Category Archives: Security economics

Social-science angles of security

Personal Internet Security: follow-up report

News coverage, Politics, Security economics

The House of Lords Science and Technology Committee have just completed a follow-up inquiry into “Personal Internet Security”, and their report is published here. Once again I have acted as their specialist adviser, and once again I’m under no obligation to endorse the Committee’s conclusions — but they have once again produced a useful report with sound conclusions, so I’m very happy to promote it!

Their initial report last summer, which I blogged about at the time, was — almost entirely — rejected by the Government last autumn (blog article here).

The Committee decided that in the light of the Government’s antipathy they would hold a rapid follow-up inquiry to establish whether their conclusions were sound or whether the Government was right to turn them down, and indeed, given the speed of change on the Internet, whether their recommendations were still timely.

The written responses broadly endorsed the Committee’s recommendations, with the main areas of controversy being liability for software vendors, making the banks statutorily responsible for phishing/skimming fraud, and how such fraud should be reported.

There was one oral session where, to everyone’s surprise, two Government ministers turned up and were extremely conciliatory. Baroness Vadera (BERR) said that the report “was somewhat more interesting than our response” and Vernon Coaker (Home Office) apologised to the Committee “if they felt that our response was overdefensive” adding “the report that was produced by this Committee a few months ago now has actually helped drive the agenda forward and certainly the resubmission of evidence and the re-thinking that that has caused has also helped with respect to that. So may I apologise to all of you; it is no disrespect to the Committee or to any of the members.

I got the impression that the ministers were more impressed with the Committee’s report than were the civil servants who had drafted the Government’s previous formal response. Just maybe, some of my comments made a difference?

Given this volte face, the Committee’s follow-up report is also conciliatory, whilst recognising that the new approach is very much in the “jam tomorrow” category — we will all have to wait to see if they deliver.

The report is still in favour of software vendor liability as a long term strategy to improving software security, and on a security breach notification law the report says “we hold to our view that data security breach notification legislation would have the twin impacts of increasing incentives on businesses to avoid data loss, and should a breach occur, giving individuals timely information so that they can reduce the risk to themselves“. The headlines have been about the data lost by the Government, but recent figures from the ICO show that private industry is doing pretty badly as well.

The report also revisits the recommendations relating to banking, reiterating the committee’s view that “the liability of banks for losses incurred by electronic fraud should be underpinned by legislation rather than by the Banking Code“. The reasoning is simple, the banks choose the security mechanisms and how much effort they put into detecting patterns of fraud, so they should stand the losses if these systems fail. Holding individuals liable for succumbing to ever more sophisticated attacks is neither fair, nor economically efficient. The Committee also remained concerned that where fraud does take place, reports are made to the banks, who then choose whether or not to forward them to the police. They describe this approach as “wholly unsatisfactory and that it risks undermining public trust in the police and the Internet“.

This is quite a short report, a mere 36 paragraphs, but comes bundled with the responses received, all of which from Ross Anderson and Nicholas Bohm, through to the Metropolitan Police and Symantec are well worth reading to understand more about a complex problem, yet one where we’re beginning to see the first glimmers of consensus as to how best to move forward.

Security psychology

Politics, Privacy technology, Security economics, Security engineering

I’m currently in the first Workshop on security and human behaviour; at MIT, which brings together security engineers, psychologists and others interested in topics ranging from deception through usability to fearmongering. Here’s the agenda and here are the workshop papers.

The first session, on deception, was fascinating. It emphasised the huge range of problems, from detecting deception in interpersonal contexts such as interrogation through the effects of context and misdirection to how we might provide better trust signals to computer users.

Over the past seven years, security economics has gone from nothing to a thriving research field with over 100 active researchers. Over the next seven I believe that security psychology should do at least as well. I hope I’ll find enough odd minutes to live blog this first workshop as it happens!

[Edited to add:] See comments for live blog posts on the sessions; Bruce Schneier is also blogging this event.

Slow removal of child sexual abuse image websites

Academic papers, Banking security, Legal issues, News coverage, Security economics

On Friday last week The Guardian ran a story on an upcoming research paper by Tyler Moore and myself which will be presented at the WEIS conference later this month. We had determined that child sexual abuse image websites were removed from the Internet far slower than any other category of content we looked at, excepting illegal pharmacies hosted on fast-flux networks; and we’re unsure if anyone is seriously trying to remove them at all!
Continue reading Slow removal of child sexual abuse image websites

Second edition

Banking security, Electronic voting, Internet censorship, Privacy technology, Security economics, Security engineering

The second edition of my book “Security Engineering” came out three weeks ago. Wiley have now got round to sending me the final electronic version of the book, plus permission to put half a dozen of the chapters online. They’re now available for download here.

