Here's my proposal, I don't know whether it's new at all, I guess it's not. It's purely virtual, I've not tested anything like this.
- I go to a place where people use laptops: train stations, a home apartment in a crowded city or a job place where the Internet access is not given to all employees.
- I create an unprotected wifi access point, open to all. And I keep listening when someone does connect. It may take time, but that's not part of the given problem so I'm assuming I've got time.
- I count on the fact that at least one service the victim will use is not secured via SSL or similar. So when that happens, I just take note of the login/password couple.
- Then I go and try the login/password in other applications such as Facebook, Gmail, MSN, online stores and so on. As most people use the same passwords for many applications, I think it could be a correct ratio of success.