On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.

For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.

The main thrust of the DEB’s approach to dealing with unlawful file sharing of copyright material has been a “three strikes” policy. That is, should you be detected to be sharing some popular beat combo’s music without permission, then on the first two occasions you’d receive an admonishing letter, and on the third time then you would be subject to “technical measures” (ie: very slow Internet speeds) or disconnection, the latter doubtless annoying the rest of your family as they would be unable to visit DirectGov / keep up their social life / catch-up TV shows / do their homework / avoid being sacked from their work-from-home job!

However, the Government are concerned that this won’t be enough, and that unlawful sharing of copyright material might occur in new ways in future. So in clause 17 of the DEB they set out a scheme for amendment (in ways that would be decided as future circumstances required) of the Copyright, Designs and Patents Act 1988 through secondary legislation.

It is unusual to grant such open ended powers to amend primary legislation, because Parliament would be presented with an unamendable statutory instrument and invited to vote for it — no such SI has been defeated in the House of Lords since 2000, and the time before that was in 1968.

There was an outcry over the breadth of clause 17, and so the Government set out amendments to restrict it — but last week peers voted for an opposition amendment (120A) to have an alternative arrangement altogether, a regime of High Court injunctions that would force ISPs to block websites.

This is such a dumb (and dangerous) idea that it has all the characteristics of a wrecking amendment, added to the Bill just to eat up parliamentary time so that the whole Bill will fall at the dissolution for the upcoming election.

There are so many problems with the new clause that it’s hard to know where to begin.

For an analysis of how the costs regime makes it very likely that ISPs will just block, rather than risking the cost of a court action see this article by Francis Davey (a working barrister).

The next problem is that most ISP blocking is trivial to evade. Although Ofcom reports that 98.6% of UK consumer broadband lines are supplied by ISPs who use the Internet Watch Foundation (IWF) list to block child sexual abuse images, in practice all of the systems are trivial to evade by using https links, by using proxies, or in most cases by running your own DNS server or just hard-coding IP addresses into your HOSTS file.

It suits everyone (IWF, ISPs, Government) to pretend that the IWF list blocking schemes work, but when ISPs are faced with the prospect of being found in contempt of court, they will have to implement something which is actually effective — which can in practice only mean “blackholing” IP addresses so that no traffic can be exchanged.

That will mean that everything else at that address is will be blocked as well — so all of t35.com, smtp.ru or blogger.com would disappear if a foreign company’s view of what was a copyright infringement in their jurisdiction was to differ from that of the UK High Court (for example, Disney’s Snow White is out of copyright in Japan — the term is 75 years from 1937 date of release — but not in the UK — where the term is Walt Disney’s 1967 death + 70 years).

IP address blocking is also relatively simple to evade (as has already been discovered by the citizens of China, Iran and elsewhere), by means of proxies, by IP address agility by the websites, or by means of general purpose anonymity systems such as Tor. When the content industries find that the sites aren’t actually blocked, how realistic (or how draconian) will the High Court be ?

Interestingly, the security services (MI5/MI6) share this concern. If evading blocking systems becomes a mainstream activity (and there’s said to be 6-7 million illegal file sharers in the UK) then it will be used, almost automatically, by subversive groups — preventing the spooks from examining the traffic patterns and comprehending the threat. The amendment says that the court must consider “any issues of national security raised by the Secretary of State”, but it’s unclear how they’ll do that even if Lord Mandelson is prepared to wander down to Strand and say that he’s worried that snooping won’t be so effective in the future.

The final problem is that their Lordships clearly envisaged these injunctions being taken out by major film studios against the latest incarnation of The Pirate Bay or some equally high profile den of wickedness. But what if it turns out that they’re used:

• to block US University websites — It’s common to find otherwise hard to view academic papers on such sites, usually through allowing non-local access to material which is being provided to students under “fair use” provisions;
• to block YouTube — which contains thousands of copyright infringing items; there’s not even any need for a High Court litigant to be the copyright owner, so one aggrieved party could point at all the other infringements to show how substantial the problem is;
• to block access to embarassing leaked documents on Wikileaks or (as Microsoft briefly managed recently under US DMCA provisions), on Cryptome;
• to block access to the next disclosure of unjustifiable Parliamentary expense claims!