The chapters I’ve put online cover security psychology, banking systems, physical protection, APIs, search, social networking, elections and terrorism. That’s just a sample of how our field has grown outwards in the seven years since the first edition.

Enjoy!

New Banking Code shifts more liability to customers

Banking security, Security economics

The latest edition of the Banking Code, the voluntary consumer-protection standard for UK banks, was released last week. The new code claims to “give customers the most up to date information on how to protect their accounts from fraud.” This sounds like a worthy cause, but closer inspection shows customers could be worse off than they were before.

Clause 12.11 of the code deals with liability for losses:

If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

Clauses 12.5 and 12.9 include some debatable advice about anti-virus software and clicking on links in email (more on this in a later post). While malware and phishing emails are a serious fraud threat, it is unrealistic to suggest that home users’ computers can be adequately secured to defeat attacks.

Fraud-detection algorithms are more likely to be effective, since they can examine patterns of transactions over all customers. However, these can only be deployed by the banks themselves.

Existing phishing schemes would be defeated by two-factor authentication, but UK banks have been notoriously slow at rolling out these, despite being widespread in many other European countries. Although not perfect, these defences might cause fraudsters to move to easier targets. Two-channel and transaction authentication techniques additionally give protection against man in the middle attacks.

Until the banks are made liable for fraud, they have no incentive to make a proper assessment as to the effectiveness of these protection measures. The new banking code allows the banks to further dump the cost of their omission onto customers.

When the person responsible for securing a system is not liable for breaches, the system is likely to fail. This situation of misaligned incentives is common, and here we see a further example. There might be a short-term benefit to banks of shifting liability, as they can resist introducing further security mechanisms for a while. However, in the longer term, it could be that moves like this will degrade trust in the banking system, causing everyone to suffer.

The House of Lords Science and Technology committee recognized this problem of the banking industry and recommended a statutory change (8.17) whereby banks would be held liable for electronic fraud. The new Banking Code, by allowing banks to dump yet more costs on the customers, is a step in the wrong direction.

Security Economics and the EU

Security economics

ENISA — the European Network and Information Security Agency — has just published a major report on security economics that was authored by Rainer Böhme, Richard Clayton, Tyler Moore and me.

Security economics has become a thriving field since the turn of the century, and in this report we make a first cut at applying it in a coherent way to the most pressing security policy problems. We very much look forward to your feedback.

(Edited Dec 2019 to update link after ENISA changed their website)

The two faces of Privila

Security economics

We have discussed the Privila network on Light Blue Touchpaper before. Richard explained how Privila solicit links and I described how to map the network. Since then, Privila’s behavior has changed. Previously, their pages were dominated by adverts, but included articles written by unpaid interns. Now the articles have been dropped completely, leaving more room for the adverts.

This change would appear to harm Privila’s search rankings — the articles, carefully optimized to include desirable keywords, would no longer be indexed. However, when Google download the page, the articles re-appear and the adverts are gone. The web server appears to be configured to give different pages, depending on the “User-Agent” header in the HTTP request.

For example, here’s how soccerlove.com appears in Firefox, Netscape, Opera and Internet Explorer — lots of adverts, and no article:
Soccerlove (Firefox)

In contrast, by setting the browser’s user-agent to match that of Google’s spider, the page looks very different — a prominent article and no adverts:
Soccerlove (Google)

Curiously, the Windows Live Search, and Yahoo! spiders are presented with an almost empty page: just a header but neither adverts nor articles (see update 2). You can try this yourself, by using the User Agent Switcher Firefox extension and a list of user-agent strings.

I expect the interns who wrote these articles will be displeased that their articles are hidden from view. Google will doubtlessly be interested too, since their webmaster guidelines recommend against such behavior. BMW and Ricoh were delisted for similar reasons. Fortunately for Google, I’ve already shown how to build a complete list of Privila’s sites.

Update 1 (2008-03-08):
It looks like Google has removed the Privila sites from their index. For example, searches of soccerlove.com, ammancarpets.com, and canadianbattery.com all return zero results.

