have a built in whitelist of banking sites.
It also has stuff like ‘bully detection’ where it will look at what stuff you are typing into stuff like facebook. (I work at a school).
Get a bank that uses two-factor authentication. Passwords alone are not good enough security for anyone, anywhere.
2FA can, and regularly is, defeated. If someone else has control of your computer, there’s nothing you can do to protect yourself.
Modern banking trojans steal funds by hijacking your session. They work by waiting for you to make a transfer, and then change the details of the transfer. The trojan also alters web pages on the fly so your accounts and transaction history appear to reflect the transfer you’ve just made.
These trojans are also commonly paired with mobile trojans in order to defeat mobile-based 2FA and to hide evidence of the stolen funds (e.g. if your bank sends an SMS with details of the transaction, the message will be modified on your phone).
I work for a company here in Brisbane, Australia, that makes the products discussed above. All HTTP and HTTPS traffic can be monitored and managed in any way the employer sees fit. HOWEVER, when it comes to banking details, these are not monitored and/or stored; they can be blocked/shaped/allowed etc. But the developers are people too, and so is the business owner (LOL). Of course it is technically possible, yet it is simply not done… so basically your employer can’t actually do it if they wanted to. That is the same for most of our competitors as well, so I expect it is common practice that the banking side of things is kept private, by design of the tools they use (e.g. our products). I also suspect a bit of urban myth based on what is possible as opposed to what is probable and actual. I won’t go into details; let’s just say there is a fine line in privacy laws, regardless of whether you are accessing banking accounts on a work-supplied device or not.
Rule of thumb: if you suspect or think your internet activities are being monitored at work or school, use a wireless option. I would suggest using a 3G/4G connection on your device (but not a hotspot wifi-3G connection). But if you have a wifi or wired connection and you are unsure, assume that you are being monitored. Note: if you are not now, your past may come back to haunt you in the future should your employer start monitoring. We sell mostly to schools and big corp, but that is changing quite rapidly.
Really? Are you the NSA? Because I’m pretty sure they’re the only ones who can easily monitor SSL connections.
Browsing history/dns is very different to monitoring HTTPS traffic.
If you’re on a work computer it’s trivial for them to have installed their own CA cert in your browser and be decrypting your traffic, then re-encrypting it with their own SSL certs post inspection.
I set this up on my own network in less than half an hour to test it out. No warnings would be given to a user. You’d have to check the cert and compare its signer with who should really be signing your banking cert, but I doubt anyone would do that if the site is coming up as a kosher SSL connection.
… The cert is a relationship between you and the remote server, not between you and anyone else. Any attempt to subvert this would simply lead to authentication failing.
In a corporate environment it’s not just possible, but common. It’s basically a MITM attack:
1) your (corporate) computer trusts the domain controller implicitly. The domain controller installs a self-signed cert on your machine.
2) you make an SSL connection to the banking site. The connection runs through your office web proxy.
3) the proxy hijacks your request, resubmitting it to the bank server with its own details. It sends the response back to you, replacing the bank’s cert with its own.
4) your computer implicitly trusts the self-signed cert used, so it doesn’t throw a warning.
5) the proxy happily decrypts and re-encrypts all traffic between you and the bank without either party being the wiser.
Obviously this can be noticed by manually checking certs or using software/hardware outside domain control. But when you’re on a domain, your computer will believe anything the DC tells it.
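The manual certificate check the comments above describe, as an added example that is not from the original page or any commenter: compare the leaf certificate a work PC sees for a site with the one the same site presents on a network the employer does not control (the phone); a different issuer for the same subject is the re-signed proxy certificate from step 3. bank.example, both CA names and the serial numbers are constructed placeholders, and fetch_peer_cert is an assumed helper for a live capture.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape ssl's getpeercert()
# returns. Issuer/subject are tuples of RDNs, each RDN a tuple of (key, value).
# Not real certificates: "bank.example" and both CAs are placeholders.
CERT_FROM_PHONE = {  # seen from a network the employer does not control
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "serialNumber": "0A1B2C3D",
}
CERT_FROM_WORK = {  # same site seen through an inspecting corporate proxy
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Web Proxy CA"),)),
    "serialNumber": "77FF0001",
}

def rdn_to_str(name):
    """Flatten a getpeercert()-style name into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)

def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate this network presents for host, validated
    against the local trust store. Behind an inspecting proxy that store holds
    the pushed corporate root, so the proxy-issued leaf validates and is what
    comes back here (assumed helper, needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def verdict(cert_here, cert_reference):
    """Compare the certificate seen here with a reference captured elsewhere.
    A different issuer for the same subject is the interception signal the
    comments describe; a changed serial alone is usually just renewal."""
    if cert_here.get("subject") != cert_reference.get("subject"):
        return "different-subject"
    if cert_here.get("issuer") != cert_reference.get("issuer"):
        return "issuer-changed"
    if cert_here.get("serialNumber") != cert_reference.get("serialNumber"):
        return "serial-changed"
    return "same"

if __name__ == "__main__":
    # Offline demo on the constructed samples. For a live check, replace
    # CERT_FROM_WORK with fetch_peer_cert("bank.example") run on the work PC.
    print("issuer seen:", rdn_to_str(CERT_FROM_WORK["issuer"]))
    print("verdict:", verdict(CERT_FROM_WORK, CERT_FROM_PHONE))
```

Capture the reference on the phone (or from the bank's published certificate details) rather than on the work PC, since the work PC's own trust store is exactly what the pushed root has altered.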
Hmm, yeah I guess you’re right, though it’s less to do with SSL than we were discussing and more to do with your employer potentially undermining the validity of your certificate authorities – probably for all requests..
Thank you for explaining it without sounding like a 65 year old software salesman (@JustMe)
Hi Michael. Sorry to disillusion you, but oh yes. Really. In real time. If your employer were to call us or me (we are located here in downtown Brisbane), we can offer the tools to monitor SSL, in fact all web traffic. You can’t get around it if you are on their network (our customers), and plenty have tried worldwide. So HTTP or HTTPS, including SSL connections/traffic, in real time. Not just logs/history. So no, the NSA are not the only ones who can monitor SSL connections. Welcome to big brother and the real world. We are not selling a product that *just* lets you view history/DNS; this is monitoring HTTPS traffic, real time, and history… with alerts too.
^_^
SSL inspection is used by anyone serious about security and is done by Checkpoint, Clearswift and Ironport products. It is good if an organisation is using it, as it is less likely they’ll have malware on their PCs. I’m an ex-security guy at a large organisation and I use third-factor authentication (SMS/soft tokens) for everything I can, including my Google mail, because it is the only way to have any real protection.
Depends on your capabilities. For example, you can set up a DNS server that uses SSL (such as DNSCrypt with OpenDNS) or find one you can access – and then use TOR from a thumb drive. This assumes you can both change system settings, and run external/untrusted executables.
As others suggest above though, this is largely moot if they run screen capturing or keylogging software. It’s advisable to check your process list and reference any you are not familiar with to check for this – as well as making sure to press “Processes from all users”.
michael_debyl… Michael, Michael, Michael… you need to broaden your breadth of knowledge. Yes, you seem to grasp the fundamentals, but your understanding is too scoped. Screen capturing and keylogging are not remotely related to the technologies you can buy right now today; these older tools have been around a very long time, are easily detectable and are no longer a “commercial option” for the many tech-savvy staff in corporate roles these days, in an enterprise-run, owned network. Even if you BYO your device into your workplace (which initially drove a lot of this new tech being used in corporate), once you connect to the network of your employer, our customers know what you’re doing, and might even get an SMS on an alert for a specific rule. I have a feeling you yourself would be totally amazed, if you love technology. We have a worldwide customer base.
I will take 10
When I used to look after the PABXs of a large international company in Sydney, I turned on the logging for all DTMF tones, so I could troubleshoot some internal issues.
Within a day, I had the phone banking details of approx 30 users, plus passwords in the logs. Luckily for them, I was content to not supplement my meager pay with their private donations, but it shows that an employer can get that information if they wanted to.
If I really had to use a work PC for sensitive stuff, I’d use an Ubuntu boot disk, and use a VPN to my home router. It may not be the most secure solution, but it’s going to negate most of the common attacks. If I’m still concerned, then I’m either waiting till I get home, or looking for another place to work.
Then again, a tablet with a 3G connection is just as easy and more secure.