The Earl of Erroll who, although a hereditary peer, is one of the few members of the Upper House with substantial “clue” on Internet matters spoke out clearly against the amendment and in favour of just deleting clause 17. Perhaps in Third Reading, next Monday, the House will listen more carefully to what he has to say — sending this Bill to the Commons in its current form makes a mockery of the Lords’ claim to intelligently revise flawed legislation …

… for the real risk is that the Bill could subsequently go through all substantive Commons stages “on the nod” in a few frantic minutes after the election is called, with the Government accepting all the Lords amendments to avoid a time-consuming game of Parliamentary ping-pong. Wrecking the bill is one thing, wrecking the Internet in the UK is quite another!

Doctors’ leaders are now alarmed. Patients are being misinformed, and opt-out is being made difficult.

The information being given to patients is false and misleading. The SCR promotional leaflet says anyone who has access to your records … must be directly involved in caring for you. However, large numbers of officials will have access. And as I already noted, the SCR isn’t as helpful in emergencies as it’s spun. Its purpose is actually different: to provide the basis for a centralised electronic patient record for everyone.

Doctors have noted that in the pilot areas, seven out of ten patients are unaware that an SCR was created for them. The patient information packs don’t contain an opt-out form; you’re supposed to phone the call centre for one. Over two hundred thousand people have downloaded an opt-out letter from www.thebigoptout.org; now the NHS says it wants doctors to ignore this and get everyone who wants to opt out to use this form instead (which GPs can’t order in bulk).The roll-out is rushed and displays typical incompetence: for example, some patients have been sent other patients’ letters. I am sure this story will run and run.

There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions are easy to look up online, often found in public records, and easy for friends and acquaintances to guess. In a joint work with Mike Just and Greg Matthews from the University of Edinburgh published this week in the proceedings of Financial Cryptography 2010, we’ve examined the more basic question of how secure the underlying answer distributions are to statistical guessing. Put another way, if an attacker wants to do no target-specific work, but just guess common answers for a large number of accounts using population-wide statistics, how well can she do?

Answering this question first required developing the right mathematical model for resistance of a question to guessing. Entropy (specifically Shannon entropy H1) is commonly thrown around as the measure of resistance to guessing, but it was never intended for this purpose and is not appropriate for measuring guessing of non-uniform distributions. Guessing entropy G, the expected number of guesses if answers are guessed in decreasing order of likeliness, is better, but still highly skewed by low-probability events which wouldn’t be guessed in practice. We’re concerned with a trawling attacker, who will guess values like “Smith,” “Jones,” and “Johnson” for a target’s mother’s maiden name, and then move on to other accounts if these don’t work. The frequencies of uncommon names like “Zabielskis” are irrelevant because a trawling attacker will never try them, yet they inflate the values of both H1 and G. Entropy can be very misleading for real-world security, and we hope a contribution of our paper is to encourage the use of “marginal” guessing metrics instead. We even provide a few theorems that prove in a strong way that high entropy  (H1 or G) can give you no security at all against a trawling attacker in the real world.

Using these new metrics, we examined a range of statistics on answer distributions to common personal knowledge questions. It turns out the majority of personal knowledge questions ask for proper names of people, pets, and places, and the rest are trivially insecure (eg “What is my favourite day of the week?”). We collected government census data, pet registration records, and also completely crawled Facebook’s people directory. Incidentally, we believe this Facebook names corpus, consisting of 269 M full names, is the largest such dataset ever assembled and may have many uses outside of security research, which we are happy to provide it for.

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways-South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

Still, there is a strong result that anything named by humans is dangerous to use as a secret. Sociologists have known this for years. Most human names follow a power-law distribution fairly close to Zipfian, which we confirmed in our study. This means every name distribution has a few disproportionately common names—”Gonzalez” amongst Chilean surnames, “Guðrún” amongst Icelandic forenames, “Buddy” amongst pets—for attackers to latch on to. Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security.

One of the topics which has come up is the effect of the no-PIN vulnerability on the consideration of evidence in disputed card transactions. Importantly, we showed that a merchant till-receipt which shows “PIN verified” cannot be relied upon, because this message will appear should the attack we presented be executed, even though the wrong PIN was entered.

On this point, the spokesperson for the banking trade body, the UK Cards Association (formerly known as APACS) stated:

“Finally the issuer would not review a suspected fraud involving a PIN and make a decision based on the customer’s paper receipt stating that the transaction was “PIN verified”, as suggested by Cambridge.”