Update 2 (2008-03-11):
Privila appear to have fixed the problem that led to Yahoo! and Windows Live Search bots being presented with a blank page. Both of these spiders are being shown the same content as Google’s — the article with no adverts. Normal web browsers are still being sent adverts with no article.

Update 3 (2008-03-11):
Shortly after the publication of an article about Privila’s browser tricks on The Register, Privila has restored articles on the pages shown to normal web browsers. Pages presented to search engines still are not identical — they don’t contain the adverts.

Chip & PIN terminals vulnerable to simple attacks

Academic papers, Banking security, Hardware & signals, Security economics, Security engineering

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

Ingenico attack Dione attack

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufactures of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.

Update 1 (2008-03-09): The segment of Newsnight featuring our contribution has been posted to Google Video.

Update 2 (2008-03-21): If the link above doesn’t work try YouTube: part1 and part 2.

Justice, in one case at least

Banking security, Legal issues, Politics, Security economics

This morning Jane Badger was acquitted of fraud at Birmingham Crown Court. The judge found there was no case to answer.

Her case was remarkably similar to that of John Munden, about whom I wrote here (and in my book here). Like John, she worked for the police; like John, she complained to a bank about some ATM debits on her bank statement that she did not recognise; like John, she was arrested and suspended from work; like John, she faced a bank (in her case, Egg) claiming that as its systems were secure, she must be trying to defraud them; and like John, she faced police expert evidence that was technically illiterate and just took the bank’s claims as gospel.

In her case, Egg said that the transactions must have been done with the card issued to her rather than using a card clone, and to back this up they produced a printout allocating a transaction code of 05 to each withdrawal, and a rubric stating that 05 meant “Integrated Circuit Card read – CVV data reliable” with in brackets the explanatory phrase “(chip read)”. This seemed strange. If the chip of an EMV card is read, the reader will verify the signature on the certificate; if its magnetic strip is read (perhaps because the chip is unserviceable) then the bank will check the CVV, which is there to prevent magnetic strip forgery. The question therefore was whether the dash in the above rubric meant “OR”, as the technology would suggest, or “AND” as the bank and the CPS hoped. The technology is explained in more detail in our recent submission to the Hunt Review of the Financial Services Ombudsman (see below). I therefore advised the defence to apply for the court to order Egg to produce the actual transaction logs and supporting material so that we could verify the transaction certificates, if any.

The prosecution folded and today Jane walked free. I hope she wins an absolute shipload of compensation from Egg!

Financial Ombudsman losing it?

Banking security, Legal issues, Politics, Security economics

I appeared on “You and Yours” (Radio 4) today at 12.35 with an official from the Financial Ombudsman Service, after I coauthored a FIPR submission to a review of the service which is currently being conducted by Lord Hunt.

Our submission looks at three cases in particular in which the ombudsman decided in favour of the banks and against bank customers over disputed ATM transactions. We found that the adjudicators employed by the ombudsman made numerous errors both of law and of technology, and concluded that their decisions were an affront to reason and to justice.

One of the cases has already appeared here on lightbluetouchpaper; the other two cardholders appeared on an investigation into card fraud on “Tonight with Trevor MacDonald”, and their case papers are included, with their permission, as appendices to our submission. These papers are damning, but the Hunt review’s staff declined to publish them on the somewhat surprising grounds that the information in them might be used to commit identity theft against the customers in question. Eventually they published our submission minus the two appendices of case papers. (If knowing someone’s residential address and the account number to a now-defunct bank account is enough for a criminal to steal money from you, then the regulatory failures afflicting the British banking system are even deeper than I thought.)

The Financial Ombudsman Service, and its predecessor the Banking Ombudsman, have for many years found against bank customers and in favour of the banks. In the early-to-mid 1990s, they upheld the banks’ outrageous claim that mag-stripe ATM cards were invulnerable to cloning; this led to the court cases described here and here. That position collapsed when ATM criminals started being sent to prison. Now we have another wave of ATM card cloning, which we’ve discussed several times: we’ve shown you a chip and PIN terminal playing Tetris and described relay attacks. There’s much more to come.

The radio program is online here (the piece starts 29 minutes and 40 seconds in). We clearly have them rattled; the ombudsman was patronising and abusive, and made a number of misleading statements. He also said that the “independent” Hunt review was commissioned by his board of directors. I hope it turns out to be a bit more independent than that. If it doesn’t, then consumer advocates should campaign for the FOS to be abolished and for customers to be empowered to take disputes to the courts, as we argue in section 31-32 of our submission.