Monthly Archives: February 2007

(In)security at the University of Birmingham

I travelled to the University of Birmingham on Friday to give a guest lecture to their undergraduates on Anonymity and Traceability. It was given in a smart new lecture theatre, which had what Birmingham apparently call a lectern PC at the front with buttons to give the speaker control of the room’s AV devices and lighting, along with a proper PC running various Windows applications, so you can plug in your USB flash drive and display your material.

As you can see from the photo, they have a rather trivial security model for using this PC:

Birmingham Lectern PC with text “Username=user” and “Password=user&2006”

The text (apologies for a rather fuzzy photo) says: "Username=user" and "Password=user&2006".

With a little thought, it can be seen that most likely this isn’t really a security issue at all, but a software design issue. I rather suspect that there just isn’t a way of turning off the login function, and the PC can’t be used to access any other important systems — and no-one wants to see lectures delayed if the password isn’t to hand. That’s undoubtedly why they’ve used proper Dymo-style tape for the information, rather than relying on the traditional yellow sticky, which could get lost!

SOCA: we just want your money?

Just over a year ago I wrote about the then-upcoming Serious Organised Crime Agency (SOCA), reporting that their aim in tackling “level 3” crime was to be “mysterious and menacing”. I pointed out how they were going to be absorbing the National High Tech Crime Unit (NHTCU) and that this would leave a large gap, in that there would apparently be no police organisation dealing with “level 2” eCrime — crime which is not local to a single police force area, but that is not sufficiently serious or organised to be dealt with by SOCA.

In fact, I’ve since learnt that the inability to deal with level 2 criminality is not just an eCrime issue. In 2005 Her Majesty’s Inspectorate of Constabulary (HMIC) published “Closing the Gap – Review of the ‘Fitness for Purpose’ of the Current Structure of Policing in England and Wales”, which found that the failure to deal with “level 2” criminality was an issue across a very wide range of different crimes (the whole report makes its points without once mentioning eCrime or the Internet). This led to the now-abandoned proposals to compulsorily merge 43 police forces into 17 larger units. No further generic policy initiative appears to be forthcoming.

However, as I wrote in October, there is some thought going into eCrime and the current proposal is “mainstreaming”, viz: not treating it as anything special.

Additionally, the Met Police have been floating the idea of a national coordination centre for eCrime reports, as hinted at in this January 2007 Met eCrime progress report to the Metropolitan Police Authority. Current indications are that the Home Office may have problems coming up with the money to fund the centre, although SCDEA e-Crime, the equivalent unit in Scotland, is funded by the Scottish Executive. Perhaps more about progress south of the border will come to light in March, when Commander Sue Wilkinson, the Association of Chief Police Officers (ACPO) lead on eCrime, testifies before a House of Lords Select Committee.

But, I’m digressing, so back to SOCA

Last month I, and a couple of other eCrime policy opinion formers (!), were invited down to Docklands for the proverbial “free lunch” and several hours of presentations on what SOCA is doing about “level 3” criminality. It’s a little tricky to report on the detail, because they asked us to treat some of the material in confidence. However, two clear messages stood out:

The first is that the absorbed NHTCU is now significantly bigger, significantly better resourced, and with the hiving off of “child abuse image” issues to CEOP, is not being forever distracted into chasing down individual paedophiles (if there was one child at risk, or a 420-million dollar bank hack to investigate, the former tended to get all the resource). This is basically a Good Thing, so far as it goes.

The second message is that SOCA is a “harm reduction agency” and is not just concentrating on detective work and prosecutions. They are also looking at a whole range of other interventions, from offender management (serious, organised criminals have a very high recidivism rate) through diligent application of the Proceeds of Crime legislation, to working with industry to harden systems against criminal opportunities.

They have a Bill before parliament at present (the Serious Crime Bill) which will give them sweeping new powers to create “gangster-ASBOs” to restrict the lives of convicted organised criminals, and will permit the wholesale swapping of data for the prevention of fraud, without infringement of the Data Protection Act. The Bill also reworks the framework for “inchoate” offences, viz: incitement to commit crimes or assisting with them — of which perhaps more on another occasion, since poor wording for the offences could make many security research activities problematic.

Looking back, it is this strong emphasis on SOCA’s approach to ensuring “crime doesn’t pay” that remains with me most strongly. This isn’t just the approach of locking Al Capone up for tax evasion because nothing else could be made to stick (though Capone actually served time for several other offences). This is all about SOCA developing an effective way of stripping criminals of their ill-gotten gains.

I’m reminded of Sir Alan Sugar giving a lecture about management way back in the 1980s. He was mocking the catch-phrase/mission-statement culture, memorably saying, “‘Pan Am takes good care of you’, ‘Marks and Spencer loves you’, ‘Securicor cares’ . . . at Amstrad, ‘We just want your money’”. Twenty years on, that seems a rather apt phrase for a significant slice of SOCA’s activities.

Financial Ombudsman on Chip & PIN infallibility

The Financial Ombudsman Service offers to adjudicate disputes between banks and their customers who claim to have been treated unfairly. We were forwarded a letter written by the Ombudsman concerning a complaint by a Halifax customer over unauthorised ATM withdrawals. I am not familiar with the details of this particular case, but the letter does give a good illustration of how the complaint procedure is stacked against customers.

The customer had requested further information from Halifax (the Firm) and the Financial Ombudsman Service (this Service) had replied:

However this Service has already been presented with the evidence you have requested from the Firm and I comment on it as follows. Although you have requested this information from the Firm yourself (and I consider that it is not obliged to provide it to you) I conclude that this will not make any difference, because this Service has already reviewed this information.

The right of parties in dispute to see the evidence involved is a basic component of justice systems, but the Financial Ombudsman has clearly not heard of this; then again, they are funded by the banks. While the bank can have their own experts examine the evidence, the customer cannot do the same. Although the Financial Ombudsman Service can review the evidence, giving it to the customer would allow them to pursue further investigation on their own.

The Firm has provided an ‘audit trail’ of the transactions disputed by you. This shows the location and times of the transactions and evidences that the card used was ‘CHIP’ read.

Without access to the audit trail and information concerning how it was produced, it is almost impossible for the customer to know the precise details of the transaction. Based solely on the letter, there are still a number of important unanswered questions. For example:

Was the card in question SDA or DDA?
SDA cards can be cloned to produce yes cards, which will accept any PIN and still work in offline transactions, where the terminal or ATM does not contact the bank. This type of fraud has been seen in France (pp. 5–10).
Was the ATM online or offline at the time of the transaction?
Although ATMs are generally online, if Chip & PIN terminals fail to dial up the bank they may continue to work offline and so accept SDA clones. Could this have happened with this ATM?
What was the application cryptogram presented in this transaction?
When a Chip & PIN card authorises a transaction, it produces an application cryptogram which allows the bank to verify that the card is legitimate. A yes card would not produce the correct application cryptogram.
What is the key for the card?
The application cryptogram is produced using a cryptographic key known only by the card and bank. With this and some other information the customer could confirm that the application cryptogram really came from his card. Since the card has long since been cancelled, releasing this key should not be a security risk. If the banks are not storing this information, how can they be sure that their systems are operating correctly?

It seems unlikely that the Financial Ombudsman knew which of these events had occurred either; otherwise I would have expected them to say so in their letter.

As we have already advised you, since the advent of CHIP and PIN, this Service is not aware of any incidents where a card with a ‘CHIP’ has been successfully cloned by fraudsters so that it could be used by them successfully in a cash machine.

Besides the scenarios mentioned above, our demonstration for Watchdog showed how, even without cloning a card, a Chip & PIN terminal could be fooled into accepting a counterfeit. Assuming this ATM read the chip rather than the magnetic stripe, our attack would work just as well there. The situation surrounding this particular case might preclude a relay attack, but it is one of many possibilities that ought to be eliminated in a serious investigation.

Although you question The Firm’s security systems, I consider that the audit trail provided is in a format utilised by several major banks and therefore can be relied upon.

The format of the audit trail is no indication of whether the information it records is a true and complete representation of what actually happened, and it is almost ludicrous to suggest that. Even if it were, the fact that several banks are using it is no indication of its security. To actually establish these facts, external scrutiny is required and, without access to the bank’s systems, customers are not in a position to arrange for this.

So the banking dispute resolution process works well for the banks, by reducing their litigation costs, but not well for their customers. If customers go to the Ombudsman, they risk being asked to prove their innocence without being given access to the information necessary to do so. Instead, they could go directly to the courts, but while the bank might accuse customers of not following proper procedures, if they win there they can at least send in the bailiffs.

Chip & PIN relay attacks

Saar Drimer and I have shown that the Chip & PIN system, used for card payments in the UK, is vulnerable to a new kind of fraud. By “relaying” information from a genuine card, a Chip & PIN terminal in another shop can be made to accept a counterfeit card. We previously discussed this possibility in “Chip & Spin” but it was not until now that we implemented and tested the attack.

A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster’s accomplice, in another shop, inserts their counterfeit card into the merchant’s terminal. The fake terminal reads details from the genuine card, and relays them to the counterfeit card, so that it will be accepted. The PIN is recorded by the fake terminal and sent to the accomplice for them to enter, and they can then walk off with the goods. To the victim, everything was normal, but when their statement arrives, they will find that they have been defrauded.

Equipment used in relay attack

From the banks’ perspective, there will be nothing unusual about this transaction. To them, it will seem as if the real card was used, with a chip and the correct PIN. Banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud.
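To make concrete what the questions raised in the Ombudsman post (SDA clone, online or offline, application cryptogram, card key) can and cannot settle, here is an added toy model of the issuer-side checks; it is example code written for this page, not the authors' work or any bank's system, and it uses HMAC-SHA256 as a stand-in for the real EMV cryptogram algorithm, with the card classes, key, PIN and terminal ids all constructed. It also models the relayed transaction described above, which passes exactly the same checks as the genuine card, so the cryptogram alone cannot tell the bank whether the customer's card was physically at the terminal named in the audit trail.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Transaction:
    terminal_id: str        # where the audit trail says the card was read
    amount_pence: int
    unpredictable: bytes    # terminal nonce, so an old cryptogram cannot be replayed
    atc: int = 0            # application transaction counter, filled in by the card

def cryptogram(key: bytes, tx: Transaction) -> bytes:
    # Stand-in for the EMV application cryptogram: a MAC over the transaction
    # data under the card's secret key (real cards use 3DES; HMAC assumed here).
    msg = (tx.atc.to_bytes(2, "big") + tx.amount_pence.to_bytes(6, "big")
           + tx.unpredictable + tx.terminal_id.encode())
    return hmac.new(key, msg, "sha256").digest()[:8]

class GenuineCard:
    def __init__(self, key: bytes, pin: str):
        self.key, self.pin, self.atc = key, pin, 0
    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin, pin)
    def generate_ac(self, tx: Transaction) -> bytes:
        self.atc += 1
        tx.atc = self.atc
        return cryptogram(self.key, tx)
class YesCard:
    # SDA clone: holds no key, so it says yes to any PIN and cannot MAC the data.
    def verify_pin(self, pin: str) -> bool:
        return True
    def generate_ac(self, tx: Transaction) -> bytes:
        return bytes(8)
class RelayedCard:
    # Counterfeit that forwards every request to the genuine card via the relay.
    def __init__(self, genuine: GenuineCard):
        self.genuine = genuine
    def verify_pin(self, pin: str) -> bool:
        return self.genuine.verify_pin(pin)
    def generate_ac(self, tx: Transaction) -> bytes:
        return self.genuine.generate_ac(tx)

def run_transaction(card, pin: str, terminal_id: str, online: bool, issuer_key: bytes) -> dict:
    tx = Transaction(terminal_id, 4999, b"\x01\x02\x03\x04")  # constructed values
    pin_ok = card.verify_pin(pin)
    ac = card.generate_ac(tx)           # the card fills in its ATC here
    ac_valid = hmac.compare_digest(cryptogram(issuer_key, tx), ac)
    # Offline, the terminal can only trust the card's PIN answer; the issuer's
    # cryptogram check happens only when the terminal goes online.
    authorised = pin_ok and (ac_valid if online else True)
    return {"authorised": authorised, "cryptogram_valid": ac_valid, "atc": tx.atc, "terminal_id": terminal_id}
```

The yes card is caught only when the cryptogram is checked online, while the relayed transaction carries a valid cryptogram and the genuine card's next ATC, leaving the terminal id and time in the audit trail as the only evidence of where the card really was.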

For more information, we have a summary of the technique and FAQ. This attack will be featured on Watchdog, tonight (6 February) at 19:00 GMT on BBC One. The programme will show how we successfully sent details between two shops in the same street, but it should work equally well, via mobile phone, to the other side of the world.

It is unlikely that criminals are currently using techniques such as this, as there are less sophisticated attacks to which Chip & PIN remains vulnerable. However, as security is improved, the relay attack may become a significant source of fraud. Therefore, it is important that defences against this attack are deployed sooner rather than later. We discuss defences in our draft academic paper, submitted for review at a peer-reviewed conference.

Update (2007-01-10): The segment of Watchdog featuring our contribution has been posted to YouTube.