Unfortunately card issuers do precisely this, as shown in a recent dispute over £9,500 worth of point-of-sale transactions, between American Express and a customer. In their letter to the Financial Ombudsman Service, American Express presented the till receipt as the sole evidence that the PIN was correctly entered:

“We also requested at the time of this claim, supporting documents from [the merchant] and were provided a copy of the till receipts confirming these charges were verified with the PIN.”

Requests to American Express for the audit logs that include the CVR (card verification results), which would have shown whether or not the no-PIN attack had been used, were denied. The ombudsman nevertheless decided against the customer.

The issue of evidence in disputed transaction cases is complex, and wider than questions raised by just the no-PIN attack. To help bring some clarity, I wrote an article, “Reliability of Chip & PIN evidence in banking disputes”, for the 2009 issue of the Digital Evidence and Electronic Signature Law Review, a law journal. This article was written for a legal audience, but would also be suitable for other non-technical readers. It is now available online (PDF 221 kB).

In this article, I give an introduction to payment card security, both Chip & PIN and its predecessors. Then, it includes a high-level description of the EMV protocol which underlies Chip & PIN, with an emphasis on the evidence it generates. A summary of various payment card security vulnerabilities is given, and how their exploitation might be detected. Finally, I discuss methods for collecting and analyzing evidence, along with difficulties currently faced by customers disputing transactions.

Doctors have acted at last. The SCR is being rolled out across London, and the Local Medical Committees there have produced a poster and an opt-out leaflet for doctors to use in their waiting rooms. The SCR is also political: while Labour backs it, the Conservatives and the Lib Dems oppose it. Its roll-out means that millions of leaflets will be distributed to voters, pardon me, patients in London extolling its virtues. A cynic might ask whether this is a suitable use of public funds during an election campaign.

But just how prevalent is typosquatting today, and why is it so pervasive? Ben Edelman and I set out to answer these very questions. In Measuring the Perpetrators and Funders of Typosquatting (appearing at the Financial Cryptography conference), we estimate that at least 938,000 typosquatting domains target the top 3,264 .com sites, and we crawl more than 285,000 of these domains to analyze their revenue sources.

We find that 80% of typo domains are supported by pay-per-click ads. Often, the typo domains show ads that promote the correctly spelled site, along with the site’s competitors. Screenshots of selected examples.

Another 20% of typo domains include static redirects to other sites. For example, 156 misspellings of yellowpages.com redirect to the competing website yellowpagesoftheworld.com. We devised an automated technique that uncovered 75 otherwise legitimate websites which benefited from direct links and redirects from thousands of misspellings of competing websites.

So what’s the harm in typosquatting? First, typosquatting confuses consumers, causing them to visit sites different than the ones they intended to visit. Second, site operators must pay large sums of money to ad platforms such as Google AdWords in order to reach the users who specifically requested the corresponding sites. Third, we found evidence that ad platforms exacerbate typosquatting. Using regression analysis, we determined that websites in categories with higher pay-per-click ad prices face more typosquatting than websites whose keywords fetch lower ad prices.

Just how much revenue comes from ads on typo sites? It is difficult to know for certain, since Google and others do not disclose revenue figures at the granularity of particular advertising programs such as AdSense for Domains. We attempt a back-of-the-envelope estimate using Alexa reports of website popularity. We estimate that typo domains matching the top 100,000 websites collectively receive at least 68.2 million daily visitors. If these typo domains were treated as a single website, that site would be ranked by Alexa as the 10th most popular website in the world. It would be more popular, in unique daily visitors, than twitter.com, myspace.com, or amazon.com!

According to our analysis, 57% of typo sites include Google pay-per-click ads. Combining our observations with financial reports and others’ estimates, we conclude that Google’s revenue from typosquatting on the top 100,000 sites is $497 million per year. This is significant, and not only for the advertisers who are losing out by paying to get their ads placed on typo sites. It matters also because Google’s competitors rely on typosquatting to a much smaller extent: In our testing, Yahoo’s ads appear on 21% of typo sites, and we did not find a single Microsoft ad on any typosquatting site. Looking at Google’s ever-growing share of online search and search advertising, we are struck by the role of typosquatting — making Google look that much larger, to advertisers and to analysts, when in fact this typosquatting traffic is entirely ill-gotten.

