A system is described for allowing a user, operating a trusted device, to remotely log into a server via a potentially untrustworthy client. The system operates by establishing a first secure connection between the client and the server. The system then establishes a second secure connection between the device and the server through the client. The user then remotely logs into the server over the second secure connection using the device. The second secure connection is tunneled within the first secure connection, preventing the untrustworthy client from discovering personal information associated with the user. According to one feature, prior to forming the second secure connection, the user can establish a pairing relationship with the client by reading an address of the client using any kind of reading mechanism. According to another feature, the device can receive marketing information in the course of a transaction.