The US Secret Service is warning hotel operators to be on the lookout for malware that steals passwords and other sensitive data from guests using PCs in business centers, according to a published report.

The non-public advisory was issued on last Thursday, KrebsOnSecurity reporter Brian Krebs reported Monday. Krebs said the notice warned that authorities recently arrested suspects who infected computers at several major hotel business centers around Dallas. In that case, crooks using stolen credit card data to register as hotel guests used business center computers to access Gmail accounts. From there, they downloaded and installed keylogging software. The malware then surreptitiously captured login credentials for banking and other online services accessed by guests who later used the compromised PCs.

The report is a poignant reminder why it's rarely a good idea to use public PCs for anything more than casual browsing of websites. Even when PCs are within eyesight of a business center employee, librarian, or other supervisor, and even when it is locked down with limited "guest" privileges, there are usually a host of ways attackers can compromise machines running either Windows or Mac OS X. Krebs wrote:

The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft‘s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure. That’s why I routinely advise people not to use public computers for anything more than browsing the Web. If you’re on the road and need to print something from your email account, create a free, throwaway email address at yopmail.com or 10minutemail.com and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.

As Krebs notes, one measure that provides some protection is to lock down BIOS settings and secure them with a strong password, so people with physical access to a machine can't boot up from CDs or USB drives. Unfortunately, not all systems support such protections, and frequently, business center users may be inconvenienced by them.