Monthly Archives: December 2014

Our Christmas message for troublemakers: how to do anonymity in the real world

On the 5th of December I gave a talk at a journalists’ conference on what tradecraft means in the post-Snowden world. How can a journalist, or for that matter an MP or an academic, protect a whistleblower from being identified even when MI5 and GCHQ start trying to figure out who in Whitehall you’ve been talking to? The video of my talk is now online here. There is also a TV interview I did later, which can be found here, while the other conference talks are here.

Enjoy!

Ross

Curfew tags – the gory details

In previous posts I told the story of how Britain’s curfew tagging system can fail. Some prisoners are released early provided they wear a tag to enforce a curfew, which typically means that they have to stay home from 7pm to 7am; some petty offenders get a curfew instead of a prison sentence; and some people accused of serious crimes are tagged while on bail. In dozens of cases, curfewees had been accused of tampering with their tags, but had denied doing so. In a series of these cases, colleagues and I were engaged as experts, but when we demanded tags for testing, the prosecution was withdrawn and the case collapsed. In the most famous case, three men accused of terrorist offences were released; although one has since absconded, the other two are now free in the UK.

This year, a case finally came to trial. Our client, to whom we must refer simply as “Special Z”, was accused of tag tampering, which he denied vigorously. I was instructed as an expert along with my colleague Dr James Dean of Materials Science. Here is my expert report, together with James’s report and addendum, as well as a video of a tag being removed using much less than the amount of force required by the system specification.

The judge was not ready to set a precedent that could have thrown the UK tagging system into chaos. However, I understand our client has now been released on other grounds. Although the court did order us to hand back all the tags, and fragments of broken tags, so as to protect G4S’s intellectual property, it did not make a secrecy order on our expert reports. We publish them here in the hope that they might provide useful guidance to defendants in similar cases in the future, and to policymakers when tagging contracts come up for renewal, whether in the UK or overseas.

On the measurement of banking fraud

Kidnapping is not an easy crime to be successful at…

… it is of course easy to grab the heiress from outside the nightclub at 3am. It’s easy to incarcerate her at the remote farmhouse. If you pick the right henchmen then it’s easy to cut off her ear and post it off to the frantic family.

Thereafter it gets very difficult — you must communicate directly several times and you must physically go and pick up the bag of money. These last two tasks are extremely difficult to manage successfully which is why police forces solve kidnap cases so often (in its first 5 years the Metropolitan Police Kidnap Unit solved 100% of their cases).

Theft from online bank accounts also has its difficulties. It remains relatively easy to gain access to a victim’s bank account and to issue instructions on their behalf. Last decade this was all about “phishing” — gathering credentials by creating fake websites; more recently credentials have been compromised by means of “man-in-the-browser” malware: you think you are paying your gas bill and that’s what your browser tells you is occurring. In practice you’re approving a money transfer to a criminal.

However, moving the money to another account does not mean that the criminal has got away with it. If the bank notices a suspicious pattern of transfers then they can investigate, and when they see the tell-tale signs of fraud then the transfers (which were only changes to computer records) can be trivially reversed. It is only when the criminal can extract folding money from an ATM, or can move the money abroad in such a way that it will never be repatriated that they have been truly successful. So like kidnap, theft from bank accounts is somewhat harder to pull off than one might initially think.

This has turned out to be a surprise to the Treasury Select Committee.

Last month I was asked to give oral evidence to them and the very first question related to how much fraud there was relating to online banking. I explained that the banks collated figures showing how much money was actually “lost” (viz: the amount that the banks ended up, usually anyway, reimbursing to the unfortunate customers who had been defrauded).

However, industry insiders say that about twice this amount is moved to another account but — and this is basically Very Good News — it is then transferred back so there is no actual loss to anyone. We don’t know the exact figures here, because they are not collated and published.

Furthermore, the bank should also be measuring “money at risk” that is the total amount in the compromised accounts. If their security measures failed and criminals stole every last penny then these would be actual losses — an order of magnitude more, perhaps, than the published figures.

The Select Committee chairman is now writing to the banks to ask if this is all true and what the “true” fraud figures might be. If the banks reply with detailed information then we might finally understand quite how difficult bank fraud is. I fully expect the story will run something along the lines that <n> accounts with 10,000 pounds in them are comprised, that the crooks fraudulently transfer 995 pounds from most, but not all of these <n> — but that half the time the fraudulent transaction is reversed.

If this analysis is correct then online banking fraud is a still, on average, much more lucrative than kidnapping — but we must make up our mind as to whether to measure it using the figures of 10,000 or 995 or “about half of 995 is permanently lost”. There’s justification to every way of measuring the problem — but it it’s important to understand the limitations of any single measurement; failure to do so will mean that the banks will not deploy the right level of security measures — and the politicians will fail to give the issue an appropriate level of  consideration.

Why password managers (sometimes) fail

We are asked to remember far too many passwords. This problem is most acute on the web. And thus, unsurprisingly, it is on the web that technical solutions have had most success in replacing users’ ad hoc coping strategies. One of the longest established and most widely adopted technical solutions is a password manager: software that remembers passwords and submits them on the user’s behalf. But this isn’t as straightforward as it sounds. In our recent work on bootstrapping adoption of the Pico system [1], we’ve come to appreciate just how hard life is for developers and maintainers of password managers.

In a paper we are about to present at the Passwords 2014 conference in Trondheim, we introduce our proposal for Password Manager Friendly (PMF) semantics [2]. PMF semantics are designed to give developers and maintainers of password managers a bit of a break and, more importantly, to improve the user experience.

Continue reading Why password managers (sometimes) fail