FIPR colleagues and I have written a response to the recent Cabinet Office consultation on the proposed Framework for e-Government. We’re not very impressed. Whitehall’s security advisers don’t seem to understand phishing; they protect information much less when its compromise could harm private citizens, rather than government employees (which is foolish given how terrorists and violent lobby groups work nowadays); and as well as the inappropriate threat model, there are inappropriate policy models. Government departments that follow this advice are likely to build clunky, expensive, insecure systems.
Category Archives: Legal issues
SOCA: we just want your money?
Just over a year ago I wrote about the then upcoming Serious Organised Crime Agency (SOCA), reporting that their aim in tackling “level 3” crime was to be “mysterious and menacing”. I pointed out how they were going to be absorbing the National High Tech Crime Unit (NHTCU) and that this would leave a large gap, in that there would apparently be no police organisation dealing with “level 2” eCrime — crime which is not local to a single police force area, but which is not sufficiently serious or organised to be dealt with by SOCA.
In fact, I’ve since learnt that the inability to deal with level 2 criminality is not just an eCrime issue. In 2005 Her Majesty’s Inspectorate of Constabulary (HMIC) published “Closing the Gap – Review of the ‘Fitness for Purpose’ of the Current Structure of Policing in England and Wales”, which found that the failure to deal with “level 2” criminality was an issue across a very wide range of different crimes (the whole report makes its points without once mentioning eCrime or the Internet). This led to the now abandoned proposals to compulsorily merge 43 police forces into 17 larger units. No further generic policy initiative appears to be forthcoming.
However, as I wrote in October, there is some thought going into eCrime, and the current proposal is “mainstreaming”, viz: not treating it as anything special.
Additionally, the Met Police have been floating the idea of a national coordination centre for eCrime reports, as hinted at in this January 2007 Met eCrime progress report to the Metropolitan Police Authority. Current indications are that the Home Office may have problems coming up with the money to fund the centre, although SCDEA e-Crime, the equivalent unit in Scotland, is funded by the Scottish Executive. Perhaps more about progress south of the border will come to light in March, when Commander Sue Wilkinson, the Association of Chief Police Officers (ACPO) lead on eCrime, testifies before a House of Lords Select Committee.
But, I’m digressing, so back to SOCA…
Last month I, and a couple of other eCrime policy opinion formers (!), were invited down to Docklands for the proverbial “free lunch” and several hours of presentations on what SOCA is doing about “level 3” criminality. It’s a little tricky to report on the detail, because they asked us to treat some of the material in confidence. However, two clear messages stood out:
The first is that the absorbed NHTCU is now significantly bigger, significantly better resourced, and, with the hiving off of “child abuse image” issues to CEOP, is not being forever distracted into chasing down individual paedophiles (if there was one child at risk, or a 420-million dollar bank hack to investigate, the former tended to get all the resource). This is basically a Good Thing, so far as it goes.
The second message is that SOCA is a “harm reduction agency” and is not just concentrating on detective work and prosecutions. They are also looking at a whole range of other interventions, from offender management (serious, organised criminals have a very high recidivism rate) through diligent application of the Proceeds of Crime legislation, to working with industry to harden systems against criminal opportunities.
They have a Bill before parliament at present (the Serious Crime Bill) which will give them sweeping new powers to create “gangster-ASBOs” to restrict the lives of convicted organised criminals, and will permit the wholesale swapping of data for the prevention of fraud, without infringement of the Data Protection Act. The Bill also reworks the framework for “inchoate” offences, viz: incitement to commit crimes or assisting with them — of which perhaps more on another occasion, since poor wording for the offences could make many security research activities problematic.
Looking back, it is this strong emphasis on SOCA’s approach to ensuring “crime doesn’t pay” that remains with me most strongly. This isn’t just the approach of locking Al Capone up for tax evasion because nothing else could be made to stick (though Capone actually served time for several other offences). This is all about SOCA developing an effective way of stripping criminals of their ill-gotten gains.
I’m reminded of Sir Alan Sugar giving a lecture about management way back in the 1980s. He was mocking the catch-phrase/mission-statement culture, memorably saying, “‘Pan Am takes good care of you’, ‘Marks and Spencer loves you’, ‘Securicor cares’ . . . at Amstrad, ‘We just want your money’”. Twenty years on, that seems a rather apt phrase for a significant slice of SOCA’s activities.
Financial Ombudsman on Chip & PIN infallibility
The Financial Ombudsman Service offers to adjudicate disputes between banks and their customers who claim to have been treated unfairly. We were forwarded a letter written by the Ombudsman concerning a complaint by a Halifax customer over unauthorised ATM withdrawals. I am not familiar with the details of this particular case, but the letter does give a good illustration of how the complaint procedure is stacked against customers.
The customer had requested further information from Halifax (the Firm) and the Financial Ombudsman Service (this Service) had replied:
However this Service has already been presented with the evidence you have requested from the Firm and I comment on it as follows. Although you have requested this information from the Firm yourself (and I consider that it is not obliged to provide it to you) I conclude that this will not make any difference, because this Service has already reviewed this information.
The right of parties in dispute to see the evidence involved is a basic component of justice systems, but the Financial Ombudsman has clearly not heard of this; then again, they are funded by the banks. While the bank can have its own experts examine the evidence, the customer cannot do the same. Although the Financial Ombudsman Service can review the evidence, giving it to the customer would allow them to pursue further investigation on their own.
The Firm has provided an ‘audit trail’ of the transactions disputed by you. This shows the location and times of the transactions and evidences that the card used was ‘CHIP’ read.
Without access to the audit trail and information concerning how it was produced, it is almost impossible for the customer to know the precise details of the transaction. Based solely on the letter, there are still a number of important unanswered questions. For example:
- Was the card in question SDA or DDA?
  - SDA cards can be cloned to produce yes cards, which will accept any PIN and still work in offline transactions, where the terminal or ATM does not contact the bank. This type of fraud has been seen in France (pp. 5–10).
- Was the ATM online or offline at the time of the transaction?
  - Although ATMs are generally online, if Chip & PIN terminals fail to dial up the bank they may continue to work offline and so accept SDA clones. Could this have happened with this ATM?
- What was the application cryptogram presented in this transaction?
  - When a Chip & PIN card authorises a transaction, it produces an application cryptogram which allows the bank to verify that the card is legitimate. A yes card would not produce the correct application cryptogram.
- What is the key for the card?
  - The application cryptogram is produced using a cryptographic key known only by the card and the bank. With this and some other information the customer could confirm that the application cryptogram really came from his card. Since the card has long since been cancelled, releasing this key should not be a security risk. If the banks are not storing this information, how can they be sure that their systems are operating correctly?
It seems unlikely that the Financial Ombudsman knew which of these events have occurred either, otherwise I would have expected them to say so in their letter.
As we have already advised you, since the advent of CHIP and PIN, this Service is not aware of any incidents where a card with a ‘CHIP’ has been successfully cloned by fraudsters so that it could be used by them successfully in a cash machine.
Besides the scenarios mentioned above, our demonstration for Watchdog showed how, even without cloning a card, a Chip & PIN terminal could be fooled into accepting a counterfeit. Assuming this ATM read the chip rather than the magnetic stripe, our attack would work just as well there. The situation surrounding this particular case might preclude a relay attack, but it is one of many possibilities that ought to be eliminated in a serious investigation.
Although you question The Firm’s security systems, I consider that the audit trail provided is in a format utilised by several major banks and therefore can be relied upon.
The format of the audit trail is no indication of whether the information it records is a true and complete representation of what actually happened, and it is almost ludicrous to suggest that it is. Even if it were, the fact that several banks are using it is no indication of its security. To actually establish these facts, external scrutiny is required and, without access to the bank’s systems, customers are not in a position to arrange for this.
So the banking dispute resolution process works well for the banks, by reducing their litigation costs, but not well for their customers. If customers go to the Ombudsman, they risk being asked to prove their innocence without being given access to the information necessary to do so. Instead, they could go directly to the courts, but while the bank might accuse customers of not following proper procedures, if they win there they can at least send in the bailiffs.
Chip & PIN relay attacks
Saar Drimer and I have shown that the Chip & PIN system, used for card payments in the UK, is vulnerable to a new kind of fraud. By “relaying” information from a genuine card, a Chip & PIN terminal in another shop can be made to accept a counterfeit card. We previously discussed this possibility in “Chip & Spin”, but it was not until now that we implemented and tested the attack.
A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster’s accomplice, in another shop, inserts their counterfeit card into the merchant’s terminal. The fake terminal reads details from the genuine card, and relays them to the counterfeit card, so that it will be accepted. The PIN is recorded by the fake terminal and sent to the accomplice for them to enter, and they can then walk off with the goods. To the victim, everything was normal, but when their statement arrives, they will find that they have been defrauded.
From the banks’ perspective, there will be nothing unusual about this transaction. To them, it will seem as if the real card was used, with a chip and along with the correct PIN. Banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud.
For more information, we have a summary of the technique and FAQ. This attack will be featured on Watchdog, tonight (6 February) at 19:00 GMT on BBC One. The programme will show how we successfully sent details between two shops in the same street, but it should work equally well, via mobile phone, to the other side of the world.
It is unlikely that criminals are currently using techniques such as this, as there are less sophisticated attacks which Chip & PIN remains vulnerable to. However, as security is improved, the relay attack may become a significant source of fraud. Therefore, it is important that defences against this attack are deployed sooner rather than later. We discuss defences in our draft academic paper, submitted for review at a peer reviewed conference.
Update (2007-01-10): The segment of Watchdog featuring our contribution has been posted to YouTube.
Health database optout – latest news
This morning I debated health privacy on Radio 4’s Today programme with health minister Lord Warner. You can listen to the debate here, and there is an earlier comment by Michael Summers of the Patients’ Association here.
I support a campaign by TheBigOptOut.org which has so far persuaded thousands of people to write to their GPs forbidding the upload of their patient records to central systems. Once they are uploaded, you’ll have to prove ‘substantial mental distress’ to the government (as Lord Warner says) to get them removed or restricted. It is much simpler to tell your GP not to upload them in the first place (and you can always change your mind later if the Government delivers on its claims about safety and privacy).
For more, see TheBigOptOut.org, nhs-it.info and my previous blog posts here, here and here, and our work on children’s databases (children’s safety and privacy might be particularly at risk from the proposals, as I explain in the debate).
Health privacy … breaking news …
The Chief Medical Officer, Sir Liam Donaldson, has written a letter to all GPs and hospital medical directors telling them that if patients try to opt out of the central collection of their medical data, the Secretary of State must be told. This follows a campaign that I’ve been helping and that has attracted strong support – in the press, from GPs and from public opinion.
This letter orders GPs to break patient confidentiality – and apparently for the noble purpose of news management. I understand that at least one GP will be reporting Sir Liam to the General Medical Council. It is entirely up to the patient to decide whether to send an opt-out letter to their GP, to Ms Hewitt, or to both. It is not for a civil servant – even a very grand one like Sir Liam – to unilaterally override the wishes of those patients who decide to write to their GP but not to Ms Hewitt. (It’s also somewhat amusing as, only a month ago, officials were telling patients who tried to opt out that their GPs would decide whether to upload data.)
Developing …
Developments on health privacy…
The Register reports a leaked document from the NHS which concludes that sensitive patient records would probably be safer held locally, rather than stored on a national database as the Government proposes.
This follows a poll last week in which a majority of GPs said they would not upload their patients’ records to the national database. Together the poll and the leak are a double whammy for the misguided and wasteful project to centralise all computer systems in the NHS.
On Wednesday we are launching a campaign to persuade patients to opt out too. The inaugural meeting will be from 7 to 9 PM in Imperial College, London. For background, see recent posts on opting out and on kids’ databases.
Kids’ databases
The Information Commissioner has just published a report we wrote for him on the UK Government’s plans to link up most of the public-sector databases that contain information on children. We’re concerned that aggregating this data will be both unsafe and illegal. Our report has got coverage in the Guardian, the Telegraph (with a leader), the Daily Mail, the BBC and the Evening Standard.
Traffic Data Retention and Forensic Imaging
Last week I participated in yet another workshop on traffic data retention, at ICRI, with the added twist that traffic data retention is now in ‘European Law’ and shall become actual law in most EU countries very soon. It was a special treat to be talking just after Chief Superintendent Luc Beirens, Head of the Belgian Federal Computer Crime Unit, who tried to sell the idea of retention to a crowd of people from the flagship EU privacy project PRIME.
As usual, Beirens assured us that proper judicial oversight exists and will regulate access to traffic data. Yet a different picture emerged when we got into the details of how cyber-crime investigations are conducted. It turns out that the first thing the police do, to the suspects but also to the victims of cyber-crime, is to take a forensic image of their hard disk. This is a sound precaution: booting up the machine to extract evidence may activate malware on a victim’s machine to erase traces, or an alert system on a suspect’s computer.
The obvious question becomes: how does this policy of automatic forensic imaging and analysis of a hard disk interact with traffic data retention? Luc was keen to acknowledge that the investigation procedure would proceed unchanged, and an image of a hard disk that may contain retained data would be taken — and forensic tools used on the totality of the hard disk. To be fair, tools that take a forensic image of, or only look at, parts of the disk according to a set security policy do not exist.
What does this mean? If you are a victim of cyber-crime, or a company you have given your data to is a victim of cyber-crime, all the data will end up with the police. This will be the case irrespective of judicial oversight, or any other safeguards. You may ask yourself what the chance is that the retained data will be kept on a computer that may be part of an investigation. First, do not underestimate the fact that these machines will end up on-line to serve requests, and therefore will be subject to their fair share of attacks. But most importantly, this case will obviously occur as part of an investigation into the misuse of, unauthorized access to, or attempted access to the traffic data retention systems!
This standard procedure may also explain why companies are so reluctant to call in the high tech crime units to help them investigate cyber-crime. Their procedures are simply incompatible with any security policy with a confidentiality component. Would you report some of your documents being stolen from your home or business, if this meant the police taking a copy of every single paper in the building?
Yet another insecure banking system
The banks are thinking about introducing a new anti-phishing measure called the ‘chip authentication protocol’. How it works is that each customer gets a device like a pocket calculator into which you put your ‘chip and PIN’ (EMV) card, enter your PIN (the same PIN you use for ATMs), and it will display a one-time authentication code that you’ll use to log on to your electronic banking service, instead of the current password and security question. The code will be computed by the card, which will encrypt a transaction counter using the EMV authentication cryptogram generation key – the same key the EMV protocol uses to generate a MAC on an ATM or store transaction. The use model is that everyone will have a CAP calculator; you’ll usually use your own, but can lend it to a friend if he’s caught short.
I can see several problems with this. First, when your wallet gets nicked the thief will be able to read your PIN digits from the calculator – they will be the dirty and worn keys. If you just use one bank card, then the thief’s chance of guessing your PIN in 3 tries has just come down from about 1 in 3000 to about 1 in 10. Second, when you use your card in a Mafia-owned shop (or in a shop whose terminals have been quietly reprogrammed) the bad guys have everything they need to loot your account. Not only that – they can compute a series of CAP codes to give them access in the future, and use your account for wicked purposes such as money laundering. Oh, and once all UK banks (not just Coutts) use one-time passwords, the phishermen will just rewrite their scripts to do real-time man-in-the-middle attacks.
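Two of these risks, worked through as an added illustration (not the banks’ CAP specification, and not code from this post): the worn-key PIN guessing odds, and why a counter-based logon code computed while a crooked terminal holds the card remains valid later unless the code also covers the transaction the bank is asked to execute. HMAC-SHA256 stands in for the card’s cryptogram, the key and payee values are constructed, and the PIN check on the card is omitted since the terminal in the scenario has already captured the PIN.

```python
import hashlib
import hmac
from math import comb

def pins_using_exactly(digits: tuple, length: int = 4) -> int:
    """Number of PINs of `length` digits whose digit set is exactly `digits`
    (inclusion-exclusion count of the surjections onto that set)."""
    k = len(digits)
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))

def guess_probability(worn_keys: tuple = (), tries: int = 3, length: int = 4) -> float:
    """Chance of hitting the PIN in `tries` attempts, with or without the hint that
    the PIN uses exactly the worn keys on the CAP calculator."""
    space = pins_using_exactly(worn_keys, length) if worn_keys else 10 ** length
    return min(1.0, tries / space)

def _code(key: bytes, counter: int, data: bytes) -> str:
    """Toy cryptogram: MAC over the transaction counter (plus optional transaction
    data), truncated to an 8-digit code. Stand-in for the EMV AC, not the real thing."""
    mac = hmac.new(key, counter.to_bytes(4, "big") + data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)

class Card:
    """Chip card: secret key plus an ever-increasing transaction counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def cryptogram(self, data: bytes = b"") -> str:
        self.counter += 1
        return _code(self.key, self.counter, data)

class Bank:
    """Bank side: shares the card key and accepts a code for any counter in a
    look-ahead window, so a code generated but never used does not lock the customer out."""
    def __init__(self, key: bytes, window: int = 20):
        self.key, self.last, self.window = key, 0, window
    def verify(self, code: str, data: bytes = b"") -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(_code(self.key, c, data), code):
                self.last = c          # counters never move backwards
                return True
        return False

def logon_only_codes_are_precomputable(n: int = 5) -> bool:
    """A terminal that holds the card for one transaction can ask it for n codes
    now and present them to the bank one at a time later; all are accepted."""
    key = hashlib.sha256(b"constructed demo card key").digest()
    card, bank = Card(key), Bank(key)
    stockpile = [card.cryptogram() for _ in range(n)]    # harvested in the shop
    return all(bank.verify(code) for code in stockpile)  # accepted weeks later

def transaction_bound_codes_resist_stockpiling() -> bool:
    """If the code also covers the payee and amount the bank is asked to act on,
    a code harvested without those details is rejected for that transaction."""
    key = hashlib.sha256(b"constructed demo card key").digest()
    card, bank = Card(key), Bank(key)
    harvested = card.cryptogram()                        # no transaction data
    details = b"payee=ACCT-PLACEHOLDER;amount=500.00"    # what the bank will execute
    rejected = not bank.verify(harvested, details)
    genuine = card.cryptogram(details)                   # customer signs the details
    return rejected and bank.verify(genuine, details)
```

With four distinct worn keys the PIN space shrinks from 10,000 to 24 orderings, and with three worn keys to 36; the counter-only mode accepts every stockpiled code, while the transaction-bound mode only accepts a code computed over the details the bank actually sees.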
I suspect the idea of trying to have a uniform UK solution to the phishing problem may be misguided. Bankers are herd animals by nature, but herding is a maladaptive response to phishing and other automated attacks. It might be better to go to the other extreme, and have a different interface for each customer. Life would be harder for the phishermen, for example, if I never got an email from the NatWest but only ever from Bernie Smith my ‘relationship banker’ – and if I were clearly instructed that if anyone other than Bernie ever emailed me from the NatWest then it was a scam. But I don’t expect that the banks will start to act rationally on security until the liability issues get fixed.