However, other findings leave us optimistic about the feasibility of significantly reducing typosquatting. Google’s ad click links indicate which Google partner is paid for clicks at a given typo domain. We found high concentration among Google partners engaged in typosquatting: Of typo domains showing Google ads, 63% use one of five Google advertising IDs. So while the sheer number of typo sites remains high, the number of key perpetrators is small.

Our web appendix details many specific typosquatting domains — including the registrars and hosting companies who support those domains and, crucially, the ad networks whose payments put the system in motion.

Our full posting: Measuring the Perpetrators and Funders of Typosquatting and web appendix.

UPDATE (2010-02-17): New Scientist has published an article.

The ninth installment of WEIS will take place June 7–8 at Harvard. Submissions are due in one week, February 22, 2010. For more information, see the complete call for papers.

WEIS 2010 will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals’ and organizations’ perceptions of privacy and security color their decision making? How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders?

If you have been working to answer questions such as these, then I encourage you to submit a paper.

Perhaps more interesting than the pundit’s responses though is the ability to view thousands of user’s reactions to Buzz as they happen. Google’s design philosophy of “give minimal instructions and just let users type things into text boxes and see what happens” preserved a virtual Pompeii of confused users trying to figure out what the new thing was and accidentally broadcasting their thoughts to the entire Internet. If you search Buzz for words like “stupid,” “sucks,” and “hate” the majority of the conversation so far is about Buzz itself. Thoughts are all over the board: confusion, stress, excitement, malaise, anger, pleading. Thousands of users are badly confused by Google’s “follow” and “profile” metaphors. Others are wondering how this service compares to the competition. Many just want the whole thing to go away (leading a few how-to guides) or are blasting Google or blasting others for complaining.

It’s a major data mining and natural language processing challenge to analyze the entire body of reactions to the new service, but the general reaction is widespread disorientation and confusion. In the emerging field of security psychology, the first 48 hours of Buzz posts could provide be a wealth of data about about how people react when their privacy expectations are suddenly shifted by the machinations of Silicon Valley.

Our technical paper Chip and PIN is Broken explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ and the press release.)

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) — in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you’re not even looking? The banks didn’t even realise they needed to check.

This attack is both academically and practically significant. We get reports weekly from different victims of phantom withdrawals, and these include large numbers of stolen cards used to make purchases in the window between theft and the cancellation of the card. Currently these victims are denied refunds by their banks, but this attack could explain some of the frauds we are seeing. The fact the receipt says “PIN Verified” when actually it wasn’t raises a whole load of legal and evidential questions which call into question the banking industry’s claim that their systems work (and log) properly. Merchants will be none too pleased either; the system no longer protects their interests but only those of the issuing bank.

There’s been some confusion, possibly even misinformation, about our attack and its effects. Cartes Bancaires in France were so concerned that they briefed the press way in advance of our plans for publication. We can set the record straight on a few things:

• the attack applies to cards used online (where the merchant POS contacts the bank) as well as offline;

• the attack works regardless of the amount of money spent (not just for small value amounts that are below floor limit);

• the attack doesn’t work once a card has been cancelled by the bank — just like stolen cards in the past can only be used for a certain window of time once the cardholder discovers the loss;

• the attack doesn’t work at ATMs (cash machines);

• the failure applies to bank card schemes based on EMV – the most widely deployed standard for smartcard payments. Older national smartcard schemes may or may not be vulnerable; we don’t know.

So what went wrong? In essence, there is a gaping hole in the specifications which together create the “Chip and PIN” system. These specs consist of the EMV protocol framework, the card scheme individual rules (Visa, MasterCard standards), the national payment association rules (UK Payments Association aka APACS, in the UK), and documents produced by each individual issuer describing their own customisations of the scheme. Each spec defines security criteria, tweaks options and sets rules – but none take responsibility for listing what back-end checks are needed. As a result, hundreds of issuers independently get it wrong, and gain false assurance that all bases are covered from the common specifications. The EMV specification stack is broken, and needs fixing.

We’re really worried that if something isn’t done to fix this problem, and the many others we’ve found in EMV, other regions adopting it (like the USA) are going to make the same mistakes again and again – and that means customers stay vulnerable.

That’s why again we’re arguing that Chip and PIN is broken. We don’t want people keeping their money in shoe boxes – we want the problems fixed. That means getting decent governance for the system that involves all the stakeholders – banks, regulators, merchants and customers.

Update (2010-02-11): ZDNet UK have some in-depth press coverage, and the story has also been picked up by the Telegraph and Daily Mail.