Category Archives: Legal issues

Security-related legislation, government initiatives, court cases

Health IT Report

Late last year I wrote a report for the National Audit Office on the health IT expenditure, strategies and goals of the UK and a number of other developed countries. This showed that our National Program for IT is in many ways an outlier, and high-risk. Now that the NAO has published its own report, we’re allowed to make public our contribution to it.

Readers may recall that I was one of 23 computing professors who wrote to Parliament’s Health Select Committee asking for a technical review of this NHS computing project, which seems set to become the biggest computer project disaster ever. My concerns were informed by the NAO work.

Growing epidemic of card cloning

Markus points us to a story on card fraud by German TV reporter Sabine Wolf, who reported some of our recent work on how cards get cloned. She reports a number of cases in which German holidaymakers had cards cloned in Italy. In one case, a sniffer in a chip and PIN terminal at a ski lift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania. These devices, which apparently first appeared in Hungary in 2003, are now becoming widespread in Europe; one model sits between a card reader and the retail terminal. (I have always refused to use my chip card at stores such as Tesco and B&Q where they want to swipe your card at the checkout terminal and have you enter your PIN at a separate PIN pad – this is particularly vulnerable to such sniffing attacks.)

According to Hungarian police, the crooks bribe the terminal maintenance technicians, or send people round stores pretending to be technicians; the Bavarian police currently have a case in which 150 German cardholders lost 600,000 Euro; the Guardia di Finanza in Genoa have a case in which they’ve recovered thousands of SMSs from phone company computers containing card data; a prosecutor in Bolzano believes that crooks hide in supermarkets overnight and wire up the terminals; and there are also cases from Sweden, France, and Britain. Customers tend to get blamed unless there’s such a large batch of similar frauds that the bank can’t fail to observe the pattern. (This liability algorithm gives the bankers every incentive not to look too hard.)

In Hungary, banks now routinely confirm all card transactions to their customers by SMS. Maybe that’s what banks here will be doing in a year or two (Barclays will already SMS you if you make an online payment to a new payee). It’s not ideal though as it keeps pushing liability to the customer. I suspect it might take an EU directive to push the liability firmly back on the banks, along the lines of the US Federal Reserve’s Regulation E.

Powers, Powers, and yet more Powers …

Our beloved government is once again Taking Powers in the fight against computer crime. The Home Office proposes to create cyber-asbos that would enable the police to ban suspects from using such dangerous tools as computers and bank accounts. This would be done in a civil court against a low evidence standard; there are squeals from the usual suspects such as zdnet.

The Home Office proposals will also undermine existing data protection law; for example by allowing the banks to process sensitive data obtained from the public sector (medical record privacy, anyone?) and ‘dispelling misconceptions about consent’. I suppose some might welcome the proposed extension of ASBOs to companies. Thus, a company with repeated convictions for antitrust violations might be saddled with a list of harm-prevention conditions, for example against designing proprietary server-side protocols or destroying emails. I wonder what sort of responses the computer industry will make to this consultation 🙂

A cynic might point out that the ‘new powers’ seem in inverse proportion to the ability, or will, to use the existing ones. Ever since the South Sea Bubble in the 18th century, Britain has been notoriously lax in prosecuting bent bankers; city folk are now outraged when a Texas court dares to move from talk to action. Or take spam; although it’s now illegal to send unsolicited commercial emails to individuals in the UK, complaints don’t seem to result in action. Now trade and industry minister ‘Enver’ Hodge explains this is because there’s a loophole – it’s not illegal to spam businesses. So rather than prosecuting a spammer for spamming individuals, our beloved government will grab a headline or two by blocking this loophole. I don’t suppose Enver ever stopped to wonder how many spam runs are so well managed as to not send a single item to a single private email address – cheap headlines are more attractive than expensive, messy implementation.

This pattern of behaviour – taking new powers rather than using the existing ones – is getting too well entrenched. In cyberspace we don’t have law enforcement any more – we have the illusion of law enforcement.

New card security problem?

Yesterday my wife received through the post a pre-approved unsolicited gold mastercard with a credit limit of over a thousand pounds. The issuer was Debenhams and the rationale was that she has a store card anyway – if she doesn’t want to use the credit card she is invited to cut the credit card in half and throw it away. (Although US banks do this all the time and UK banks aren’t supposed to, I’ll leave to the lawyers whether their marketing tactics test the limits of banking regulation.)

My point is this: the average customer has no idea how to ‘cut up’ a card now that it’s got a chip in it. Bisecting the plastic using scissors leaves the chip functional, so someone who fishes it out of the trash might use a yescard to clone it, even if they don’t know the PIN. (Of course the PIN mailer might be in the same bin.)

Here at the Lab we do have access to the means to destroy chips (HNO3, HF) but you really don’t want that stuff at home. Putting 240V through it will stop it working – but as this melts the bonding wires, an able attacker might depackage and rebond the chip.

My own suggestion would be to bisect the whole chip package using a pair of tin snips. If you don’t have those in your toolbox a hacksaw should do. This isn’t foolproof as there exist labs that can retrieve data from chip fragments, but it’s probably good enough to keep out the hackers.

It does seem a bit off, though, that card issuers now put people to the trouble of devising a means of the secure disposal of electronic waste, when consumers mostly have neither the knowledge nor the tools to do so properly.

Censoring science

I’ve written a rebuttal in today’s Guardian to an article that appeared last week by Martin Rees, the President of the Royal Society. Martin argued that science should be subjected to more surveillance and control in case terrorists do bad things with it.

Those of us who work with cryptography and computer security have been subjected to a lot of attempts by governments to restrict what we do and publish. It’s a long-running debate: the first book written on cryptology in English, by Bishop John Wilkins in 1641, remarked that ‘If all those useful Inventions that are liable to abuse, should therefore be concealed, there is not any Art or Science which might be lawfully profest’. (John, like Martin, was Master of Trinity in his day.)

In 2001–2, the government put an export control act through Parliament which, in its original form, would have required scientists working on subjects with possible military applications (that is, most subjects) to get export licenses before talking to foreigners about our work. FIPR colleagues and I opposed this; we organised Universities UK, the AUT, the Royal Society, the Conservatives and the Liberals to bring in an amendment in the Lords creating a research exemption for scientists. We mustn’t lose that. If scientists end up labouring under the same bureaucratic controls as companies that sell guns, then both science and nonproliferation will be seriously weakened.

Some people love to worry: Martin wrote a whole book wondering about how the human race will end. But maybe we should rather worry about something a bit closer to hand — how our civilisation will end. If a society turns inwards and builds walls to keep the barbarians out, then competition abates, momentum gets lost, confidence seeps away, and eventually the barbarians win. Imperial Rome, Ming Dynasty China, … ?

How to use a chip card whose PIN you don't know

We’ve got emails from several people complaining that after their card had been stolen, someone did a fraudulent transaction on it — without knowing the PIN. In some cases the victim had never used the card in a retail transaction and didn’t know the PIN.

An article in yesterday’s Daily Mail hints at how. In technical language, you read the card, which gives you everything except the MAC key. You now write this data to a fresh card, for which you know the PIN. If this clone card is used in an offline terminal, the transaction will go through and the log will show the PIN was correctly entered. The moral, I suppose, is that customers in dispute with their banks should demand that the banks disclose the MAC key and show that the MAC on the transaction log was correct. Whether their systems support this is of course another story.
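To make the mechanism above concrete, here is a toy model of the offline transaction, written for this page as an added illustration rather than taken from the post or from any real card or terminal software. It assumes a deliberately simplified interface (one static data blob, one PIN check on the chip, one HMAC-SHA256 standing in for the card’s transaction cryptogram) and constructed account and transaction data; real EMV cards use a 3DES-based MAC and a rather more elaborate message flow. The point it shows is the one the post makes: the offline terminal accepts whatever PIN verdict the card gives, so a clone that knows its own PIN produces a log entry reading “PIN verified”, and only the issuer, holding the genuine card’s MAC key, can tell the clone’s cryptogram from the real thing.

```python
"""Toy model of an offline chip-and-PIN transaction against a cloned card.

Added illustration for this page, not code from the original post. The card,
terminal and issuer interfaces are simplified stand-ins for the real EMV
messages; all keys, account data and transaction data are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ChipCard:
    static_data: bytes   # account data that anyone with a reader can copy
    pin: str             # checked on the chip during offline PIN verification
    mac_key: bytes       # issuer-shared secret; never leaves a genuine chip

    def verify_pin(self, candidate: str) -> bool:
        # Offline, this on-card comparison is all the PIN protects.
        return hmac.compare_digest(candidate.encode(), self.pin.encode())

    def transaction_mac(self, tx: bytes) -> bytes:
        # Stand-in for the transaction cryptogram (assumed HMAC-SHA256 here;
        # real cards use a 3DES-based MAC over a different message layout).
        return hmac.new(self.mac_key, self.static_data + tx, hashlib.sha256).digest()


def clone_from_read_data(genuine: ChipCard, attacker_pin: str) -> ChipCard:
    """Copy everything a reader can extract. The MAC key cannot be read out,
    so the clone carries a key of the attacker's own choosing (random here)
    and a PIN the attacker knows."""
    return ChipCard(static_data=genuine.static_data,
                    pin=attacker_pin,
                    mac_key=secrets.token_bytes(16))


def offline_terminal(card: ChipCard, pin_entered: str, tx: bytes):
    """An offline terminal asks the *card* whether the PIN is right and records
    the cryptogram it is handed without being able to check it. Returns the
    log record on approval, or None if the card rejects the PIN."""
    if not card.verify_pin(pin_entered):
        return None
    return {"data": card.static_data, "tx": tx,
            "pin_verified": True, "mac": card.transaction_mac(tx)}


def issuer_verify_mac(issuer_key: bytes, record: dict) -> bool:
    """The check only the issuer can do: recompute the MAC with the genuine
    card's key and compare it with what the terminal logged."""
    expected = hmac.new(issuer_key, record["data"] + record["tx"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["mac"])


def run_scenario(victim_pin: str = "4821", attacker_pin: str = "0000") -> dict:
    """Run one clone transaction and one genuine one through an offline
    terminal and report what the log and the issuer's MAC check each say."""
    issuer_key = secrets.token_bytes(16)  # constructed; shared by issuer and genuine card
    genuine = ChipCard(b"PAN=4929000000001|EXP=0612", victim_pin, issuer_key)
    clone = clone_from_read_data(genuine, attacker_pin)
    tx = b"GBP 250.00 merchant=shop001 seq=17"  # constructed transaction data

    clone_record = offline_terminal(clone, attacker_pin, tx)
    genuine_record = offline_terminal(genuine, victim_pin, tx)
    return {
        "attacker_knew_victim_pin": attacker_pin == victim_pin,
        "clone_pin_logged_ok": clone_record is not None and clone_record["pin_verified"],
        "clone_mac_valid": issuer_verify_mac(issuer_key, clone_record),
        "genuine_mac_valid": issuer_verify_mac(issuer_key, genuine_record),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The terminal log for the clone is indistinguishable from a genuine one until someone with the issuer key recomputes the MAC, which is why a customer in dispute would want the bank to produce exactly that check. A clone’s MAC fails with overwhelming probability because its key is independent of the issuer’s; a collision on a 16-byte random key is not a realistic concern.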

ATMs and Disclosure Laws

My local freesheet had an article entitled ‘Skimming device found at Tesco’ (‘Bedfordshire on Sunday’, May 21, p 30). This managed barely 6 column inches, so common is the offence these days. What caught my eye was an appeal by the police for anyone who used the machine at Flitwick between 1030 and 1130 AM on Tuesday last week to check their accounts and report any unauthorised transactions.

Now hang on. Why can’t the bank that operates the machine help them? They have the definitive list of potential victims. Come to think of it, when a skimmer is found on Barclays’ machine, and they see that customer X from Lloyds just used it, why don’t they write to Lloyds suggesting they invite her to check her account? Well, you can imagine what Barclays’ lawyers would think of that, but where does the public interest lie?

The Americans do this sort of thing much better. California has a law mandating prompt notification of individuals potentially affected by information compromises, and many other states are trying to follow. According to a survey reported by SANS, 71% of Americans want this to become a federal law, and 46% said that they would have serious doubts about political candidates who did not support improving the law.

I initially had my doubts about the Californian initiative, but Tescos in Flitwick are helping convince me.

What's a security problem?

On Wednesday I was driving back from Oxford and dropped off at Tesco to buy some food. They had an offer ‘5 for 4’ — buy any 5 items of packaged fruit or vegetables and get the cheapest of them for free. I bought seven items. I would have expected to get the fifth cheapest item free, but their computer instead gave me the seventh cheapest item. Here is the evidence.

A few years ago, it was common for website designers to make errors in logic that enabled customers to get unanticipated discounts. These were seen as ‘security failures’. Nowadays it seems that programmers err on the other side. Thankfully, this has stopped the security problems.

Or has it? Here’s how to attack Tesco if you don’t like them. Go and buy six packs of fruit and veg, then take the receipt to your local Trading Standards and make a formal complaint. If a hundred people do that, it’ll cost them plenty.
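The till’s error and its mirror image are both business-logic bugs, so here is an added example (written for this page, not Tesco’s code or the post’s) putting the three candidate rules side by side: the rule the receipt suggests the till applied (the single cheapest item in the whole basket once it qualifies), a hypothetical over-discounting variant of the kind the older website bugs produced (‘one in five free’ implemented as 20% off everything), and the rule the offer actually states, generalised to any number of items by partitioning the basket into groups of five in the customer-favourable way. Prices are constructed and held in pence to keep the arithmetic exact.

```python
"""Three implementations of a 'buy 5, cheapest free' multibuy offer.

Added example for this page, not retailer code. Prices are constructed and
given in pence so that the comparisons are exact integers.
"""
GROUP = 5  # items per qualifying group


def discount_cheapest_in_basket(prices):
    """What the receipt in the post suggests the till did: once the basket
    holds 5 or more items, take off the single cheapest item in the basket.
    Under-rewards any basket of more than 5 items."""
    return min(prices) if len(prices) >= GROUP else 0


def discount_percent_off(prices):
    """Hypothetical over-discounting bug in the style of the old website
    errors: 'one in five free' implemented as 20% off the whole basket."""
    return sum(prices) // GROUP if len(prices) >= GROUP else 0


def discount_per_group(prices):
    """The rule as stated: split the basket into groups of 5 and give the
    cheapest item in each group free. Sorting by price descending and
    taking every 5th item is the partition most favourable to the customer
    (no group can have a minimum higher than the 5th most expensive item
    left), so the free items are the 5th, 10th, ... most expensive."""
    ordered = sorted(prices, reverse=True)
    return sum(ordered[GROUP - 1::GROUP])


def shortfall(prices):
    """How much the 'cheapest in basket' till rule underpays against the
    offer as stated: the figure a Trading Standards complaint would cite."""
    return discount_per_group(prices) - discount_cheapest_in_basket(prices)


def compare(prices):
    """Report all three rules for one basket."""
    return {
        "cheapest_in_basket": discount_cheapest_in_basket(prices),
        "percent_off": discount_percent_off(prices),
        "per_group": discount_per_group(prices),
        "shortfall": shortfall(prices),
    }


if __name__ == "__main__":
    basket = [300, 250, 200, 150, 100, 80, 50]  # constructed: seven items, pence
    for rule, pence in compare(basket).items():
        print(f"{rule:>18}: {pence / 100:.2f}")
```

With seven items the stated rule makes the fifth most expensive item free, the till rule the seventh, and the percentage rule hands out more than either; only the per-group rule is monotone in the number of items without either over- or under-paying, which is the property a checkout implementation should be tested against rather than a single worked basket.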

The Internet allows the rapid dissemination, and anonymous exploitation, of vulnerability information, as Microsoft has learned over the last five years. Maybe there are variants of this lesson that will be even more widely learned.

Chinese website registration

The OpenNet Initiative has released a bulletin on China’s website registration policy. This mandates that all non-commercial websites hosted in China be registered with the Ministry of Information Industry (MII), whereas previously this applied only to commercial sites.

Failure to register a site by July 2005 was punishable by a ¥10 000 fine (about €1 000 and 2/3 of an average urban Chinese annual income) as well as removal of the website. Sites are required to put their registration number at the centre-bottom of the homepage. Failure to comply makes the owner liable for a fine of ¥5 000 to ¥10 000.

Enforcement is not only by the MII, but also by the hosting ISPs. This is encouraged by a ¥10 000 fine for hosting unregistered content. ISPs are also responsible for cutting off sites in violation of these rules; however, IP/port blocks have also been reported, along with the consequent over-blocking of virtual hosts. The MII also operates the “Night Crawler”, which searches for sites not displaying a registration number.

Rebecca MacKinnon suggests that this move might shift Chinese bloggers on to commercial sites such as MSN Spaces, Blogbus, Bokee or Sina, which implement their own keyword filtering to prevent themselves being blocked (as Typepad and Blogsome have been). This shifts the cost and accountability of censorship away from the government and to the edges, as has been done for registration enforcement. The remaining bloggers who maintain their own site will be required to register and so are more likely to self-censor.

The registration process is entirely online, and consists of the owner entering personal information (name, address, etc…) as well as the site description, an email address and mobile phone number. The registration request must then be reviewed by the MII and after a few days the owner is notified of the result and given the registration number if successful.

Interestingly, only the mobile phone number and email address are verified by sending a code to them, which ties in well to the compulsory mobile phone registration in December. Criminals in the UK have been known to steal mobile phones to give untraceable communication in the course of committing offences. Perhaps stolen phones will be used in China to produce fraudulent website registrations for people who would like to keep their anonymity?